win.purplefox

PurpleFox


Purple Fox uses the msi.dll function 'MsiInstallProductA' to download and execute its payload. The payload is a .msi file that contains encrypted shellcode in both 32-bit and 64-bit versions. Once executed, the system is restarted, and the malware uses the 'PendingFileRenameOperations' registry value to rename its components during the reboot.

Upon restart the rootkit capability of Purple Fox is invoked. It creates a suspended svchost process and injects a DLL that will create a driver with the rootkit capability.

The latest version of Purple Fox abuses open-source code to enable its rootkit components, which include hiding and protecting its files and registry entries. It also abuses a file utility to hide its DLL component, which deters reverse engineering.
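As an added example that is not part of the Malpedia entry or of any Purple Fox analysis, the following Python parses a PendingFileRenameOperations value (the REG_MULTI_SZ mentioned above, which Windows applies at boot) and flags boot-time renames that move a file from a user-writable staging directory into a system directory or that drop a driver. The staging and sensitive directory lists and the sample value are constructed assumptions for illustration; on Windows, read_live_value() reads the real value through winreg.

```python
"""Parse and triage PendingFileRenameOperations (a defender-side check).

Renames queued with MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT) live in
HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\PendingFileRenameOperations
as a REG_MULTI_SZ of alternating (source, destination) strings: an empty
destination means "delete source at boot", a leading '!' on the destination
means "replace an existing file", and paths carry the NT prefix '\\??\\'.
"""
import sys
from dataclasses import dataclass
from typing import List, Optional, Tuple

NT_PREFIX = "\\??\\"
# Heuristic directory lists; assumptions of this example, tune per environment.
SENSITIVE_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
STAGING_DIRS = ("\\temp\\", "\\tmp\\", "\\programdata\\", "\\users\\public\\")


@dataclass
class PendingRename:
    source: str
    destination: Optional[str]  # None means "delete source at boot"
    replace_existing: bool


def _strip_nt(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending_renames(multi_sz: List[str]) -> List[PendingRename]:
    """Turn the raw string list into (source, destination) operations."""
    if len(multi_sz) % 2:
        raise ValueError("value must hold an even number of strings")
    ops = []
    for src, dst in zip(multi_sz[0::2], multi_sz[1::2]):
        replace = dst.startswith("!")
        dst = _strip_nt(dst[1:] if replace else dst)
        ops.append(PendingRename(_strip_nt(src), dst or None, replace))
    return ops


def triage(ops: List[PendingRename]) -> List[Tuple[PendingRename, List[str]]]:
    """Return (operation, reasons) for entries an analyst should look at."""
    findings = []
    for op in ops:
        src, dst = op.source.lower(), (op.destination or "").lower()
        reasons = []
        if dst.startswith(SENSITIVE_DIRS) and any(s in src for s in STAGING_DIRS):
            reasons.append("file staged in a user-writable path lands in a system directory")
        if dst.endswith(".sys"):
            reasons.append("driver placed at boot; verify its signature")
        if reasons:
            findings.append((op, reasons))
    return findings


def read_live_value() -> List[str]:
    """Read the real value on Windows; [] when absent or on other platforms."""
    if sys.platform != "win32":
        return []
    import winreg
    key = r"SYSTEM\CurrentControlSet\Control\Session Manager"
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
            value, kind = winreg.QueryValueEx(k, "PendingFileRenameOperations")
    except FileNotFoundError:
        return []
    return list(value) if kind == winreg.REG_MULTI_SZ else []


# Constructed sample (placeholder names, not real indicators): a temp file
# replacing a driver, a boot-time delete, and a ProgramData DLL moved to System32.
SAMPLE_VALUE = [
    "\\??\\C:\\Windows\\Temp\\example_stage.tmp",
    "!\\??\\C:\\Windows\\System32\\drivers\\example_driver.sys",
    "\\??\\C:\\Windows\\System32\\example_old.log", "",
    "\\??\\C:\\ProgramData\\example_drop.dll",
    "\\??\\C:\\Windows\\System32\\example_drop.dll",
]

if __name__ == "__main__":
    for op, why in triage(parse_pending_renames(read_live_value() or SAMPLE_VALUE)):
        print(f"{op.source} -> {op.destination or '<delete>'}: {'; '.join(why)}")
```

Legitimate installers and Windows Update also queue renames this way, so treat the output as a hunting lead to pair with file signature checks, not as a verdict.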

References
2024-02-01  Bleeping Computer (Bill Toulas): PurpleFox malware infects thousands of computers in Ukraine [PurpleFox]
2023-09-20  Proofpoint (Proofpoint Threat Research Team): Chinese Malware Appears in Earnest Across Cybercrime Threat Landscape [FatalRat, PurpleFox, ValleyRAT]
2022-03-28  The Hacker News (Ravie Lakshmanan): 'Purple Fox' Hackers Spotted Using New Variant of FatalRAT in Recent Malware Attacks [DirtyMoe, FatalRat, PurpleFox]
2022-03-25  Trend Micro (Abdelrhman Sharshar, Jay Yaneza, Sherif Magdy): Purple Fox Uses New Arrival Vector and Improves Malware Arsenal [FatalRat, PurpleFox]
2022-03-25  Trend Micro (Abdelrhman Sharshar, Jay Yaneza, Sherif Magdy): Purple Fox Uses New Arrival Vector and Improves Malware Arsenal [PurpleFox]
2022-03-25  Trend Micro (Abdelrhman Sharshar, Jay Yaneza, Sherif Magdy): Purple Fox Uses New Arrival Vector and Improves Malware Arsenal (Technical Brief) [PurpleFox]
2022-03-25  Trend Micro (Abdelrhman Sharshar, Jay Yaneza, Sherif Magdy): Purple Fox Uses New Arrival Vector and Improves Malware Arsenal (IOCs) [PurpleFox]
2022-01-20  Blackberry (The BlackBerry Research & Intelligence Team): Threat Thursday: Purple Fox Rootkit [PurpleFox]
2022-01-04  The Cyber Security Times (John Greenwood): Purple Fox malware is actively distributed via Telegram Installers [PurpleFox]
2022-01-03  MinervaLabs (Natalie Zargarov): Malicious Telegram Installer Drops Purple Fox Rootkit [PurpleFox]
2021-12-13  Trend Micro (Abdelrhman Sharshar, Jay Yaneza, Sherif Magdy): A Look Into Purple Fox’s Server Infrastructure [PurpleFox]
2021-10-19  Trend Micro (Abdelrhman Sharshar, Jay Yaneza, Sherif Magdy): PurpleFox Adds New Backdoor That Uses WebSockets [FoxSocket, PurpleFox]
2021-07-07  Twitter (@C0rk1_H) (hyabcd): Tweet on purplefox exploiting PrintNightmare (CVE-2021-34527) vulnerability in cryptocurrency mining campaign [PurpleFox]
2021-07-01  Trend Micro (William Gamazo Sanchez): PurpleFox Using WPAD to Target Indonesian Users [PurpleFox]
2021-06-11  Tencent (The Tencent Security Threat Intelligence Center): Tencent Security Report: Purple Fox virus maliciously attacks SQL server and spreads like a worm [PurpleFox]
2021-04-15  nao_sec blog (nao_sec): Exploit Kit still sharpens a sword [PurpleFox]
2021-04-14  HP (Patrick Schläpfer): From PoC to Exploit Kit: Purple Fox now exploits CVE-2021-26411 [PurpleFox]
2021-03-25  Malwarebytes (Malwarebytes Labs): Perkiler malware turns to SMB brute force to spread [PurpleFox]
2021-03-24  Guardicore (Amit Serper): Purple Fox Rootkit Now Propagates as a Worm [PurpleFox]
2020-10-19  SentinelOne (Gal Kristal): Purple Fox EK | New CVEs, Steganography, and Virtualization Added to Attack Flow [PurpleFox]
2019-09-09  Trend Micro (Earle Earnshaw, Johnlery Triunfante): ‘Purple Fox’ Fileless Malware with Rookit Component Delivered by Rig Exploit Kit Now Abuses PowerShell [PurpleFox]
2017-07-05  Trend Micro (Kevin Y. Huang): Security 101: The Impact of Cryptocurrency-Mining Malware [PurpleFox]
Yara Rules
[TLP:WHITE] win_purplefox_auto (20260504 | Detects win.purplefox.)
rule win_purplefox_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.purplefox."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.purplefox"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8d4f40 660fbae50c 0fb3c7 660fbec2 8d04ed539f9b01 29d1 }
            // n = 6, score = 100
            //   8d4f40               | cmp                 eax, 0x50
            //   660fbae50c           | jl                  0xffffffea
            //   0fb3c7               | jmp                 0x1a
            //   660fbec2             | inc                 ecx
            //   8d04ed539f9b01       | mov                 ecx, dword ptr [eax + 5]
            //   29d1                 | dec                 eax

        $sequence_1 = { 8bf0 8b4dfc ff15???????? 56 68???????? ffd3 83c408 }
            // n = 7, score = 100
            //   8bf0                 | mov                 ebp, dword ptr [ecx + 8]
            //   8b4dfc               | mov                 ecx, dword ptr [ecx + 0x18]
            //   ff15????????         |                     
            //   56                   | inc                 ebp
            //   68????????           |                     
            //   ffd3                 | mov                 ecx, esp
            //   83c408               | dec                 esp

        $sequence_2 = { a3???????? a1???????? c705????????bb454000 8935???????? a3???????? ff15???????? a3???????? }
            // n = 7, score = 100
            //   a3????????           |                     
            //   a1????????           |                     
            //   c705????????bb454000     |     
            //   8935????????         |                     
            //   a3????????           |                     
            //   ff15????????         |                     
            //   a3????????           |                     

        $sequence_3 = { 410bc0 488d542458 488d0d5fef0000 8905???????? 488d05baa00000 }
            // n = 5, score = 100
            //   410bc0               | lea                 esi, [esi*8 + 0x40fc18]
            //   488d542458           | cmp                 dword ptr [esi], ebx
            //   488d0d5fef0000       | mov                 edx, dword ptr [esi + 4]
            //   8905????????         |                     
            //   488d05baa00000       | add                 esp, 0xc

        $sequence_4 = { 8b742428 66f7d5 8b6c242c 9c 9c 68af6a40e4 }
            // n = 6, score = 100
            //   8b742428             | mov                 ecx, dword ptr [esi + 0xb8]
            //   66f7d5               | dec                 esp
            //   8b6c242c             | lea                 esp, [0x8d03]
            //   9c                   | lock dec            dword ptr [ecx]
            //   9c                   | jne                 0x16
            //   68af6a40e4           | dec                 eax

        $sequence_5 = { 8b11 8d45f4 50 8b45f8 6a00 }
            // n = 5, score = 100
            //   8b11                 | mov                 eax, 0x208
            //   8d45f4               | xor                 eax, eax
            //   50                   | push                0x208
            //   8b45f8               | push                eax
            //   6a00                 | mov                 dword ptr [esp + 0x20], eax

        $sequence_6 = { 8b4dfc c70700000000 8b07 33cd 5e }
            // n = 5, score = 100
            //   8b4dfc               | push                ecx
            //   c70700000000         | ret                 4
            //   8b07                 | push                0x400
            //   33cd                 | lea                 edx, [ebp - 0x454]
            //   5e                   | push                ebx

        $sequence_7 = { 458bcc 4c8bc6 33d2 4889442420 ff15???????? 8bf8 }
            // n = 6, score = 100
            //   458bcc               | xor                 ecx, ecx
            //   4c8bc6               | dec                 eax
            //   33d2                 | mov                 dword ptr [ebp + 0x1f], ebx
            //   4889442420           | dec                 eax
            //   ff15????????         |                     
            //   8bf8                 | mov                 dword ptr [ebp + 0x2f], esi

        $sequence_8 = { 48895d1f 4889752f 48897537 ff15???????? 8bd8 85c0 }
            // n = 6, score = 100
            //   48895d1f             | mov                 dword ptr [esp + 0x40], 0x20
            //   4889752f             | mov                 dword ptr [esp + 0x38], 1
            //   48897537             | dec                 eax
            //   ff15????????         |                     
            //   8bd8                 | mov                 dword ptr [edx + 0x38], ecx
            //   85c0                 | xor                 edx, edx

        $sequence_9 = { 8b5604 83c40c 8d8d7cffffff 51 52 ff15???????? }
            // n = 6, score = 100
            //   8b5604               | add                 esp, 8
            //   83c40c               | mov                 eax, esi
            //   8d8d7cffffff         | pop                 esi
            //   51                   | mov                 esp, ebp
            //   52                   | pop                 ebp
            //   ff15????????         |                     

        $sequence_10 = { 59 59 8b7508 8d34f518fc4000 391e }
            // n = 5, score = 100
            //   59                   | mov                 eax, dword ptr [edi]
            //   59                   | add                 esp, 4
            //   8b7508               | lea                 edx, [eax + 2]
            //   8d34f518fc4000       | lea                 esp, [esp]
            //   391e                 | mov                 cx, word ptr [eax]

        $sequence_11 = { 448bc6 442bc0 488b442450 488d0d697d0000 488b0cc1 }
            // n = 5, score = 100
            //   448bc6               | add                 ecx, dword ptr [esi*4 + 0x410c00]
            //   442bc0               | jmp                 0x11
            //   488b442450           | mov                 ecx, edx
            //   488d0d697d0000       | je                  8
            //   488b0cc1             | mov                 eax, dword ptr [ebp - 0x228]

        $sequence_12 = { 5d c3 56 a3???????? 8d45f8 50 51 }
            // n = 7, score = 100
            //   5d                   | mov                 dword ptr [esp + 0x20], eax
            //   c3                   | mov                 edi, eax
            //   56                   | xor                 edx, edx
            //   a3????????           |                     
            //   8d45f8               | inc                 ecx
            //   50                   | mov                 eax, 0x206
            //   51                   | dec                 eax

        $sequence_13 = { c20400 6800040000 8d95acfbffff 53 52 }
            // n = 5, score = 100
            //   c20400               | mov                 dword ptr [esp + 0x40], eax
            //   6800040000           | dec                 eax
            //   8d95acfbffff         | mov                 dword ptr [esp + 0x48], eax
            //   53                   | dec                 esp
            //   52                   | lea                 ebx, [esp + 0x50]

        $sequence_14 = { 4889442458 4889442460 4889442468 e8???????? 488d8d80010000 448bc7 33d2 }
            // n = 7, score = 100
            //   4889442458           | jne                 0x1e
            //   4889442460           | dec                 eax
            //   4889442468           | mov                 ecx, dword ptr [ebp + 0x6f]
            //   e8????????           |                     
            //   488d8d80010000       | dec                 eax
            //   448bc7               | mov                 dword ptr [esp + 0x58], eax
            //   33d2                 | dec                 eax

        $sequence_15 = { d1d1 cf 4d 7961 24c2 3a3b ea???????????? }
            // n = 7, score = 100
            //   d1d1                 | mov                 ebx, ecx
            //   cf                   | dec                 eax
            //   4d                   | test                eax, eax
            //   7961                 | je                  0x7e
            //   24c2                 | dec                 eax
            //   3a3b                 | lea                 ecx, [0x966f]
            //   ea????????????       |                     

        $sequence_16 = { a3???????? bd79c7c7fd dbd1 25346acfea }
            // n = 4, score = 100
            //   a3????????           |                     
            //   bd79c7c7fd           | inc                 eax
            //   dbd1                 | dec                 ecx
            //   25346acfea           | inc                 eax

        $sequence_17 = { ffc0 49ffc0 83f850 7ce2 eb10 418b4805 }
            // n = 6, score = 100
            //   ffc0                 | mov                 ebx, ecx
            //   49ffc0               | dec                 esp
            //   83f850               | lea                 ebx, [0xa117]
            //   7ce2                 | inc                 ecx
            //   eb10                 | or                  eax, eax
            //   418b4805             | dec                 eax

        $sequence_18 = { 4883ec20 488bd9 e8???????? 4c8d1d17a10000 }
            // n = 4, score = 100
            //   4883ec20             | pop                 ecx
            //   488bd9               | pop                 ecx
            //   e8????????           |                     
            //   4c8d1d17a10000       | mov                 esi, dword ptr [ebp + 8]

        $sequence_19 = { 3d31040000 7415 50 68???????? e8???????? 83c408 33ff }
            // n = 7, score = 100
            //   3d31040000           | push                edx
            //   7415                 | mov                 edx, dword ptr [ecx]
            //   50                   | lea                 eax, [ebp - 0xc]
            //   68????????           |                     
            //   e8????????           |                     
            //   83c408               | push                eax
            //   33ff                 | mov                 eax, dword ptr [ebp - 8]

        $sequence_20 = { 488bd8 4885c0 751c 488b4d6f }
            // n = 4, score = 100
            //   488bd8               | dec                 eax
            //   4885c0               | mov                 ebx, eax
            //   751c                 | dec                 eax
            //   488b4d6f             | test                eax, eax

        $sequence_21 = { 488bd9 4885c0 7479 488d0d6f960000 483bc1 746d }
            // n = 6, score = 100
            //   488bd9               | sub                 eax, 8
            //   4885c0               | shr                 eax, 1
            //   7479                 | lea                 edx, [ebx + 8]
            //   488d0d6f960000       | mov                 esi, eax
            //   483bc1               | sar                 esi, 5
            //   746d                 | shl                 ecx, 6

        $sequence_22 = { 8b07 83c404 8d5002 8d642400 668b08 }
            // n = 5, score = 100
            //   8b07                 | call                ebx
            //   83c404               | add                 esp, 8
            //   8d5002               | push                0
            //   8d642400             | push                edx
            //   668b08               | push                esi

        $sequence_23 = { ff15???????? 8bf8 85c0 786d ba58000000 33c9 }
            // n = 6, score = 100
            //   ff15????????         |                     
            //   8bf8                 | mov                 dword ptr [esp + 0x60], esi
            //   85c0                 | mov                 dword ptr [esp + 0x58], esi
            //   786d                 | mov                 dword ptr [esp + 0x50], esi
            //   ba58000000           | dec                 eax
            //   33c9                 | mov                 dword ptr [esp + 0x48], esi

        $sequence_24 = { 8bf0 c1fe05 c1e106 030cb5000c4100 eb02 8bca }
            // n = 6, score = 100
            //   8bf0                 | je                  0x1c
            //   c1fe05               | push                eax
            //   c1e106               | add                 esp, 8
            //   030cb5000c4100       | xor                 edi, edi
            //   eb02                 | sar                 eax, 5
            //   8bca                 | mov                 esi, edi

        $sequence_25 = { f5 c1c002 85e2 e9???????? }
            // n = 4, score = 100
            //   f5                   | mov                 ecx, dword ptr [ecx + eax*8]
            //   c1c002               | dec                 eax
            //   85e2                 | add                 esp, 0x40
            //   e9????????           |                     

        $sequence_26 = { 4883c440 5b c3 448b4310 8bd0 488bcb e8???????? }
            // n = 7, score = 100
            //   4883c440             | inc                 eax
            //   5b                   | cmp                 eax, 4
            //   c3                   | ja                  0xff
            //   448b4310             | dec                 eax
            //   8bd0                 | sub                 esp, 0x20
            //   488bcb               | dec                 eax
            //   e8????????           |                     

        $sequence_27 = { 8b55d8 52 ffd6 33c0 5f 5e }
            // n = 6, score = 100
            //   8b55d8               | mov                 dword ptr [esp + 0x24], eax
            //   52                   | mov                 dword ptr [esp + 0x2c], eax
            //   ffd6                 | mov                 dword ptr [esp + 0x30], eax
            //   33c0                 | mov                 esi, eax
            //   5f                   | mov                 ecx, dword ptr [ebp - 4]
            //   5e                   | push                esi

        $sequence_28 = { 1052f1 89550b 01c7 55 51 1dd3cb602e 357f437332 }
            // n = 7, score = 100
            //   1052f1               | pop                 ebx
            //   89550b               | ret                 
            //   01c7                 | inc                 esp
            //   55                   | mov                 eax, dword ptr [ebx + 0x10]
            //   51                   | mov                 edx, eax
            //   1dd3cb602e           | dec                 eax
            //   357f437332           | mov                 ecx, ebx

        $sequence_29 = { 68???????? 6a00 52 56 }
            // n = 4, score = 100
            //   68????????           |                     
            //   6a00                 | mov                 eax, esi
            //   52                   | xor                 edx, edx
            //   56                   | dec                 eax

        $sequence_30 = { c744246800010000 4889742460 89742458 89742450 4889742448 c744244020000000 c744243801000000 }
            // n = 7, score = 100
            //   c744246800010000     | mov                 dword ptr [esp + 0x60], eax
            //   4889742460           | dec                 eax
            //   89742458             | mov                 dword ptr [esp + 0x68], eax
            //   89742450             | dec                 eax
            //   4889742448           | lea                 ecx, [ebp + 0x180]
            //   c744244020000000     | inc                 esp
            //   c744243801000000     | mov                 eax, edi

        $sequence_31 = { c1f805 8bf7 83e61f c1e606 033485000c4100 c745e401000000 33db }
            // n = 7, score = 100
            //   c1f805               | push                0
            //   8bf7                 | mov                 edx, dword ptr [ebp - 0x28]
            //   83e61f               | push                edx
            //   c1e606               | call                esi
            //   033485000c4100       | xor                 eax, eax
            //   c745e401000000       | pop                 edi
            //   33db                 | pop                 esi

        $sequence_32 = { 48894a38 33d2 488bc8 ff15???????? }
            // n = 4, score = 100
            //   48894a38             | xor                 edx, edx
            //   33d2                 | mov                 dword ptr [esp + 0x68], 0x100
            //   488bc8               | dec                 eax
            //   ff15????????         |                     

        $sequence_33 = { 8b3d???????? 03d9 8d4900 8b4304 83e808 d1e8 8d5308 }
            // n = 7, score = 100
            //   8b3d????????         |                     
            //   03d9                 | mov                 ecx, dword ptr [ebp - 4]
            //   8d4900               | mov                 dword ptr [edi], 0
            //   8b4304               | mov                 eax, dword ptr [edi]
            //   83e808               | xor                 ecx, ebp
            //   d1e8                 | pop                 esi
            //   8d5308               | cmp                 eax, 0x431

        $sequence_34 = { 85c0 0f850a010000 488b8eb8000000 4c8d25038d0000 f0ff09 7511 }
            // n = 6, score = 100
            //   85c0                 | lea                 ecx, [ebp - 0x84]
            //   0f850a010000         | push                ecx
            //   488b8eb8000000       | push                edx
            //   4c8d25038d0000       | add                 ebx, ecx
            //   f0ff09               | lea                 ecx, [ecx]
            //   7511                 | mov                 eax, dword ptr [ebx + 4]

        $sequence_35 = { 55 2d0a08766e 6abd 80e96b 60 }
            // n = 5, score = 100
            //   55                   | dec                 eax
            //   2d0a08766e           | cmp                 eax, ecx
            //   6abd                 | je                  0x7e
            //   80e96b               | inc                 esp
            //   60                   | mov                 eax, esi

        $sequence_36 = { 488d0d97210000 4c8be2 48897810 ff15???????? 498b8c24b8000000 448b6908 8b4918 }
            // n = 7, score = 100
            //   488d0d97210000       | dec                 eax
            //   4c8be2               | mov                 ecx, eax
            //   48897810             | mov                 edi, eax
            //   ff15????????         |                     
            //   498b8c24b8000000     | test                eax, eax
            //   448b6908             | js                  0x6f
            //   8b4918               | mov                 edx, 0x58

        $sequence_37 = { 33c0 6808020000 50 89442420 89442424 8944242c 89442430 }
            // n = 7, score = 100
            //   33c0                 | dec                 esp
            //   6808020000           | mov                 esp, edx
            //   50                   | dec                 eax
            //   89442420             | mov                 dword ptr [eax + 0x10], edi
            //   89442424             | dec                 ecx
            //   8944242c             | mov                 ecx, dword ptr [esp + 0xb8]
            //   89442430             | inc                 esp

        $sequence_38 = { 896c243c 660fcf 68e6ef209f 6687cb 0f98c3 8774243c 53 }
            // n = 7, score = 100
            //   896c243c             | inc                 esp
            //   660fcf               | sub                 eax, eax
            //   68e6ef209f           | dec                 eax
            //   6687cb               | mov                 eax, dword ptr [esp + 0x50]
            //   0f98c3               | dec                 eax
            //   8774243c             | lea                 ecx, [0x7d69]
            //   53                   | dec                 eax

        $sequence_39 = { 4803c3 eb02 33c0 488d154bb00000 488bc8 e8???????? }
            // n = 6, score = 100
            //   4803c3               | lea                 edx, [esp + 0x58]
            //   eb02                 | dec                 eax
            //   33c0                 | lea                 ecx, [0xef5f]
            //   488d154bb00000       | dec                 eax
            //   488bc8               | lea                 eax, [0xa0ba]
            //   e8????????           |                     

    condition:
        7 of them and filesize < 1983488
}