# PurpleFox Using WPAD to Target Indonesian Users **[trendmicro.com/en_us/research/21/g/purplefox-using-wpad-to-targent-indonesian-users.html](https://www.trendmicro.com/en_us/research/21/g/purplefox-using-wpad-to-targent-indonesian-users.html)** July 1, 2021 [In September 2020, we published a blog describing how the PurpleFox Exploit Kit used Cloudflare services to maintain an infrastructure](https://www.trendmicro.com/en_us/research/20/i/purple-fox-ek-relies-on-cloudflare-for-stability.html) resilient to blocking and detection attempts. Since then, PurpleFox has been maintaining this strategy while at same time improving its attack [chain by incorporating the latest public vulnerabilities into its arsenal.](https://www.trendmicro.com/en_us/research/19/i/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell.html) Recently, we found that PurpleFox added a very old tactic to increase its delivering performance. This time PurpleFox EK is making use of WPAD domains to infect users. While a WPAD abuse attack is a technique that has been around for approximately 14 years, it still works. [Initiatives to prevent this attack help, but they are not sufficient.](https://www.wpadblock.com/) Our systems started detecting victims accessing the “wpad.id” domain, which makes use of the Indonesian top level domain (*.id). We did not find any other country top level domain affected. Using this technique, a zero-click attack can be implemented, as the WPAD URL is accessed whenever the system starts, without any user input. **PurpleFox WPAD landing page** To abuse WPAD, the PurpleFox authors registered the domain “wpad.id” with Cloudflare. They then load the URL for WPAD services, which is [located at http://wpad[.]id/wpad[.]dat. At the time of analysis, this would return a standalone JavaScript version of the CVE-2019-1367 with](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1367) custom shellcode to follow the attack chain setup for the WPAD attack. Figure 1 shows the WPAD resolution and malicious sample delivery. Figure 1. CVE-2019-1367 exploit delivery using WPAD ----- Figure 2. The CVE-2019-1367 JavaScript standalone exploit The custom shellcode downloads the next stage from the URL http://9kf[.]me/in[.]php?id=1. The domain “9kf.me” was no longer accessible by the time we analyzed the samples, but we were be able to find two more active domains, “2kf.me” and “6kf.me,” that contained the same payload. Following the request logic, we retrieved the full chain used in this deployment. The PurpleFox chain is designed with multiple complicated [stages abusing PowerShell and MSI files as previously described by Trend Micro and other researchers. This post will not go into the details;](https://labs.sentinelone.com/purple-fox-ek-new-cves-steganography-and-virtualization-added-to-attack-flow/) we will limit ourselves to showing how the two domains are chained to deliver the full attack chain. ----- Figure 3. The 2kf.me domain redirecting to 6kf.me The domain resolution and access to the attack chain artifacts are all being proxied through Cloudflare servers, as shown in the Figure 4. Figure 4. The attack chain [Analysis of the full chain revealed that the following CVEs were being exploited: CVE-2020-1054,](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1054) [CVE-2018-8120, as well as an exploit for](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8120) MS15-051. The binary exploiting the MS15-051 leak the symbols path C:\Users\K8team\Desktop\ms15-051\ms15-051\ms15-051\Win32\ms15_[05, suggesting that PurpleFox is reusing tools from K8team, which is responsible for maintaining public repositories of CVE exploits POCs and](https://github.com/k8gege/K8tools)_ hack tools. **Defending against PurpleFox** The PurpleFox Exploit Kit continues to be very active and appear to be looking for new infection tactics. Our feedback shows that this specific attempt is not only affecting Indonesian victims, as users in other countries who are using the Indonesian TLD are being affected as well. At same time, PurpleFox is trying to reach servers where the user interaction is minimal but are potentially affected by the WPAD technique, such as unattended machines. Continuous vigilance against threat groups is an important aspect of keeping up with — if not staying one step ahead of — threats. To protect [systems from this type of threat, users can use multilayered security solutions like Trend Micro Protection Suites that help detect and block](https://www.trendmicro.com/en_us/business/products/user-protection.html) attacks. [Trend Micro Vision One™ also provides visibility, correlated detection, and behavior monitoring across multiple layers, such as emails,](https://www.trendmicro.com/en_us/business/products/detection-response.html) ----- e dpo ts, se e s, a d c oud o oads s e su es t at o s g ca t c de ts go u ot ced a d a o s aste espo se to t eats be o e they can do any real damage to the system. **Indicators of Compromise** _Files_ SHA256 Filename Trend Micro Detection Name 1aa1df57f786224f4997f1d6284a123176291f3f3d43bc4b942ae423c58cc356 winupdate64.log Trojan.Win64.FUPORPLEX.D 3039208b2a34bb2e71bc6a77ae3be2fa588abd359fdb0068253739f3839f3425 2020-09-09_16-2529_764_raw.githack.store_P11-2_PurpleFox.exe.bak Trojan.Win32.CVE20188120.E 36725374d7ec66c9876eb1d5edc2a5889643e01dbd0ac7a6705babbc3c3ea6a9 M0011.cab Trojan.Win32.FUPORPLEX.E 61113a0acd6469ce0d860db55c2afa3cdcbac2f5411fe8259cca43c10c042239 1505132.jpg TROJ_CVE20151701.B 905cc7b3027cad361ae7a29969dfd7e63f8f1189d7e0abdf5b2efe0f1ec13e5c pe_1 Trojan.Win32.CVE20190808.A db7c4a360b460a13148d6e5fff530afaa0fa161959166cdab342d0aa9760ba68 sysupdate.log Backdoor.Win32.FUPORFLEX f09c502f4b5862641b3c3eff19ae96d949fab465b3fddd1888fe945817c9e2fd N/A Trojan.Win32.FUPORPLEX.E _URLs_ http://2kf[.]me/in[.]php http://6kf[.]me/in[.]php http://9kf[.]me/in[.]php Cyber Threats The PurpleFox Exploit Kit is now being distributed via WPAD attacks targeting Indonesian users. By: William Gamazo Sanchez July 01, 2021 Read time: ( words) Content added to Folio -----