HP Threat Research Blog From PoC to Exploit Kit: Purple Fox now exploits CVE-2021-26411

April 14, 2021 Category: Threat Research By: Patrick Schläpfer Comments: 0

From PoC to Exploit Kit: Purple Fox now exploits CVE-2021-26411

Brief history

Purple Fox is a multi-component malware family that was first documented by Qihoo 360 in September 2018. Originally, it was a trojan that was delivered using the Rig exploit kit (EK). Since then its developers have added new capabilities, including a rootkit component and an exploit kit (also known as Purple Fox EK) to deliver the malware. In mid-2020, Proofpoint suggested that Purple Fox EK may have been developed to replace Rig, plausibly as a cost-saving measure to avoid having to pay another entity to distribute the malware. Exploits against two vulnerabilities, CVE-2020-0674 and CVE-2019-1458, were integrated into Purple Fox at this time. The former exploits a vulnerability in Internet Explorer’s scripting engine to gain code execution, while the latter exploits a vulnerability in win32k.sys to run code with elevated privileges.

In October 2020, SentinelOne described a significant change to Purple Fox’s infection chain and the integration of other privilege escalation exploits. In addition to running several stages of obfuscated PowerShell code to infect systems, Purple Fox’s developers added a feature enabling it to extract other malware stages from image files. Notably, malicious code is hidden inside the images using steganography to avoid detection by web proxies and firewalls.

March 2021 – Purple Fox developers add CVE-2021-26411 exploit

On 12 April 2021, we isolated a Purple Fox EK sample from a HP Sure Click Enterprise customer in the Middle East. Interestingly, the sample attempted to exploit a memory corruption vulnerability in Internet Explorer (CVE-2021-26411) that appeared to be a new addition to Purple Fox’s exploit arsenal. Other Purple Fox EK samples exploiting this vulnerability in the wild were also reported by security researchers.

What is notable about this exploit is that the code run by Purple Fox is very similar to a proof of concept (PoC) published by Enki to the public in mid-March 2021. According to Enki, the PoC script was originally exploited in a social engineering campaign targeting security researchers in January 2021. One possible explanation for their similarity is that the Purple Fox developers simply copied the script from that article. Since the time from PoC to in the wild (ITW) sightings was a couple of weeks (Figure 1), organisations only had a small window to patch before risking compromise by Purple Fox.

Figure 1 – Timeline showing the history of CVE-2021-26411. The PoC-to-ITW time is highlighted in orange.

Infection chain

The user encountered Purple Fox EK after searching for the term “نموذج-تمديد-زيارة-” (“Form-extension-visit-” in Arabic) in Google. They clicked on one of the search results to loislandgraf[.]us, which then led to the exploit via several redirects. During the analysis, we noticed that the exploit is not triggered in every case because geofencing was used to control who is targeted. The attacker’s exact strategy in terms of targeted regions remains unclear. The page could not be accessed from countries such as the USA, UK, France, Germany, the Netherlands and Egypt, whereas Italy, Switzerland, Ireland, Sweden and Japan could trigger the infection chain, although this is not an exhaustive list.

Figure 2 – Purple Fox EK web redirections.

Examining the exploit code shows that it is obfuscated in several stages and encrypted using AES. We were able to recover the source code, which shares many similarities to the PoC code released by Enki. The only major difference between the two is that the shellcode in the Purple Fox exploit script is much longer.

Figure 3 – CVE-2021-26411 exploit shellcode.

The shellcode is straightforward to decode. It runs a PowerShell statement that downloads a file from a remote server and executes it once again with PowerShell. The following diagram shows the process flow of the exploit, which was isolated inside a disposable micro-virtual machine by HP Sure Click Enterprise when the user clicked on the link.

Figure 4 – Process execution flow in HP Sure Controller, showing the exploit that HP Sure Click Enterprise isolated.

The execution of the malware largely corresponds to the infection chain already described by SentinelOne. The script checks whether the user is an administrator and installs the malware using an MSI file if this is the case. If the user is not an administrator, further malware modules are downloaded from the Internet. Steganography now comes into play.

Figure 5 – Purple Fox EK steganographic images (code removed).

