PurpleFox (Malware Family)

PurpleFox

VTCollection

Purple Fox uses msi.dll function, 'MsiInstallProductA', to download and execute its payload. The payload is a .msi file that contains encrypted shellcode including 32-bit and 64-bit versions. once executed the system will be restarted and uses the 'PendingFileRenameOperations' registry to rename it's components.

Upon restart the rootkit capability of Purple Fox is invoked. It creates a suspended svchost process and injects a DLL that will create a driver with the rootkit capability.

The latest version of Purple Fox abuses open-source code to enable it's rootkit components, which includes hiding and protecting its files and registry entries. It also abuses a file utility software to hide its DLL component, which deters reverse engineering.

References

2024-02-01 ⋅ Bleeping Computer ⋅ Bill Toulas
PurpleFox malware infects thousands of computers in Ukraine
PurpleFox

2023-09-20 ⋅ Proofpoint ⋅ Proofpoint Threat Research Team
Chinese Malware Appears in Earnest Across Cybercrime Threat Landscape
FatalRat PurpleFox ValleyRAT

2022-03-28 ⋅ The Hacker News ⋅ Ravie Lakshmanan
'Purple Fox' Hackers Spotted Using New Variant of FatalRAT in Recent Malware Attacks
DirtyMoe FatalRat PurpleFox

2022-03-25 ⋅ Trend Micro ⋅ Abdelrhman Sharshar, Jay Yaneza, Sherif Magdy
Purple Fox Uses New Arrival Vector and Improves Malware Arsenal
FatalRat PurpleFox

2022-03-25 ⋅ Trend Micro ⋅ Abdelrhman Sharshar, Jay Yaneza, Sherif Magdy
Purple Fox Uses New Arrival Vector and Improves Malware Arsenal
PurpleFox

2022-03-25 ⋅ Trend Micro ⋅ Abdelrhman Sharshar, Jay Yaneza, Sherif Magdy
Purple Fox Uses New Arrival Vector and Improves Malware Arsenal (Technical Brief)
PurpleFox

2022-03-25 ⋅ Trend Micro ⋅ Abdelrhman Sharshar, Jay Yaneza, Sherif Magdy
Purple Fox Uses New Arrival Vector and Improves Malware Arsenal (IOCs)
PurpleFox

2022-01-20 ⋅ Blackberry ⋅ The BlackBerry Research & Intelligence Team
Threat Thursday: Purple Fox Rootkit
PurpleFox

2022-01-04 ⋅ The Cyber Security Times ⋅ John Greenwood
Purple Fox malware is actively distributed via Telegram Installers
PurpleFox

2022-01-03 ⋅ MinervaLabs ⋅ Natalie Zargarov
Malicious Telegram Installer Drops Purple Fox Rootkit
PurpleFox

2021-12-13 ⋅ Trend Micro ⋅ Abdelrhman Sharshar, Jay Yaneza, Sherif Magdy
A Look Into Purple Fox’s Server Infrastructure
PurpleFox

2021-10-19 ⋅ Trend Micro ⋅ Abdelrhman Sharshar, Jay Yaneza, Sherif Magdy
PurpleFox Adds New Backdoor That Uses WebSockets
FoxSocket PurpleFox

2021-07-07 ⋅ Twitter (@C0rk1_H) ⋅ hyabcd
Tweet on purplefox exploiting PrintNightmare (CVE-2021-34527) vulnerability in cryptocurrency mining campaign
PurpleFox

2021-07-01 ⋅ Trend Micro ⋅ William Gamazo Sanchez
PurpleFox Using WPAD to Target Indonesian Users
PurpleFox

2021-06-11 ⋅ ⋅ Tencent ⋅ The Tencent Security Threat Intelligence Center
Tencent Security Report: Purple Fox virus maliciously attacks SQL server and spreads like a worm
PurpleFox

2021-04-15 ⋅ nao_sec blog ⋅ nao_sec
Exploit Kit still sharpens a sword
PurpleFox

2021-04-14 ⋅ HP ⋅ Patrick Schläpfer
From PoC to Exploit Kit: Purple Fox now exploits CVE-2021-26411
PurpleFox

