Purple Fox Uses New Arrival Vector and Improves Malware Arsenal

Purple Fox is a long-running botnet whose operators have adopted a new arrival vector: trojanized installers that masquerade as legitimate applications and carry the first-stage loader. The campaign grows the botnet with new second-stage payloads, including a FatalRAT variant, and with an improved rootkit and AV-evasion toolset. Hashtags: #PurpleFox #FatalRAT

Keypoints

  • The attackers distribute the malware as software packages disguised as legitimate installers, using popular application names such as Telegram, WhatsApp, Adobe, and Chrome.
  • The first-stage loader selects the second-stage payload by a single character, the last character of the module filename, which it sends in its request to the first-stage C&C server.
  • Second-stage payloads are hosted on an exposed HTTP file server (HFS) and are updated over time; the researchers tracked how often each payload changed.
  • Notable components include a shellcode-based user-mode loader, a rootkit with AV-evasion capabilities, and a remote access trojan (FatalRAT) that is updated incrementally across the observed clusters.
  • The second stage is delivered as an svchost.txt container holding several PE modules; which modules are dropped, and in what order, is driven by that last character of the requested package name.
  • New capabilities include a kernel-mode AV-killer rootkit that exposes IOCTL commands for disabling or interfering with security tools, for example by unregistering mini-filter drivers. Because the filter is unregistered in the kernel rather than uninstalled, the driver service can still look intact; comparing the live filter list (for example, the output of fltmc filters) against a known-good baseline exposes the gap.
  • The threat actors sign their kernel drivers with revoked or stolen code-signing certificates, which lets the drivers load in kernel mode for persistence and evasion. The certificates were issued to Hangzhou Hootian Network Technology, Shanghai Oceanlink Software Technology, and Shanghai easy kradar Information Consulting.
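The svchost.txt container in the key points above holds several PE modules that the loader drops in the second stage. The following Python is an added forensic example written for this page, not code from Trend Micro's report or from the Purple Fox toolkit. It assumes the modules sit back-to-back as raw PE images (the page does not describe the real container layout, so an encrypted or packed container would need decoding first), carves each image out by walking its headers to find its on-disk size, and classifies it as a DLL, an EXE or a native-subsystem image of the kind a kernel driver is, which is where the drivers signed with revoked certificates would surface. All sample input is constructed inline.

```python
"""
Carve and triage the PE modules stored inside a container file such as
svchost.txt. Added example, not code from Trend Micro or Purple Fox.
Assumption: modules are stored back-to-back as raw PE images.
"""
import struct

MZ_MAGIC = b"MZ"
PE_MAGIC = b"PE\0\0"
IMAGE_FILE_DLL = 0x2000
IMAGE_SUBSYSTEM_NATIVE = 1          # subsystem used by kernel drivers
SECTION_HEADER_SIZE = 40


def parse_pe_at(buf, mz_off):
    """Describe the PE image starting at mz_off, or return None if invalid."""
    if buf[mz_off:mz_off + 2] != MZ_MAGIC or mz_off + 0x40 > len(buf):
        return None
    pe_off = mz_off + struct.unpack_from("<I", buf, mz_off + 0x3C)[0]  # e_lfanew
    if pe_off + 24 > len(buf) or buf[pe_off:pe_off + 4] != PE_MAGIC:
        return None
    # COFF file header (20 bytes) follows the PE signature.
    machine, nsections, _, _, _, opt_size, characteristics = struct.unpack_from(
        "<HHIIIHH", buf, pe_off + 4)
    opt_off = pe_off + 24
    if opt_size < 70 or opt_off + opt_size > len(buf):
        return None
    # Subsystem sits at offset 68 in both PE32 and PE32+ optional headers.
    subsystem = struct.unpack_from("<H", buf, opt_off + 68)[0]
    # On-disk size: the furthest end of any section's raw data (or the headers).
    sect_off = opt_off + opt_size
    end = sect_off + nsections * SECTION_HEADER_SIZE
    for i in range(nsections):
        hdr = sect_off + i * SECTION_HEADER_SIZE
        if hdr + SECTION_HEADER_SIZE > len(buf):
            return None
        raw_size, raw_ptr = struct.unpack_from("<II", buf, hdr + 16)
        end = max(end, mz_off + raw_ptr + raw_size)
    if end > len(buf):
        return None
    if subsystem == IMAGE_SUBSYSTEM_NATIVE:
        kind = "native (driver-style)"
    elif characteristics & IMAGE_FILE_DLL:
        kind = "dll"
    else:
        kind = "exe"
    return {"offset": mz_off, "size": end - mz_off, "machine": machine, "kind": kind}


def carve_pe_modules(buf):
    """Scan buf for embedded PE images, skipping past each valid image found."""
    found = []
    pos = buf.find(MZ_MAGIC)
    while pos != -1:
        info = parse_pe_at(buf, pos)
        if info:
            found.append(info)
            pos = buf.find(MZ_MAGIC, pos + info["size"])
        else:
            pos = buf.find(MZ_MAGIC, pos + 1)     # stray "MZ" bytes, keep scanning
    return found


def build_fake_pe(kind, payload):
    """Constructed sample (not real malware): a minimal PE32 wrapping payload."""
    characteristics = 0x0102          # EXECUTABLE_IMAGE | 32BIT_MACHINE
    subsystem = 3                     # IMAGE_SUBSYSTEM_WINDOWS_CUI
    if kind == "dll":
        characteristics |= IMAGE_FILE_DLL
    elif kind == "driver":
        subsystem = IMAGE_SUBSYSTEM_NATIVE
    opt_size = 0xE0                   # standard PE32 optional header size
    headers_len = 0x40 + 4 + 20 + opt_size + SECTION_HEADER_SIZE
    dos = MZ_MAGIC + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)         # PE32 magic
    struct.pack_into("<H", opt, 68, subsystem)
    section = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", len(payload), 0x1000, len(payload), headers_len, 0, 0, 0, 0, 0x60000020)
    return dos + PE_MAGIC + coff + bytes(opt) + section + payload


def build_sample_container():
    """Constructed svchost.txt-like blob: junk, three modules, trailing padding."""
    return (b"JUNK HEADER MZ not a real image\n"
            + build_fake_pe("dll", b"loader" * 10)
            + build_fake_pe("driver", b"rootkit" * 10)
            + build_fake_pe("exe", b"rat" * 10)
            + b"\0" * 16)


if __name__ == "__main__":
    for m in carve_pe_modules(build_sample_container()):
        print(f"offset=0x{m['offset']:x} size={m['size']} "
              f"machine=0x{m['machine']:x} kind={m['kind']}")
```

On a real sample, hash each carved region and check the native-subsystem images' Authenticode signers against the certificate names listed in the indicators below; the stray "MZ" in the junk prefix shows why the scanner validates the full header chain before trusting a hit.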

MITRE Techniques

  • [T1036] Masquerading – The first-stage loader is wrapped in software packages that carry the names of popular legitimate applications (Telegram, WhatsApp, Adobe, Chrome). ‘The attackers distribute their malware using disguised software packages that encapsulate the first stage loader. They use popular legitimate application names like Telegram, WhatsApp, Adobe, and Chrome to hide their malicious package installers.’
  • [T1195] Supply Chain Compromise – The trojanized installers are actively distributed online to trick users and grow the botnet. ‘The installers are actively distributed online to trick users and increase the overall botnet infrastructure.’
  • [T1105] Ingress Tool Transfer – The second-stage payload to fetch is selected by a single character in the request the first-stage loader sends to the first-stage C&C server; that character is the last character of the module filename. ‘The second stage payload is added as the single character in the request … It is retrieved through the module filename’s last character.’
  • [T1055] Process Injection – The shellcode user-mode loader maps a PE module in memory and resolves the system API addresses it needs itself before executing the module, leaving few artifacts on disk. ‘Shellcode user-mode loader and anti-forensics methods’ and ‘loads a PE module in memory.’
  • [T1014] Rootkit – The auxiliary PE modules carry rootkit capabilities and are built to evade detection. ‘rootkit capabilities in the auxiliary PE modules’ and ‘a customized user-mode shellcode loader that leaves little traces for cybersecurity forensics.’
  • [T1553.002] Code Signing – The campaign signs its kernel drivers with revoked code-signing certificates so that they load in kernel mode. ‘The uses of revoked code signing certificates’ and ‘signed kernel drivers.’
  • [T1562.001] Impair Defenses: Disable Security Tools – The kernel-mode AV-killer rootkit includes a mini-filter killer that enumerates the registered mini-filter drivers and unregisters them, blinding file-system-based AV. ‘kill a mini-filter’ and ‘unregister the mini-filter driver’ to evade AV.

Indicators of Compromise

  • [IPv4 Address] 202.8.123.98 – first-stage C&C server hosting malicious archives and coordinating payloads.
  • [IPv4 Address] 194.146.84.245 – one of the first-stage servers hosting an old module for the MSI installer that loads the crypto miner.
  • [File Name] svchost.txt – contains all malicious PE modules to be dropped in the second stage.
  • [File Name] e1f3ac7f.moe – old MSI installer module referenced as part of the drop chain.
  • [Certificate] Hangzhou Hootian Network Technology Co., Ltd. – subject of a code-signing certificate linked to early Purple Fox activity.
  • [Certificate] Shanghai Oceanlink Software Technology Co. Ltd. – subject of a code-signing certificate linked to Purple Fox clusters.
  • [Certificate] Shanghai easy kradar Information Consulting Co. Ltd. – subject of a code-signing certificate whose use overlaps with the Hangzhou Hootian activity.

Read more: https://www.trendmicro.com/en_us/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal.html