Purple Fox Malware

Purple Fox is a combined fileless rootkit and backdoor trojan that is also able to act as an exploit kit. Believed to be sold through several Russian-speaking hacking forums, Purple Fox has been used in a number of campaigns to deliver ransomware tools, spyware, and cryptocurrency mining malware.

Older Purple Fox variants relied on the RIG exploit kit for delivery, with some variants also distributed as trojanised versions of legitimate applications hosted on third-party sites. However, in September 2019, new Purple Fox variants began to be observed that appeared to use built-in exploit kit functionality (known as PFEK) in place of RIG. PFEK uses the Popcash malvertising network to redirect users to attacker-controlled landing pages, where the exploit kit component attempts to fingerprint them. If a visitor matches the desired user profile, PFEK deploys an Internet Explorer scripting engine exploit alongside a local privilege escalation exploit to gain initial access.

When successfully executed, Purple Fox injects a DLL containing its rootkit into a new svchost process. It then connects to a command and control server and uploads user and system information. Payloads are retrieved using the NSIS tool in older Purple Fox versions and PowerShell in newer ones.

Indicators of compromise

SHA256

  • 07191e65af30541f71e876b6037079a070a34c435641897dc788c15e5f62f53c
  • 09a6fe2764de81c7c5d588dc0542230a0d36aac69305139349fa43f4ab5a09d4
  • 14ae024e8e580904113eea52ce2a000b37b2998c2f257d3bc2cd176e8d9de1a2
  • 164e96f9c19277d40cf58102c1d6fd75dab47bce4f79065ef996a2588b3f737a
  • 33a584a0d4907b063af867fd33cc39362b74e96e72d2ad97db7748131364eab1
  • 3e2c3d27d06c3b8a0106282b5d24dc6a44af7fdad74bc4993a3f3bcb7a82858d
  • 498496827afc0aa5960d1cb1d60f7ae7699e0906e3a8c657b6864cff10772df0
  • 507fbe71ec4e059a6cffbf1f7c075073e51c20fa1bb0c9dbc830b5ad5179450a
  • 517a523039a21e1961088cac8236bf5f6ee197d6a47d08abf114ee3418af0c08
  • 61113a0acd6469ce0d860db55c2afa3cdcbac2f5411fe8259cca43c10c042239
  • 87ea8d5bcd1056e76af822896db63f07732dbfab3fc632e7cf13802ae68afc40
  • 9b77436cc2d53461d0a5a69189e15bbd6cd61cb714b4c53d42e3743d515bcf26
  • a5a6be8b51439c793d903fb92c952c729db8e8050010c499607ee512f42bceff
  • ac05a938bbfc4ff0daeb1e45b6ccfdd7cae5bd6aa6e54c49ec6c8feef2ae06c4
  • b2cb65c9ac36f1e3fb31dfd5235c29b396be0968e6b225d625dc3c8fd72395f4
  • ca7bd2830405ed53fd7f56738d7644ff8ecfd5bc63d079d322c99601c6106843
  • d9155d5e89692fac89a4defeb146ab6ad508d951bc4948067b44e5d0a6582b72
  • db09af7752eab8227c9ee1edad061a13aba08a6a53289a9c9bba9da2e6cc1f5f
  • f0b0e0548b218fb81940a4daf85c3709b2159bb357cab2f55576af3d75d47094

Domains

  • casestudybuddy[.]club
  • jeitacave[.]org
  • nw[.]brownsine[.]com
  • raw[.]githack[.]xyz
  • rawcdn[.]githack[.]com
  • shiory[.]annebruce[.]xyz
  • zopso[.]org

URLs

  • 141[.]98[.]216[.]130/1505132[.]jpg
  • 141[.]98[.]216[.]130/1505164[.]jpg
  • 141[.]98[.]216[.]130/1603232[.]jpg
  • 141[.]98[.]216[.]130/1603264[.]jpg
  • 141[.]98[.]216[.]130/1808132[.]jpg
  • 141[.]98[.]216[.]130/1808164[.]jpg
  • 141[.]98[.]216[.]130/pe[.]jpg
  • jeitacave[.]org/ps004[.]jpg
  • raw[.]githack[.]xyz/1DHRBFPLZTEQRRBUB[.]jpg
  • raw[.]githack[.]xyz/SdTC8df7vmDNIUuV1[.]jpg
  • rawcdn[.]githack[.]com/yfaOp/BEFzQ/7d0f5914392dc9688c67a2118aefafc958cb53b2/1505132[.]jpg
  • rawcdn[.]githack[.]com/yfaOp/BEFzQ/7d0f5914392dc9688c67a2118aefafc958cb53b2/1505164[.]jpg
  • rawcdn[.]githack[.]com/yfaOp/BEFzQ/7d0f5914392dc9688c67a2118aefafc958cb53b2/1808132[.]jpg
  • rawcdn[.]githack[.]com/yfaOp/BEFzQ/7d0f5914392dc9688c67a2118aefafc958cb53b2/1808164[.]jpg
  • rawcdn[.]githack[.]com/yfaOp/BEFzQ/7d0f5914392dc9688c67a2118aefafc958cb53b2/1905864[.]jpg
  • rawcdn[.]githack[.]com/yfaOp/BEFzQ/7d0f5914392dc9688c67a2118aefafc958cb53b2/pe[.]jpg
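The indicators above are published defanged ("[.]" in place of "."), so they cannot be matched against logs as-is. The following added example (not part of the original post) refangs a subset of the page's own hashes, domains and URLs and runs them over a constructed proxy log, matching URLs exactly and domains including their subdomains, and checks a file digest against the SHA256 set. The log format, client IPs and timestamps are invented for the example; the host names and hashes come from the list above.

```python
import hashlib
import re

# Indicators copied from the IoC list on this page (defanged, as published).
# A subset is embedded to keep the example short; extend the lists as needed.
RAW_HASHES = [
    "07191e65af30541f71e876b6037079a070a34c435641897dc788c15e5f62f53c",
    "9b77436cc2d53461d0a5a69189e15bbd6cd61cb714b4c53d42e3743d515bcf26",
]
RAW_DOMAINS = [
    "casestudybuddy[.]club",
    "jeitacave[.]org",
    "raw[.]githack[.]xyz",
    "zopso[.]org",
]
RAW_URLS = [
    "141[.]98[.]216[.]130/pe[.]jpg",
    "jeitacave[.]org/ps004[.]jpg",
    "raw[.]githack[.]xyz/1DHRBFPLZTEQRRBUB[.]jpg",
]


def refang(indicator: str) -> str:
    """Undo the '[.]' and 'hxxp' defanging used in published IoC lists."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


HASHES = {h.lower() for h in RAW_HASHES}
DOMAINS = {refang(d) for d in RAW_DOMAINS}
URLS = {refang(u) for u in RAW_URLS}


def match_host(host: str):
    """Return the indicator domain if host equals it or is a subdomain of it."""
    host = host.lower().rstrip(".")
    for d in sorted(DOMAINS, key=len, reverse=True):
        if host == d or host.endswith("." + d):
            return d
    return None


def normalise_url(url: str) -> str:
    """Strip the scheme and an explicit port so URLs compare against the list form."""
    url = url.lower()
    url = re.sub(r"^https?://", "", url)
    url = re.sub(r"^([^/:]+):\d+", r"\1", url)
    return url


def match_url(url: str):
    """Return the indicator URL if the request matches one exactly."""
    norm = normalise_url(url)
    return norm if norm in URLS else None


def scan_proxy_log(text: str):
    """Match each proxy log line against the URL and domain indicators.

    Constructed log format: '<timestamp> <client_ip> <method> <url> <status>'.
    Returns a list of (line_number, kind, indicator) tuples, one per hit.
    """
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        parts = line.split()
        if len(parts) < 5:
            continue  # skip empty or malformed lines
        url = parts[3]
        hit = match_url(url)
        if hit:
            hits.append((n, "url", hit))
            continue
        host = normalise_url(url).split("/", 1)[0]
        dom = match_host(host)
        if dom:
            hits.append((n, "domain", dom))
    return hits


def is_known_sample(data: bytes) -> bool:
    """Hash a file's bytes and look the digest up in the SHA256 indicator set."""
    return hashlib.sha256(data).hexdigest() in HASHES


# Constructed sample proxy log: hosts come from the page's IoC list,
# client IPs and timestamps are invented for the example.
SAMPLE_PROXY_LOG = """\
2019-09-12T10:01:22Z 10.0.0.5 GET http://jeitacave.org/ps004.jpg 200
2019-09-12T10:01:23Z 10.0.0.5 GET http://cdn.zopso.org/update.bin 200
2019-09-12T10:02:10Z 10.0.0.7 GET https://example.com/index.html 200
2019-09-12T10:03:41Z 10.0.0.9 GET http://141.98.216.130:80/pe.jpg 200
2019-09-12T10:04:05Z 10.0.0.9 GET http://zopso.org.example.net/x 200
"""

if __name__ == "__main__":
    for n, kind, ind in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"line {n}: {kind} indicator matched -> {ind}")
    print("hash hit:", is_known_sample(b"constructed bytes, not a real sample"))
```

Note the last log line: `zopso.org.example.net` is not flagged, because the subdomain check requires the indicator to be a dot-separated suffix of the host, which avoids false positives from look-alike names that merely contain the indicator as a prefix.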

Jason Davies

UK based technology professional, with an interest in computer security and telecoms.