2021-03-25 ⋅ Malwarebytes ⋅ Malwarebytes Labs
Perkiler malware turns to SMB brute force to spread
PurpleFox

2021-03-24 ⋅ Guardicore ⋅ Amit Serper
Purple Fox Rootkit Now Propagates as a Worm
PurpleFox

2020-10-19 ⋅ SentinelOne ⋅ Gal Kristal
Purple Fox EK | New CVEs, Steganography, and Virtualization Added to Attack Flow
PurpleFox

2019-09-09 ⋅ Trend Micro ⋅ Earle Earnshaw, Johnlery Triunfante
‘Purple Fox’ Fileless Malware with Rookit Component Delivered by Rig Exploit Kit Now Abuses PowerShell
PurpleFox

2017-07-05 ⋅ Trend Micro ⋅ Kevin Y. Huang
Security 101: The Impact of Cryptocurrency-Mining Malware
PurpleFox

Yara Rules

[TLP:WHITE] win_purplefox_auto (20230808 | Detects win.purplefox.)

rule win_purplefox_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.purplefox."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.purplefox"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8945ec 8d45f0 50 8d4dd8 8d55f8 51 }
            // n = 6, score = 100
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax
            //   8d45f0               | lea                 eax, [ebp - 0x10]
            //   50                   | push                eax
            //   8d4dd8               | lea                 ecx, [ebp - 0x28]
            //   8d55f8               | lea                 edx, [ebp - 8]
            //   51                   | push                ecx

        $sequence_1 = { d2de feca 28c3 80d262 9c }
            // n = 5, score = 100
            //   d2de                 | dec                 eax
            //   feca                 | add                 esp, 0xd0
            //   28c3                 | pop                 esi
            //   80d262               | pop                 ebx
            //   9c                   | pop                 ebp

        $sequence_2 = { 66f7d9 c1e810 52 66c1d908 0f9fc5 }
            // n = 5, score = 100
            //   66f7d9               | mov                 dword ptr [esp + 0x48], esi
            //   c1e810               | dec                 eax
            //   52                   | mov                 eax, dword ptr [edx + 0x38]
            //   66c1d908             | dec                 eax
            //   0f9fc5               | mov                 dword ptr [ecx + 8], eax

        $sequence_3 = { 8918 e8???????? 4c8d15a7c70000 4885c0 7404 4c8d5010 8bcb }
            // n = 7, score = 100
            //   8918                 | push                edx
            //   e8????????           |                     
            //   4c8d15a7c70000       | rcr                 cx, 8
            //   4885c0               | setg                ch
            //   7404                 | mov                 dword ptr [esp + 4], edi
            //   4c8d5010             | lea                 esp, [esp + 0x2c]
            //   8bcb                 | jne                 0x18

        $sequence_4 = { 8d45f8 50 6a00 6a00 c745f800000000 }
            // n = 5, score = 100
            //   8d45f8               | lea                 eax, [ebp - 8]
            //   50                   | push                eax
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   c745f800000000       | mov                 dword ptr [ebp - 8], 0

        $sequence_5 = { 488b8d08040000 488d442470 4d8b00 4533c9 ba00000100 4889742428 48899c24f0040000 }
            // n = 7, score = 100
            //   488b8d08040000       | inc                 ebp
            //   488d442470           | xor                 eax, eax
            //   4d8b00               | xor                 edx, edx
            //   4533c9               | inc                 esp
            //   ba00000100           | mov                 dword ptr [esp + 0xa0], esi
            //   4889742428           | dec                 eax
            //   48899c24f0040000     | mov                 dword ptr [esp + 0x20], eax

        $sequence_6 = { ff15???????? 488bc8 ff15???????? 488d1528460000 488bce }
            // n = 5, score = 100
            //   ff15????????         |                     
            //   488bc8               | setge               bl
            //   ff15????????         |                     
            //   488d1528460000       | mov                 esi, dword ptr [esp + 4]
            //   488bce               | push                0xca5bf85a

        $sequence_7 = { 8b04c52cbb4000 5d c3 8bff 55 8bec }
            // n = 6, score = 100
            //   8b04c52cbb4000       | jb                  0xfffffff6
            //   5d                   | je                  0x2a
            //   c3                   | dec                 eax
            //   8bff                 | lea                 ecx, [0xc636]
            //   55                   | dec                 eax
            //   8bec                 | dec                 esi

