Purple Fox Description
Purple Fox Trojan
The Purple Fox Trojan downloader has been on the radar of malware researchers since 2018. By the end of 2019 the Trojan had reportedly claimed over 30,000 victims worldwide; that figure had grown to roughly 90,000 by mid-2020 and showed no signs of slowing down.
For several years the operators of Purple Fox have relied on phishing campaigns and exploit kits, most notably the RIG Exploit Kit, to deliver the Trojan to targeted hosts and keep it in circulation.
New Implications in 2021
Purple Fox's longevity stems from the rootkit module it carries, which lets it evade antivirus detection once it lands on a targeted Windows PC. In 2021 the actors behind Purple Fox added a further capability: the malware now brute-forces the passwords of Windows machines that expose SMB with weak credentials, and infects the ones it manages to log in to.
More recent analyses suggest that the scope of the new Purple Fox infections may be much greater than expected. The operators appear to have compromised an unknown number of old Microsoft IIS 7.5 and Microsoft FTP servers worldwide; such outdated servers are easy prey for attackers. Those servers now host the Purple Fox malware itself and all of its payloads as a set of MSI packages. On top of that, each newly infected machine becomes yet another node in Purple Fox's global network.
Purple Fox's payload originally relied on the NSIS installer; it later moved to PowerShell commands, which made the attacks more efficient and less likely to be caught by anti-malware tools. The 2021 wave goes a step further and uses a worm-like module to spread. A victim is either lured through a phishing campaign or compromised directly by a successful SMB brute-force attack. In the browser path, the attack probes the web browsers installed on the victim's machine for exploitable flaws and, if one is found, redirects the victim to attacker-controlled URLs hosting the Purple Fox MSI file.
The Purple Fox MSI installer itself is disguised as a fake Windows update whose dialog box contains nothing but random Chinese characters. The character set differs for each targeted device, so no two Purple Fox MSI installers look alike; this is only a gimmick, since they all share a common origin. Each MSI installer carries a rootkit and a pair of DLLs, one for 32-bit and one for 64-bit systems. The rootkit hides specific registry keys and files to hinder reverse engineering of Purple Fox. The DLL, in turn, shields the machine from other infections, establishes persistence at system startup, and sends probes to port 445 to brute-force SMB credentials on other hosts.
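The two SMB behaviours described above, worm-style probing of port 445 across many hosts and repeated failed logons against a single host, are easy to spot in connection logs. The following detector is an added example, not part of the original page and not Purple Fox code. It runs over constructed log lines in a simple "timestamp src dst port outcome" shape, an assumed format standing in for whatever your firewall, NetFlow or SMB audit logging actually emits; the thresholds and addresses are illustrative.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample connection log (NOT a real capture): one line per TCP
# connection attempt, "timestamp src dst dport outcome". 10.0.0.5 behaves like a
# Purple Fox worm probing port 445 across the subnet, 10.0.0.9 hammers one SMB
# server with failed logons, and 10.0.0.7 is ordinary file-share use.
SAMPLE_LOG = """\
2021-03-24T10:00:00 10.0.0.5 10.0.0.11 445 FAIL
2021-03-24T10:00:03 10.0.0.5 10.0.0.12 445 FAIL
2021-03-24T10:00:06 10.0.0.5 10.0.0.13 445 OK
2021-03-24T10:00:09 10.0.0.5 10.0.0.14 445 FAIL
2021-03-24T10:00:12 10.0.0.5 10.0.0.15 445 FAIL
2021-03-24T10:00:15 10.0.0.5 10.0.0.16 445 FAIL
2021-03-24T10:00:18 10.0.0.5 10.0.0.17 445 FAIL
2021-03-24T10:00:21 10.0.0.5 10.0.0.18 445 OK
2021-03-24T10:00:24 10.0.0.5 10.0.0.19 445 FAIL
2021-03-24T10:00:27 10.0.0.5 10.0.0.20 445 FAIL
2021-03-24T10:00:30 10.0.0.5 10.0.0.21 445 FAIL
2021-03-24T10:00:33 10.0.0.5 10.0.0.22 445 FAIL
2021-03-24T10:01:00 10.0.0.9 10.0.0.20 445 FAIL
2021-03-24T10:01:02 10.0.0.9 10.0.0.20 445 FAIL
2021-03-24T10:01:04 10.0.0.9 10.0.0.20 445 FAIL
2021-03-24T10:01:06 10.0.0.9 10.0.0.20 445 FAIL
2021-03-24T10:01:08 10.0.0.9 10.0.0.20 445 FAIL
2021-03-24T10:01:10 10.0.0.9 10.0.0.20 445 FAIL
2021-03-24T10:02:00 10.0.0.7 10.0.0.30 445 OK
2021-03-24T10:02:05 10.0.0.7 10.0.0.31 445 FAIL
2021-03-24T10:02:06 10.0.0.7 10.0.0.31 445 OK
2021-03-24T10:02:30 10.0.0.7 10.0.0.40 443 OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (OK|FAIL)$")


def parse(lines):
    """Parse log lines into (ts, src, dst, port, outcome), oldest first.
    Malformed lines are skipped so one bad record cannot stall the detector."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, port, outcome = m.groups()
            events.append((datetime.fromisoformat(ts), src, dst, int(port), outcome))
    events.sort()
    return events


def detect(lines, scan_targets=10, bruteforce_fails=5, window_s=60):
    """Two sliding-window rules over port-445 traffic:
      smb_scan       - one source touches >= scan_targets distinct hosts on 445
                       within window_s seconds (worm-style probing)
      smb_bruteforce - one src->dst pair records >= bruteforce_fails failures
                       within window_s seconds (credential guessing)
    Each (rule, source[, destination]) fires at most once per run."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)   # src -> deque[(ts, dst)]
    fails = defaultdict(deque)    # (src, dst) -> deque[ts]
    fired, alerts = set(), []
    for ts, src, dst, port, outcome in parse(lines):
        if port != 445:
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:      # drop events older than the window
            q.popleft()
        targets = {d for _, d in q}
        if len(targets) >= scan_targets and ("smb_scan", src) not in fired:
            fired.add(("smb_scan", src))
            alerts.append({"rule": "smb_scan", "src": src,
                           "targets": len(targets), "at": ts.isoformat()})
        if outcome != "FAIL":
            continue
        f = fails[(src, dst)]
        f.append(ts)
        while ts - f[0] > window:
            f.popleft()
        if len(f) >= bruteforce_fails and ("smb_bruteforce", src, dst) not in fired:
            fired.add(("smb_bruteforce", src, dst))
            alerts.append({"rule": "smb_bruteforce", "src": src, "dst": dst,
                           "failures": len(f), "at": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Both rules are keyed on a sliding window rather than a fixed bucket so a burst that straddles a minute boundary is still caught; the ordinary file-share user stays silent because a single failure and two destinations are well under the thresholds. In a real deployment the scan threshold should be tuned to what legitimate scanners (vulnerability management, backup agents) do on your network.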
While Purple Fox mainly serves to plant crypto-mining payloads onto compromised hosts, its architecture is versatile enough to deploy much more severe infections, as well.
Exploit kits (EKs) have not been among the trending cybersecurity threats recently. Yet a family of fileless downloaders that was once delivered through exploit kits, known as Purple Fox, is making headlines again. In 2018 over 30,000 users fell victim to Purple Fox. Later, malware researchers came across a new variant that added a few more Microsoft exploits to its arsenal. The malware's main goal remains the same: to deploy other threats on target systems, such as Trojans, ransomware, crypto miners, and info stealers.
Previously, Purple Fox arrived through the third-party RIG exploit kit. Since 2019, however, its operators have used Microsoft PowerShell to deliver and retrieve the malware, effectively replacing the RIG EK with a delivery mechanism of their own. The upgraded variant can exploit two additional Microsoft vulnerabilities: CVE-2019-1458, a local privilege escalation flaw, and CVE-2020-0674, a memory corruption bug in the Internet Explorer scripting engine. Both have been patched, but the operators' willingness to keep adopting recently patched vulnerabilities signals that exploit kits should remain on defenders' radar.
Exploits Used by the Purple Fox Trojan
Apart from the RIG Exploit Kit, the operators of the Purple Fox Trojan downloader likely employ other propagation methods; experts believe it may also spread via malvertising campaigns and bogus downloads. The RIG Exploit Kit used to spread Purple Fox checks victims for several vulnerabilities:
- VBScript – CVE-2018-8174.
- Adobe Flash – CVE-2018-15982.
- Internet Explorer – CVE-2014-6332.
- If the compromised account lacks administrator permissions, the threat attempts local privilege escalation through CVE-2018-8120 or CVE-2015-1701.
Like prior versions of the Purple Fox downloader, this variant uses admin-level privileges to mask its presence on the system by imitating files already present on the host, for instance through malicious drivers that pose as legitimate ones.
Purple Fox Exploits Vulnerabilities Through Microsoft PowerShell
Purple Fox exploits unpatched vulnerabilities to run PowerShell and download additional malware onto insufficiently protected systems. An attack typically begins when a user visits a compromised website injected with a Purple Fox script. The script fingerprints the browser for the vulnerabilities it needs and exploits the machine while the user is still on the page. Users usually land on such pages after being redirected by malicious ads or spam e-mails.
When the infection relies on CVE-2020-0674, Purple Fox targets jscript.dll, the scripting library used by the browser. The exploit leaks an address from a RegExp object in that library, walks memory from it to the jscript.dll PE header, and then locates the import descriptor, through which it resolves the functions its shellcode needs. The shellcode then finds WinExec and creates a process that launches the actual malware.
After a reboot, Purple Fox uses its rootkit capabilities to hide its registry entries and files. Researchers have observed that the rootkit component is built on open-source code, which the malware uses to hide its DLL and hinder reverse engineering.
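To make the header walk concrete, here is an added example (not the page's code and not the malware's) that performs the same three steps on a constructed, minimal 64-bit in-memory PE image: from an address leaked somewhere inside the module it steps back page by page to the MZ/PE headers, walks the import directory's IMAGE_IMPORT_DESCRIPTOR entries, and reads the IAT slot for a named import such as kernel32!WinExec. The function names (build_image, find_module_base, resolve_import), the image layout, the module base and the "resolved" addresses are all made up for the demonstration; the structure offsets (e_lfanew at 0x3C, data directory at optional-header offset 112 for PE32+, 20-byte import descriptors) are the real PE format.

```python
import struct

PAGE = 0x1000                      # granularity of the backward MZ scan
IMAGE_DIRECTORY_ENTRY_IMPORT = 1   # index into the optional header's data directory

# Constructed stand-in for a loaded jscript.dll: DLL -> {function: resolved address}.
# The addresses are invented for this example.
IMPORTS = {
    "kernel32.dll": {"LoadLibraryA": 0x7FFB20001000, "WinExec": 0x7FFB20002000},
    "msvcrt.dll": {"memcpy": 0x7FFB30001000},
}


def build_image(imports, base=0x7FF800000000):
    """Assemble a minimal mapped PE32+ image (headers plus an import directory,
    no sections) so that RVAs equal offsets, as they do in a loaded module."""
    img = bytearray(0x3000)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                 # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PtrSymTab,
    # NumSymbols, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", img, 0x84, 0x8664, 0, 0, 0, 0, 240, 0x2022)
    opt = 0x98
    struct.pack_into("<H", img, opt, 0x20B)                 # PE32+ magic
    struct.pack_into("<Q", img, opt + 24, base)             # ImageBase
    struct.pack_into("<I", img, opt + 56, len(img))         # SizeOfImage
    struct.pack_into("<I", img, opt + 108, 16)              # NumberOfRvaAndSizes
    import_dir = 0x1000
    struct.pack_into("<II", img, opt + 112 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT,
                     import_dir, 20 * (len(imports) + 1))
    desc, blob = import_dir, 0x2000                          # blob: names and thunks
    for dll, funcs in imports.items():
        name_rva, blob = blob, blob + len(dll) + 1           # NUL-terminated DLL name
        img[name_rva:name_rva + len(dll)] = dll.encode()
        blob = (blob + 7) & ~7
        int_rva, iat_rva = blob, blob + 8 * (len(funcs) + 1)
        blob = iat_rva + 8 * (len(funcs) + 1)
        for i, (func, addr) in enumerate(funcs.items()):
            img[blob + 2:blob + 2 + len(func)] = func.encode()  # IMAGE_IMPORT_BY_NAME, hint 0
            struct.pack_into("<Q", img, int_rva + 8 * i, blob)  # INT: RVA of the name entry
            struct.pack_into("<Q", img, iat_rva + 8 * i, addr)  # IAT: what the loader wrote
            blob = (blob + 2 + len(func) + 1 + 7) & ~7
        # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain,
        # Name, FirstThunk. The zeroed bytes after the last one act as terminator.
        struct.pack_into("<IIIII", img, desc, int_rva, 0, 0, name_rva, iat_rva)
        desc += 20
    return bytes(img), base


def cstring(mem, off):
    return mem[off:mem.index(b"\0", off)].decode()


def find_module_base(mem, base, leaked):
    """From any address inside the module, step back one page at a time until an
    'MZ' whose e_lfanew points at a valid 'PE\\0\\0' signature is found."""
    addr = leaked & ~(PAGE - 1)
    while addr >= base:
        off = addr - base
        if mem[off:off + 2] == b"MZ":
            e_lfanew = struct.unpack_from("<I", mem, off + 0x3C)[0]
            if mem[off + e_lfanew:off + e_lfanew + 4] == b"PE\0\0":
                return addr
        addr -= PAGE
    return None


def resolve_import(mem, base, module_base, dll, func):
    """Walk the import directory and return the address the loader stored in the
    IAT slot for dll!func, or None if the module does not import it by name."""
    off = module_base - base
    e_lfanew = struct.unpack_from("<I", mem, off + 0x3C)[0]
    opt = off + e_lfanew + 24                                # optional header follows PE sig + file header
    pe32plus = struct.unpack_from("<H", mem, opt)[0] == 0x20B
    ddir = opt + (112 if pe32plus else 96)
    thunk, fmt = (8, "<Q") if pe32plus else (4, "<I")
    import_rva = struct.unpack_from("<I", mem, ddir + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)[0]
    desc = off + import_rva
    while True:
        oft, _, _, name_rva, iat_rva = struct.unpack_from("<IIIII", mem, desc)
        if name_rva == 0:
            return None                                      # null descriptor: end of table
        if cstring(mem, off + name_rva).lower() == dll.lower():
            for i in range(0x1000):
                entry = struct.unpack_from(fmt, mem, off + oft + i * thunk)[0]
                if entry == 0:
                    break                                    # end of this DLL's thunks
                if entry >> (8 * thunk - 1):
                    continue                                 # import by ordinal, no name
                if cstring(mem, off + entry + 2) == func:
                    return struct.unpack_from(fmt, mem, off + iat_rva + i * thunk)[0]
        desc += 20


if __name__ == "__main__":
    mem, base = build_image(IMPORTS)
    leaked = base + 0x2345                  # stands in for the RegExp-derived leak
    module = find_module_base(mem, base, leaked)
    print(hex(module), hex(resolve_import(mem, base, module, "kernel32.dll", "WinExec")))
```

The same walk works on a real mapped module if you replace the constructed image with memory read from the process, which is why leaking any pointer into jscript.dll is enough for an exploit to reach kernel32 functions without hard-coding addresses. For defenders, the useful observation is the opposite one: the chain depends on being able to read the module headers and IAT, so the mitigation is the patch, not address secrecy.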
You Can Avoid Purple Fox
Users can avoid falling victim to Purple Fox and other malware delivered through exploit kits by following a few simple rules. First, keep Windows up to date by installing the latest patches for known vulnerabilities. Second, monitor and restrict access to administrative tools so that the principle of least privilege is enforced. Given the SMB brute-force component, also avoid exposing SMB (port 445) to untrusted networks and use strong, unique passwords for accounts that can log in over it. Finally, a professional anti-malware solution with multiple layers of protection will help disarm threats like Purple Fox.
Users need to take cybersecurity more seriously. One of the most common recommendations from malware researchers is to keep all software updated; unfortunately, many users find this too tedious. Yet if your applications are up to date, a threat like the Purple Fox Trojan downloader loses most of its ways into your system, since its exploit-based delivery relies on vulnerabilities in outdated software. Also make sure a legitimate anti-malware solution is present to help detect and remove unwanted applications.