HP Threat Research Blog From PoC to Exploit Kit: Purple Fox now exploits CVE-2021-26411

April 14, 2021 Category: Threat Research By: Patrick Schläpfer Comments: 0

From PoC to Exploit Kit: Purple Fox now exploits CVE-2021-26411

Brief history

Purple Fox is a multi-component malware family that was first documented by Qihoo 360 in September 2018. Originally, it was a trojan that was delivered using the Rig exploit kit (EK). Since then its developers have added new capabilities, including a rootkit component and an exploit kit (also known as Purple Fox EK) to deliver the malware. In mid-2020, Proofpoint suggested that Purple Fox EK may have been developed to replace Rig, plausibly as a cost-saving measure to avoid having to pay another entity to distribute the malware. Exploits against two vulnerabilities, CVE-2020-0674 and CVE-2019-1458, were integrated into Purple Fox at this time. The former exploits a vulnerability in Internet Explorer’s scripting engine to gain code execution, while the latter exploits a vulnerability in win32k.sys to run code with elevated privileges.

In October 2020, SentinelOne described a significant change to Purple Fox’s infection chain and the integration of other privilege escalation exploits. In addition to running several stages of obfuscated PowerShell code to infect systems, Purple Fox’s developers added a feature enabling it to extract other malware stages from image files. Notably, malicious code is hidden inside the images using steganography to avoid detection by web proxies and firewalls.

March 2021 – Purple Fox developers add CVE-2021-26411 exploit

On 12 April 2021, we isolated a Purple Fox EK sample from a HP Sure Click Enterprise customer in the Middle East. Interestingly, the sample attempted to exploit a memory corruption vulnerability in Internet Explorer (CVE-2021-26411) that appeared to be a new addition to Purple Fox’s exploit arsenal. Other Purple Fox EK samples exploiting this vulnerability in the wild were also reported by security researchers.

What is notable about this exploit is that the code run by Purple Fox is very similar to a proof of concept (PoC) published by Enki to the public in mid-March 2021. According to Enki, the PoC script was originally exploited in a social engineering campaign targeting security researchers in January 2021. One possible explanation for their similarity is that the Purple Fox developers simply copied the script from that article. Since the time from PoC to in the wild (ITW) sightings was a couple of weeks (Figure 1), organisations only had a small window to patch before risking compromise by Purple Fox.

Figure 1 – Timeline showing the history of CVE-2021-26411. The PoC-to-ITW time is highlighted in orange.

Infection chain

The user encountered Purple Fox EK after searching for the term “نموذج-تمديد-زيارة-” (“Form-extension-visit-” in Arabic) in Google. They clicked on one of the search results to loislandgraf[.]us, which then led to the exploit via several redirects. During the analysis, we noticed that the exploit is not triggered in every case because geofencing was used to control who is targeted. The attacker’s exact strategy in terms of targeted regions remains unclear. The page could not be accessed from countries such as the USA, UK, France, Germany, the Netherlands and Egypt, whereas Italy, Switzerland, Ireland, Sweden and Japan could trigger the infection chain, although this is not an exhaustive list.

Figure 2 – Purple Fox EK web redirections.

Examining the exploit code shows that it is obfuscated in several stages and encrypted using AES. We were able to recover the source code, which shares many similarities to the PoC code released by Enki. The only major difference between the two is that the shellcode in the Purple Fox exploit script is much longer.

Figure 3 – CVE-2021-26411 exploit shellcode.

The shellcode is straightforward to decode. It runs a PowerShell statement that downloads a file from a remote server and executes it once again with PowerShell. The following diagram shows the process flow of the exploit, which was isolated inside a disposable micro-virtual machine by HP Sure Click Enterprise when the user clicked on the link.