        $sequence_8 = { ffd6 83c410 8d542424 52 8d442410 e8???????? }
            // n = 6, score = 100
            //   ffd6                 | call                esi
            //   83c410               | add                 esp, 0x10
            //   8d542424             | lea                 edx, [esp + 0x24]
            //   52                   | push                edx
            //   8d442410             | lea                 eax, [esp + 0x10]
            //   e8????????           |                     

        $sequence_9 = { 0f1005???????? f20f100d???????? 4889bc24c8000000 33ff }
            // n = 4, score = 100
            //   0f1005????????       |                     
            //   f20f100d????????     |                     
            //   4889bc24c8000000     | dec                 eax
            //   33ff                 | test                eax, eax

        $sequence_10 = { 51 0f9dc3 8b742404 685af85bca 8b7c240c }
            // n = 5, score = 100
            //   51                   | mov                 dh, 0x14
            //   0f9dc3               | fcomp               qword ptr [edx]
            //   8b742404             | jo                  0x3c
            //   685af85bca           | pop                 ds
            //   8b7c240c             | movsd               dword ptr es:[edi], dword ptr [esi]

        $sequence_11 = { 56 57 68???????? e8???????? 83c404 6a00 6a00 }
            // n = 7, score = 100
            //   56                   | mov                 edx, ebx
            //   57                   | dec                 eax
            //   68????????           |                     
            //   e8????????           |                     
            //   83c404               | mov                 ecx, eax
            //   6a00                 | dec                 eax
            //   6a00                 | lea                 edx, [0x4628]

        $sequence_12 = { cf b94523340a e8???????? 06 }
            // n = 4, score = 100
            //   cf                   | pushfd              
            //   b94523340a           | mov                 byte ptr ss:[eax], dl
            //   e8????????           |                     
            //   06                   | mov                 byte ptr [esp], 0x13

        $sequence_13 = { b614 dc1a 7038 1f a5 }
            // n = 5, score = 100
            //   b614                 | inc                 esp
            //   dc1a                 | mov                 ecx, edi
            //   7038                 | dec                 eax
            //   1f                   | mov                 dword ptr [esp + 0x20], eax
            //   a5                   | mov                 eax, edi

        $sequence_14 = { 415d 415c 5f c3 4889742478 488bb42490000000 }
            // n = 6, score = 100
            //   415d                 | dec                 eax
            //   415c                 | mov                 ecx, dword ptr [ebp + 0x408]
            //   5f                   | dec                 eax
            //   c3                   | lea                 eax, [esp + 0x70]
            //   4889742478           | dec                 ebp
            //   488bb42490000000     | mov                 eax, dword ptr [eax]

        $sequence_15 = { 8d4df4 51 52 56 6a00 50 }
            // n = 6, score = 100
            //   8d4df4               | lea                 ecx, [ebp - 0xc]
            //   51                   | push                ecx
            //   52                   | push                edx
            //   56                   | push                esi
            //   6a00                 | push                0
            //   50                   | push                eax

        $sequence_16 = { 488b4238 48894108 488b4a50 4885c9 }
            // n = 4, score = 100
            //   488b4238             | mov                 esi, dword ptr [esp + 0x90]
            //   48894108             | push                esi
            //   488b4a50             | push                edi
            //   4885c9               | dec                 eax

        $sequence_17 = { e8???????? 8dbddcfdffff e8???????? 8dbddcfdffff c745fcffffffff }
            // n = 5, score = 100
            //   e8????????           |                     
            //   8dbddcfdffff         | dec                 eax
            //   e8????????           |                     
            //   8dbddcfdffff         | mov                 ecx, esi
            //   c745fcffffffff       | dec                 eax

        $sequence_18 = { 6685c9 75f1 8d85f8fdffff 56 33f6 8d5002 }
            // n = 6, score = 100
            //   6685c9               | test                cx, cx
            //   75f1                 | jne                 0xfffffff3
            //   8d85f8fdffff         | lea                 eax, [ebp - 0x208]
            //   56                   | push                esi
            //   33f6                 | xor                 esi, esi
            //   8d5002               | lea                 edx, [eax + 2]

