# Purple Fox Rootkit Now Propagates as a Worm **[guardicore.com/labs/purple-fox-rootkit-now-propagates-as-a-worm/](https://www.guardicore.com/labs/purple-fox-rootkit-now-propagates-as-a-worm/)** ## Executive Summary Purple Fox is an active malware campaign targeting Windows machines. Up until recently, Purple Fox’s operators infected machines by using exploit kits and phishing emails. Guardicore Labs have identified a new infection vector of this malware where internet-facing Windows machines are being breached through SMB password brute force. Guardicore Labs have also identified Purple Fox’s vast network of compromised servers hosting its dropper and payloads. These servers appear to be compromised Microsoft IIS 7.5 servers. The Purple Fox malware includes a rootkit which allows the threat actors to hide the malware on the machine and make it difficult to detect and remove. ----- ### Introduction During the last few weeks, the Guardicore Labs team have been tracking a new campaign distributing the Purple Fox malware. Purple Fox was discovered in March of 2018 and was covered as an exploit kit targeting Internet Explorer and Windows machines with various privilege escalation exploits. However, throughout the end of 2020 and the beginning of 2021, Guardicore Global Sensors Network (GGSN) detected Purple Fox’s novel spreading technique via indiscriminate port scanning and exploitation of exposed SMB services with weak passwords and hashes. By leveraging the capabilities of GGSN, we were able to track the spread of Purple Fox. As can be seen in the above graph, May of 2020 brought a significant amount of malicious activity and the number of infections that we have observed has risen by roughly 600% and amounted to a total of 90,000 attacks as of writing this paper. While it appears that the functionality of Purple Fox hasn’t changed much post exploitation, its spreading and distribution methods – and its worm-like behavior – are much different than described in previously published articles. Throughout our research, we have observed an infrastructure that appears to be made out of a hodge-podge of vulnerable and exploited servers hosting the initial payload of the malware, infected machines which are serving as ----- nodes of those constantly worming campaigns, and server infrastructure that appears to be related to other malware campaigns. In this blog post we will detail our findings about the new worm activity and share IOCs. ### Attack Analysis The attackers are hosting various MSI packages on nearly 2,000 servers (see IOCs section), which to our assessment are compromised machines which were repurposed to host malicious payloads. Our assumption is based on scanning multiple servers, looking at the services that are hosted on them from the perspective of operating system versions, and server versions. We have established that the vast majority of the servers, which are serving the initial payload, are running on relatively old versions of Windows Server running IIS version 7.5 and Microsoft FTP, which are known to have multiple vulnerabilities with varying severity levels. According to our findings, there are several ways for this campaign to start spreading: 1. The worm payload is being executed after a victim machine is compromised through a vulnerable exposed service (such as SMB). 2. The worm payload is being sent via email through a phishing campaign (which could tie the previously published findings about Purple Fox) which exploits a browser vulnerability. We have identified multiple samples that were submitted to VirusTotal through email scanners. ----- Once code execution is achieved on the victim machine, a new service whose name matches the regex AC0[0-9]{1} — e.g. AC01, AC02, AC05, etc. will be created, the purpose of this service would be to establish persistence and to execute a simple command with a ‘for loop’, the purpose of this command would be to iterate through a number of URLs which contain the MSI that installs Purple Fox on the machine. ----- As can be seen in the screenshot from the Guardicore Centra platform, msiexec will be executed with the /i flag, in order to download and install the malicious MSI package from one of the hosts in the statement. It will also be executed with the /Q flag for “quiet” execution, meaning, no user interaction will be required. Once the package is executed, the MSI installer will launch. For analysis purposes,We have executed the MSI installer without the /Q flag (As if it’s being executed directly from an email attachment), the installer will present the following window: The installer pretends to be a Windows Update package along with Chinese text which roughly translates to “Windows Update” and random letters. These letters are randomly generated between each different MSI installer to create a different hash and make it a bit difficult to tie between different versions of the same MSI. This is a “cheap” and simple way of evading various detection methods such as static signatures. Additionally, we have identified MSI packages with the same strings but with random null bytes appended to them in order to create different hashes of the same file. ----- We were, however, able to find many different versions of the same MSI and its payloads, as can be seen in the following screenshot from VT graph. ----- As the installation progresses, the installer will extract the payloads and decrypt them from within the MSI package. The MSI package contains three files: 1. A 64bit DLL payload (winupdate64). 