PowerShell scripts are extracted from the downloaded images, which are then executed and lead to privilege escalation through one of the integrated exploits:

  • CVE-2015-1701
  • CVE-2018-8120
  • CVE-2019-1458
  • CVE-2019-0808
  • CVE-2020-1054
  • CVE-2021-1732 (Nb. The exploit delivered by Purple Fox EK is similar to this publicly available PoC.)

If the exploit is successful, then the MSI and the payload is installed on the client.

Conclusion

Although we have seen fewer sightings of EKs since 2017, the active development of Purple Fox EK suggests this malware delivery method has not gone completely out of fashion. Purple Fox has been around for over two and a half years, during which its developers have regularly extended the EK with new exploits and additional functionality to bypass detection. The addition of a CVE-2021-26411 exploit about a month after the release of the patch does not rule out the possibility that the vulnerability was exploited by the malware before. However, the code similarity between the Enki PoC and the exploit code run by Purple Fox demonstrates how malware developers can easily and quickly adapt public exploit code to their needs. The short time from PoC to real-world sightings once again shows how important it is to patch security vulnerabilities promptly and to monitor and detect anomalies as they occur.

Indicators of Compromise

JavaScript:
be9fc372f19c9a50c1a72bfb0a59e8c61188ea5c249fee0f861d91943b7e44ff
46114cd251ce7724db978be8ade624c798b125467e1599fac19a31ff099c94d7
bfa9cc5c1ce788349e8c215ce100a8d91f620b12d0b89de9e84aac4e9c271f99

PowerShell:
a1cf6f10a700c70d95941497164b03b08ea63eb3b8f67d88255bf775aa564d1f
a4237b2123f701136a2e1e01eb2fefcb99a8f2ee32ad147e2280fa39aa3f0109
f7938b01fc97daa164bce34c5cd0ab4c02a8c58c9d4a7102364dd9dfe0f90d30

MSI:
f68e95cde6170068ca64f57f34757ddfe9386c888090d02afb32a89204b8bc09
7a8469d5ca87ce05b91cc1e22183513af54f26a0b9684a2f31e6ab243fa2ffde
231485bfd3e299ba3cc51fc6ce48a60b8d205adb3c9c0662210a2e654f593967

Images containing code hidden using steganography:
d20ccd52ffd1a3b831c65a1f1f7955494d267cdf5df3df7a95c47f4de34f72c2
01f954cbc2e1b35c67f86e1ae090f4641ce9d7a40efe0b73517d1817274ffab9
2dea273fa8f6f15297d0f0f98d7e27ac1ec02b59b81c6b7888ae3b99c57b3d8f
419848f8832a9a4cefdfff4d712922cce05aa72bd47b84aafc5276d050072111
0cb6e176a87702a779b73b5cf4787f5dfc6ebf763c895ec37a6422b8335287ab
1a71c739d20fb3c8649a7e620d0d046ba01a3cbeddc5d3b2c2d7fa3b136bae12

Privilege escalation exploits:
ca7bd2830405ed53fd7f56738d7644ff8ecfd5bc63d079d322c99601c6106843
7b9a0b674d9502abe5a7227ef60f3854ef6e12803a74b480581a199c6df3165c
e0092a2d0da3eb745d0b0fbf57c0f68ea781770c216ff7bdeb4cd0029bd4d1c3
079c13fbc30a32e4f0386cd53c56d68404961b8f1cd4d4fde1a1e9def42aa557
7465b738ba31fa2fff7fef1d770ef32e43b01d49a937b3b1c11dc2e4e45fd019
90658e4d79007577c3ad13a79a9d47f39c6949dcca3ee618de476c27b214c5a1

Domains:
www.loislandgraf[.]us
www.healthier-patriot[.]shop
iauisdoenki[.]xyz
eyoruas.iauisdoenki[.]xyz
veoipc.ahntncaiiribi[.]xyz
ahntncaiiribi[.]xyz
cnghfekiutetw[.]xyz
iauisdoenki[.]xyz
ktecydnn[.]xyz
vmendehep[.]xyz
ktecydnn[.]xyz
broad-block-d151.weteon.workers[.]dev
plain-forest-2233.ethcrartb.workers[.]dev
shy-feather-00c8.itttsfbir.workers[.]dev
summer-shadow-5f60.oryfannne.workers[.]dev
rawcdn.githack[.]net

2021-05-12T03:53:29-07:00April 14th, 2021|Threat Research|

Leave A Comment