        $sequence_19 = { 8944241c 52 8d44241c 50 }
            // n = 4, score = 100
            //   8944241c             | mov                 dword ptr [esp + 0x1c], eax
            //   52                   | push                edx
            //   8d44241c             | lea                 eax, [esp + 0x1c]
            //   50                   | push                eax

        $sequence_20 = { 4803d8 41b800040000 48899d00040000 e8???????? e9???????? 488b4c2470 ff15???????? }
            // n = 7, score = 100
            //   4803d8               | dec                 eax
            //   41b800040000         | add                 ebx, eax
            //   48899d00040000       | inc                 ecx
            //   e8????????           |                     
            //   e9????????           |                     
            //   488b4c2470           | mov                 eax, 0x400
            //   ff15????????         |                     

        $sequence_21 = { 448bcf 4889442420 e8???????? 8bc7 488d4dd0 33d2 }
            // n = 6, score = 100
            //   448bcf               | dec                 eax
            //   4889442420           | mov                 dword ptr [esp + 0x4f0], ebx
            //   e8????????           |                     
            //   8bc7                 | inc                 ecx
            //   488d4dd0             | pop                 ebp
            //   33d2                 | inc                 ecx

        $sequence_22 = { 8b703c 66f7da 0fbae603 0fca 20c6 01c6 42 }
            // n = 7, score = 100
            //   8b703c               | dec                 eax
            //   66f7da               | mov                 edi, ecx
            //   0fbae603             | dec                 eax
            //   0fca                 | mov                 dword ptr [esp + 0x60], esi
            //   20c6                 | mov                 dword ptr [esp + 0x58], esi
            //   01c6                 | mov                 dword ptr [esp + 0x50], esi
            //   42                   | dec                 eax

        $sequence_23 = { 4883c308 483bdf 72ed 48833d????????00 741f 488d0d36c60000 e8???????? }
            // n = 7, score = 100
            //   4883c308             | mov                 edi, dword ptr [esp + 0xc]
            //   483bdf               | iretd               
            //   72ed                 | mov                 ecx, 0xa342345
            //   48833d????????00     |                     
            //   741f                 | push                es
            //   488d0d36c60000       | mov                 edi, edx
            //   e8????????           |                     

        $sequence_24 = { 57 68???????? 68???????? bf00500000 ff15???????? 50 ff15???????? }
            // n = 7, score = 100
            //   57                   | add                 ebx, 8
            //   68????????           |                     
            //   68????????           |                     
            //   bf00500000           | dec                 eax
            //   ff15????????         |                     
            //   50                   | cmp                 ebx, edi
            //   ff15????????         |                     

        $sequence_25 = { ff15???????? 488d542450 488d0d96b10000 e8???????? }
            // n = 4, score = 100
            //   ff15????????         |                     
            //   488d542450           | je                  0x44
            //   488d0d96b10000       | dec                 eax
            //   e8????????           |                     

        $sequence_26 = { 3bf3 7d1e 8b4de8 ff15???????? 8b4df8 51 }
            // n = 6, score = 100
            //   3bf3                 | cmp                 esi, ebx
            //   7d1e                 | jge                 0x20
            //   8b4de8               | mov                 ecx, dword ptr [ebp - 0x18]
            //   ff15????????         |                     
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   51                   | push                ecx

        $sequence_27 = { 52 ffd3 85c0 7507 b802000000 eb1a }
            // n = 6, score = 100
            //   52                   | dec                 eax
            //   ffd3                 | lea                 eax, [0xd668]
            //   85c0                 | dec                 eax
            //   7507                 | cmp                 ebx, eax
            //   b802000000           | ja                  0x43
            //   eb1a                 | dec                 eax

        $sequence_28 = { 9c 368810 c6042413 60 }
            // n = 4, score = 100
            //   9c                   | dec                 eax
            //   368810               | lea                 ecx, [ebp - 0x30]
            //   c6042413             | xor                 edx, edx
            //   60                   | mov                 dword ptr [esp + 0x68], 0x100

        $sequence_29 = { 668b460c 8b5508 6a01 668945e4 }
            // n = 4, score = 100
            //   668b460c             | mov                 ax, word ptr [esi + 0xc]
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   6a01                 | push                1
            //   668945e4             | mov                 word ptr [ebp - 0x1c], ax