2. A 32bit DLL payload (winupdate32). 3. An encrypted file containing a rootkit. As a part of the installation process, the malware modifies the windows firewall by executing multiple netsh commands. The malware adds a new policy named Qianye to the windows firewall. Under this policy, it creates a new filter called Filter1 and under this filter, it prohibits ports 445, 139, 135 on both TCP and UDP from any IP address on the internet (0.0.0.0) to connect to the infected machine, we believe that the attackers are doing it in order to prevent the infected machine from being reinfected, and/or to be exploited by a different threat actor. Once the aforementioned files are being extracted, they will be executed. This can be seen as the malware is executing the following commands: ``` netsh.exe ipsec static add policy name=qianye netsh.exe ipsec static add filterlist name=Filter1 netsh.exe ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP netsh.exe ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP netsh.exe ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP netsh.exe ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP netsh.exe ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP netsh.exe ipsec static set policy name=qianye assign=y netsh.exe ipsec static add rule name=Rule1 policy=qianye filterlist=Filter1 filteraction=FilteraAtion1 netsh.exe ipsec static add rule name=Rule1 policy=qianye filterlist=Filter1 netsh.exe ipsec static add filteraction name=FilteraAtion1 action=block ``` Additionally, the malware will install an IPv6 interface on the machine by executing the command: ``` netsh.exe interface ipv6 install ``` ----- This action is taken in order to allow the malware to port scan ipv6 addresses as well to maximize the efficiency of the spread over (usually unmonitored) ipv6 subnets. **Important note:** _These commands can be used as Indicators of Behavior (IoBs) in order to check if your_ _environment is compromised._ Additionally, These netsh commands have also appeared in previous campaigns and are not exclusive to this iteration of Purple Fox. These commands, specifically with the Qianye policy [name have been documented as a part of Rig EK and NuggetPhantom.](https://isc.sans.edu/forums/diary/Rig+Exploit+Kit+Delivering+VBScript/25318/) The last step of Purple Fox’s deployment before restarting the machine is to load the rootkit that’s hidden inside the encrypted payload in the MSI package. [According to our analysis, the rootkit is based on the hidden open source rootkit project.](https://github.com/JKornev/hidden/) The purpose of this rootkit is to hide various registry keys and values, files, etc., as detailed by its author on the git repository. Ironically enough, the hidden rootkit was developed by a security researcher in order to conduct various malware analysis tasks and to keep all of these research tasks hidden from the malware. ----- [This rootkit and its relationship with Purple Fox was detailed in this article by 360 Security.](https://blog.360totalsecurity.com/en/purple-fox-trojan-burst-out-globally-and-infected-more-than-30000-users/) Once the rootkit is loaded, the installer will reboot the machine in order to rename the malware DLL into a system DLL file that will be executed on boot. Since we executed the malware in our lab without the /Q flag, we were presented with the following window which asks us to restart the machine: Once the machine is restarted, the malware will be executed as well. After it’s execution, the malware will start its propagation process: the malware will generate IP ranges and start scanning them on port 445. As the machine responds to the SMB probe that’s being sent on port 445, it will try to authenticate to SMB by brute forcing usernames and passwords or by trying to establish a null session. ----- If the authentication is successful, the malware will create a service whose name matches the regex AC0[0-9]{1} — e.g. AC01, AC02, AC05 (as mentioned before) that will download the MSI installation package from one of the many HTTP servers and thus will complete the infection loop. ### Indicators of Compromise [IOCs are available in our IOC github repository](https://github.com/guardicore/labs_campaigns/tree/master/Purple_Fox) -----