win.purplefox


Purple Fox uses the msi.dll function MsiInstallProductA to download and execute its payload. The payload is an .msi file that contains encrypted shellcode in both 32-bit and 64-bit versions. Once executed, the system is restarted, and the malware uses the PendingFileRenameOperations registry value to rename its components during the reboot.

Upon restart, the rootkit capability of Purple Fox is invoked. It creates a suspended svchost process and injects a DLL that creates a driver with the rootkit capability.

The latest version of Purple Fox abuses open-source code to enable its rootkit components, which include hiding and protecting its files and registry entries. It also abuses a file utility to hide its DLL component, which deters reverse engineering.
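A defender-side check for the PendingFileRenameOperations mechanism described above, added here as an example and not part of the Malpedia entry or the cited reports. It assumes PowerShell on the host being examined; the "Review" heuristic is this example's own, not something the page states about Purple Fox.

```powershell
# Added example, not code from Malpedia or from the Trend Micro write-up.
# Lists the renames and deletions that Windows will apply at the next boot,
# the mechanism the description above says Purple Fox relies on to rename
# its components after forcing a restart.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$name = 'PendingFileRenameOperations'

$value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $value) { Write-Output 'No pending file rename operations.'; return }
$raw = @($value)

# The value is REG_MULTI_SZ holding consecutive (source, destination) pairs.
# An empty destination means the source file is deleted at boot; a leading
# '!' on the destination means an existing file there is overwritten.
# Both paths carry the NT prefix \??\, which is stripped here for readability.
$ops = for ($i = 0; $i -lt $raw.Count; $i += 2) {
    $src    = $raw[$i] -replace '^\\\?\?\\', ''
    $dstRaw = if ($i + 1 -lt $raw.Count) { $raw[$i + 1] } else { '' }
    $dst    = $dstRaw -replace '^!?\\\?\?\\', ''
    [pscustomobject]@{
        Action          = if ($dst) { 'Rename' } else { 'Delete' }
        ReplaceExisting = $dstRaw.StartsWith('!')
        Source          = $src
        Destination     = $dst
        # Heuristic (an assumption, not from the page): a file staged outside
        # the Windows directory and renamed into it deserves a closer look.
        Review          = ($dst -match '^[A-Za-z]:\\Windows\\') -and
                          ($src -notmatch '^[A-Za-z]:\\Windows\\')
    }
}
$ops | Format-Table -AutoSize
```

Run it before the reboot that the installer triggers; once the boot completes, the value is consumed and the renames are no longer visible here.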

References
2021-10-19, Trend Micro (Abdelrhman Sharshar, Jay Yaneza, Sherif Magdy): PurpleFox Adds New Backdoor That Uses WebSockets
  https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html
  Tags: FoxSocket, win.purplefox

2021-07-07, Twitter (@C0rk1_H) (hyabcd): Tweet on purplefox exploiting PrintNightmare (CVE-2021-34527) vulnerability in cryptocurrency mining campaign
  https://twitter.com/C0rk1_H/status/1412801973628272641?s=20
  Tags: win.purplefox

2021-07-01, Trend Micro (William Gamazo Sanchez): PurpleFox Using WPAD to Target Indonesian Users
  https://www.trendmicro.com/en_us/research/21/g/purplefox-using-wpad-to-targent-indonesian-users.html
  Tags: win.purplefox

2021-06-11, Tencent (The Tencent Security Threat Intelligence Center): Tencent Security Report: Purple Fox virus maliciously attacks SQL server and spreads like a worm (Chinese)
  https://s.tencent.com/research/report/1322.html
  Tags: win.purplefox

2021-04-15, nao_sec blog (nao_sec): Exploit Kit still sharpens a sword
  https://nao-sec.org/2021/04/exploit-kit-still-sharpens-a-sword.html
  Tags: win.purplefox

2021-04-14, HP (Patrick Schläpfer): From PoC to Exploit Kit: Purple Fox now exploits CVE-2021-26411
  https://threatresearch.ext.hp.com/purple-fox-exploit-kit-now-exploits-cve-2021-26411/
  Tags: win.purplefox

2021-03-25, Malwarebytes (Malwarebytes Labs): Perkiler malware turns to SMB brute force to spread
  https://blog.malwarebytes.com/trojans/2021/03/perkiler-malware-turns-to-smb-brute-force-to-spread/
  Tags: win.purplefox

2021-03-24, Guardicore (Amit Serper): Purple Fox Rootkit Now Propagates as a Worm
  https://www.guardicore.com/labs/purple-fox-rootkit-now-propagates-as-a-worm/
  Tags: win.purplefox

2019-09-09, Trend Micro (Johnlery Triunfante, Earle Earnshaw): 'Purple Fox' Fileless Malware with Rookit Component Delivered by Rig Exploit Kit Now Abuses PowerShell
  https://blog.trendmicro.com/trendlabs-security-intelligence/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell/
  Tags: win.purplefox

2017-07-05, Trend Micro (Kevin Y. Huang): Security 101: The Impact of Cryptocurrency-Mining Malware
  https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/security-101-the-impact-of-cryptocurrency-mining-malware
  Tags: win.purplefox
Yara Rules
[TLP:WHITE] win_purplefox_auto (20211008 | Detects win.purplefox.)
rule win_purplefox_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.purplefox."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.purplefox"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 36ee 16 69503fbdb39d53 ee f9 }
            // n = 5, score = 100
            //   36ee                 | out                 dx, al
            //   16                   | push                ss
            //   69503fbdb39d53       | imul                edx, dword ptr [eax + 0x3f], 0x539db3bd
            //   ee                   | out                 dx, al
            //   f9                   | stc                 

        $sequence_1 = { 83c506 66892424 c6042455 8810 66892424 8d642404 e9???????? }
            // n = 7, score = 100
            //   83c506               | add                 ebp, 6
            //   66892424             | mov                 word ptr [esp], sp
            //   c6042455             | mov                 byte ptr [esp], 0x55
            //   8810                 | mov                 byte ptr [eax], dl
            //   66892424             | mov                 word ptr [esp], sp
            //   8d642404             | lea                 esp, dword ptr [esp + 4]
            //   e9????????           |                     

        $sequence_2 = { e4ea 683c72e876 64a20ce26218 1c3a e04e 3c7a }
            // n = 6, score = 100
            //   e4ea                 | in                  al, 0xea
            //   683c72e876           | push                0x76e8723c
            //   64a20ce26218         | mov                 byte ptr fs:[0x1862e20c], al
            //   1c3a                 | sbb                 al, 0x3a
            //   e04e                 | loopne              0x50
            //   3c7a                 | cmp                 al, 0x7a

        $sequence_3 = { 89c1 0fa3d3 e8???????? e8???????? 9c 66c7042496c1 9c }
            // n = 7, score = 100
            //   89c1                 | mov                 ecx, eax
            //   0fa3d3               | bt                  ebx, edx
            //   e8????????           |                     
            //   e8????????           |                     
            //   9c                   | pushfd              
            //   66c7042496c1         | mov                 word ptr [esp], 0xc196
            //   9c                   | pushfd              

        $sequence_4 = { 2466 9b c10113 7167 6aa2 }
            // n = 5, score = 100
            //   2466                 | and                 al, 0x66
            //   9b                   | wait                
            //   c10113               | rol                 dword ptr [ecx], 0x13
            //   7167                 | jno                 0x69
            //   6aa2                 | push                -0x5e

        $sequence_5 = { e79b 391f 75fd 9c }
            // n = 4, score = 100
            //   e79b                 | out                 0x9b, eax
            //   391f                 | cmp                 dword ptr [edi], ebx
            //   75fd                 | jne                 0xffffffff
            //   9c                   | pushfd              

        $sequence_6 = { ff3424 e9???????? 61 647661 7069 3332 2e646c }
            // n = 7, score = 100
            //   ff3424               | push                dword ptr [esp]
            //   e9????????           |                     
            //   61                   | popal               
            //   647661               | jbe                 0x64
            //   7069                 | jo                  0x6b
            //   3332                 | xor                 esi, dword ptr [edx]
            //   2e646c               | insb                byte ptr es:[edi], dx

        $sequence_7 = { 6e bccc7f52dd 9d 8c63b1 c19f5d3803eaa9 }
            // n = 5, score = 100
            //   6e                   | outsb               dx, byte ptr [esi]
            //   bccc7f52dd           | mov                 esp, 0xdd527fcc
            //   9d                   | popfd               
            //   8c63b1               | mov                 word ptr [ebx - 0x4f], fs
            //   c19f5d3803eaa9       | rcr                 dword ptr [edi - 0x15fcc7a3], -0x57

        $sequence_8 = { ce 009e78e87b39 ffe5 17 b50b 91 e76f }
            // n = 7, score = 100
            //   ce                   | into                
            //   009e78e87b39         | add                 byte ptr [esi + 0x397be878], bl
            //   ffe5                 | jmp                 ebp
            //   17                   | pop                 ss
            //   b50b                 | mov                 ch, 0xb
            //   91                   | xchg                eax, ecx
            //   e76f                 | out                 0x6f, eax

        $sequence_9 = { 80fd66 0fbdc9 10d1 66d3e9 }
            // n = 4, score = 100
            //   80fd66               | cmp                 ch, 0x66
            //   0fbdc9               | bsr                 ecx, ecx
            //   10d1                 | adc                 cl, dl
            //   66d3e9               | shr                 cx, cl

    condition:
        7 of them and filesize < 1983488
}