        $sequence_30 = { 4533c0 33d2 4489b424a0000000 4889442420 }
            // n = 4, score = 100
            //   4533c0               | dec                 eax
            //   33d2                 | mov                 dword ptr [ebp + 0x400], ebx
            //   4489b424a0000000     | dec                 eax
            //   4889442420           | mov                 ecx, dword ptr [esp + 0x70]

        $sequence_31 = { a1???????? a3???????? a1???????? c705????????bb454000 8935???????? }
            // n = 5, score = 100
            //   a1????????           |                     
            //   a3????????           |                     
            //   a1????????           |                     
            //   c705????????bb454000     |     
            //   8935????????         |                     

        $sequence_32 = { e8???????? 83c408 33ff eb23 68???????? }
            // n = 5, score = 100
            //   e8????????           |                     
            //   83c408               | dec                 esp
            //   33ff                 | lea                 edx, [eax + 0x10]
            //   eb23                 | mov                 ecx, ebx
            //   68????????           |                     

        $sequence_33 = { 4885c0 743f 488b0d???????? 488d1551970000 }
            // n = 4, score = 100
            //   4885c0               | inc                 edx
            //   743f                 | neg                 cx
            //   488b0d????????       |                     
            //   488d1551970000       | shr                 eax, 0x10

        $sequence_34 = { 8b1d???????? 68???????? 50 ffd3 85c0 750c 8b4f08 }
            // n = 7, score = 100
            //   8b1d????????         |                     
            //   68????????           |                     
            //   50                   | dec                 eax
            //   ffd3                 | lea                 ecx, [0xd2e4]
            //   85c0                 | dec                 eax
            //   750c                 | cmp                 ebx, ecx
            //   8b4f08               | jb                  0x43

        $sequence_35 = { c744246800010000 488bf9 4889742460 89742458 89742450 4889742448 }
            // n = 6, score = 100
            //   c744246800010000     | pop                 esp
            //   488bf9               | pop                 edi
            //   4889742460           | ret                 
            //   89742458             | dec                 eax
            //   89742450             | mov                 dword ptr [esp + 0x78], esi
            //   4889742448           | dec                 eax

        $sequence_36 = { 488d0de4d20000 483bd9 723e 488d0568d60000 483bd8 7732 488bd3 }
            // n = 7, score = 100
            //   488d0de4d20000       | movzx               bx, al
            //   483bd9               | rcr                 dh, cl
            //   723e                 | dec                 dl
            //   488d0568d60000       | sub                 bl, al
            //   483bd8               | adc                 dl, 0x62
            //   7732                 | pushfd              
            //   488bd3               | push                ecx

        $sequence_37 = { 48ffce 75a3 8b4504 03c5 8be8 833800 }
            // n = 6, score = 100
            //   48ffce               | sal                 byte ptr [ecx + 0x29], cl
            //   75a3                 | mov                 al, 0x26
            //   8b4504               | mov                 dl, 0x48
            //   03c5                 | sub                 byte ptr [esi + 0x6e], bl
            //   8be8                 | nop                 
            //   833800               | or                  cl, dh

        $sequence_38 = { 897c2404 e8???????? e8???????? 8d64242c 0f850a000000 660fb6d8 }
            // n = 6, score = 100
            //   897c2404             | dec                 eax
            //   e8????????           |                     
            //   e8????????           |                     
            //   8d64242c             | mov                 ecx, dword ptr [edx + 0x50]
            //   0f850a000000         | dec                 eax
            //   660fb6d8             | test                ecx, ecx

        $sequence_39 = { 56 57 4883ec50 8bc9 488d942480000000 ff15???????? }
            // n = 6, score = 100
            //   56                   | inc                 ebp
            //   57                   | xor                 ecx, ecx
            //   4883ec50             | mov                 edx, 0x10000
            //   8bc9                 | dec                 eax
            //   488d942480000000     | mov                 dword ptr [esp + 0x28], esi
            //   ff15????????         |                     

    condition:
        7 of them and filesize < 1983488
}

Download all Yara Rules

PurpleFox Propose Change

References

Yara Rules

PurpleFox