PurpleFox Resurfaces Via Spam Emails:  A Look Into Its Recent Campaign – Cyble

Key Takeaways

  • Cyble Research and Intelligence Labs (CRIL) came across a Word document file that spreads via spam email, employing an infection method for disseminating PurpleFox malware.
  • In this malspam campaign, a VBA macro is employed to fetch the initial stage PowerShell script payload.
  • The initial stage PowerShell script functions as a downloader responsible for retrieving a PNG image that conceals hidden content using a form of steganography technique.
  • A code extracted from the PNG image serves as a second-stage PowerShell script, also acting as a downloader. This script retrieves an MSI payload from a server, which is disguised as a JPG file.
  • The MSI installer payload is the PurpleFox malware, which carries out malicious activities on the victim’s system.

Overview

On September 25th, CRIL encountered an intriguing Microsoft Word document named “Invoice-891920.docx” on VirusTotal. Subsequent investigation revealed that it employs a novel approach to deliver the malware known as “PurpleFox.”

PurpleFox, in operation since March 2018, is a formidable and malicious tool. It harnesses rootkit elements to elude detection by concealing registry keys and files on the compromised system. The core objective of PurpleFox is to disseminate additional malware onto the systems it manages to infiltrate.

During our further investigation, we came across a Twitter post by researcher @bomccss, in which they confirmed a small number of Japanese emails containing malware attachments named “ID-191304203986.docm.” This attachment propagates the PurpleFox malware with the same technique.

Figure 1 – Twitter post of PurpleFox campaign

The chain begins with a spam email carrying a Word file attachment. When the recipient opens the Word document, it downloads another document file from a remote server. That file uses a VBA macro to fetch the first stage of PowerShell code. The PowerShell script then runs and fetches a PNG image in which further data has been concealed through steganography.

Once the hidden content is extracted and decoded from the PNG image, it triggers the execution of a Second Stage PowerShell Script, which proceeds to download an MSI installer from a server that is disguised as a JPG file. This MSI installer file operates as a payload of the PurpleFox malware, as illustrated in the figure below.

Figure 2 – PurpleFox infection chain

Technical Analysis

The initial infection starts with a spam email that includes a Word attachment with filenames like the following:

  • Invoice-891920.docx
  • ID-231396590616.docm
  • Invoice-475394.doc

The emails include an attached Word document file, which can be in formats such as .doc, .docx, or .docm, and it contains an embedded URL within the document. To access this content, users are required to open the document and click “Enable Content,” as depicted below.

Figure 3 – Malicious Word attachment
Figure 4 – Malicious Word attachment

Template Injection

After clicking the “Enable Content” button, the file “Invoice-891920.docx” retrieves another document file named “update.dotm” from a URL and executes it. The URL is present in the XML file named “settings.xml.rels,” which is located in the directory “word\_rels” within the extracted “Invoice-891920.docx” file.

The figure below shows the content of the “settings.xml.rels” file.

Figure 5 – Embedded .dotm file download link in settings.xml.rels
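The relationship file described above is the artefact a defender can check before a document is ever opened: a .docx is a ZIP package, and a remote template shows up as a relationship in word/_rels/settings.xml.rels whose target leaves the package. The following Python is an added example (not Cyble's tooling and not the campaign's code) that opens a package in memory and lists such relationships. The package it builds for demonstration is constructed, as is the placeholder host template-host.invalid; the real sample's URL is listed in the IOC section.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def find_external_templates(docx_bytes):
    """Return every relationship in word/_rels/settings.xml.rels that resolves
    outside the package: TargetMode="External", or a URL / UNC target."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if SETTINGS_RELS not in zf.namelist():
            return findings          # no settings relationships at all
        root = ET.fromstring(zf.read(SETTINGS_RELS))
    for rel in root.iter("{%s}Relationship" % RELS_NS):
        target = rel.get("Target", "")
        remote = target.lower().startswith(("http://", "https://", "\\\\"))
        external = rel.get("TargetMode", "").lower() == "external" or remote
        if external:
            findings.append({
                "id": rel.get("Id"),
                "target": target,
                "remote": remote,                      # http(s)/UNC, the high-priority case
                "attached_template": rel.get("Type") == ATTACHED_TEMPLATE,
            })
    return findings


def build_sample_docx(template_target, external=True):
    """Constructed minimal OOXML package for the check above (not the real Invoice-891920.docx)."""
    mode = ' TargetMode="External"' if external else ""
    rels = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            '<Relationships xmlns="%s">'
            '<Relationship Id="rId1" Type="%s" Target="%s"%s/>'
            '</Relationships>') % (RELS_NS, ATTACHED_TEMPLATE, template_target, mode)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/settings.xml", "<settings/>")
        zf.writestr(SETTINGS_RELS, rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder host, constructed for the demo.
    suspicious = build_sample_docx("http://template-host.invalid/update.dotm")
    for hit in find_external_templates(suspicious):
        print("external template relationship:", hit)
    print("benign local template:", find_external_templates(build_sample_docx("Normal.dotm", external=False)))
```

Legitimate documents often carry an attachedTemplate relationship to a local file:// path with TargetMode="External", so the remote flag (http, https or a UNC path) is the one worth alerting on; the plain external flag is context.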

Inside the Microsoft Word document template file “update.dotm,” there is an embedded VBA macro content stored in a binary file named “vbaProject.bin,” as shown below.

Figure 6 – Components of dotm file

When this macro content executes successfully, it launches a PowerShell script that runs base64-encoded data. This encoded data downloads a JPG file named “ace.jpg” from the remote server shown below and executes it.

  • hxxp://black-sun-a335[.]asyorfplmnv[.]workers[.]dev/mnwODBptK6jU/zKJFnbnzeum8/37d4fddb6bf2de6611c6655a5cd37972fc33642d/ace[.]jpg

The following figure displays the macro content within the document file, which contains the PowerShell script with the “DownloadString” function after decoding.

Figure 7 – VBA Macro code

The file named “ace.jpg” pretends to be a JPG image file, but in reality, it is a PowerShell script that contains a base64 encoded string. This encoded content functions as a downloader for the first stage of a PowerShell script, as shown in the figure below.

Figure 8 – First stage PowerShell script

First Stage PowerShell Script (Steganography)

The code in the first stage PowerShell script processes the pixels of an image and then executes the PowerShell script recovered from them.

Upon execution, the first stage PowerShell script downloads a PNG image named “all.png” from the below URL and then processes the pixel data of that image. It manipulates the color information of each pixel and stores the results in an array. After processing the image, the script converts the processed data into a string using ASCII encoding. The converted string is then executed as a command using “invoke-expression.”

  • hxxp://black-sun-a335[.]asyorfplmnv[.]workers[.]dev/mnwODBptK6jU/T2qomNwfFUeS/62f331959dde379b2536caed26a74ae8460c0c30/all[.]png

In this scenario, manipulating pixel data in a particular way to conceal information or a command within an image represents a type of steganography.

The highlighted code in the figure depicts a nested loop structure used for the purpose of processing each individual pixel within an image. This code processes each pixel of an image by extracting and combining specific bits from the blue and green color components and then storing the result in an array. Subsequently, the array is converted into a string, with the intention of invoking it for further operations.

Figure 9 – Code snippet used to extract script from PNG image

The figure below displays an image named “all.png,” which conceals hidden information within it, representing the next stage of a PowerShell script.

Figure 10 – PNG image with hidden content
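For an analyst who has the PNG in hand, the useful step is reproducing the pixel walk so the hidden script can be recovered and triaged offline rather than executed. The Python below is an added example, not the campaign's script and not Cyble's code. The page only states that bits from the blue and green components are combined; the exact bit layout used here is an assumption (the one the public Invoke-PSImage tool uses: the low four bits of blue form the high nibble of each byte and the low four bits of green the low nibble). The carrier pixels and the hidden text are constructed test data.

```python
# Assumed bit layout (see lead-in): one payload byte per pixel,
# high nibble in the low 4 bits of B, low nibble in the low 4 bits of G.
def extract_hidden_bytes(pixels):
    """pixels: iterable of (R, G, B) tuples in raster order."""
    out = bytearray()
    for _r, g, b in pixels:
        out.append(((b & 0x0F) << 4) | (g & 0x0F))
    return bytes(out)


def recover_script(pixels):
    """Recover the hidden text; assumes the payload is zero-padded to the image size."""
    raw = extract_hidden_bytes(pixels)
    payload = raw.split(b"\x00", 1)[0]
    return payload.decode("ascii", errors="replace")


# Tokens an analyst would expect in a PowerShell downloader stage.
PS_TOKENS = ("invoke-expression", "iex ", "downloadstring", "set-mppreference", "add-type", "$")


def looks_like_powershell(text):
    """Cheap plausibility check that the recovered bytes really are a script."""
    low = text.lower()
    return sum(tok in low for tok in PS_TOKENS) >= 2


def build_sample_pixels(payload, cover_len=64):
    """Constructed test carrier (not all.png): mid-grey pixels whose low nibbles hold the payload."""
    padded = payload.ljust(cover_len, b"\x00")
    return [(0x80, 0x80 | (byte & 0x0F), 0x80 | (byte >> 4)) for byte in padded]


if __name__ == "__main__":
    hidden = b"$x = 'hidden'; Invoke-Expression \"Write-Output $x\""   # harmless constructed text
    carrier = build_sample_pixels(hidden)
    script = recover_script(carrier)
    print("recovered:", script)
    print("looks like PowerShell:", looks_like_powershell(script))
    print("clean image:", looks_like_powershell(recover_script([(10, 20, 30)] * 40)))
```

With Pillow installed, `list(Image.open(path).convert("RGB").getdata())` yields exactly the pixel list these functions expect, so the same code runs over a real carrier once the assumed nibble layout has been confirmed against the loop in the first-stage script.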

Second Stage PowerShell Script

The image below displays the PowerShell script that has been extracted from the PNG image.

Figure 11 – Extracted PowerShell from PNG image

Upon execution, the second-stage PowerShell script performs the following actions:

  • Disables real-time monitoring in Windows Defender
  • Creates an exclusion for the Windows directory
  • Continuously attempts to download and install an MSI package from the following URL until it identifies a specific registry key and its associated value:
    • hxxp://black-sun-a335[.]asyorfplmnv[.]workers[.]dev/mnwODBptK6jU/5hwtrLyyHFiv/7b0985c861986ec9e2087ade8273e544009d68e1/SsdxxIp8DqeQ[.]jpg

Within the PowerShell script, there is a C# code snippet enclosed in a here-string (between @" and "@). This snippet imports the “msi.dll” library and declares two functions from it: MsiInstallProduct and MsiSetInternalUI. These functions install the MSI package and set the installer’s internal user-interface level.

Inside the script, there is a loop that continues until it successfully reads a registry value named “StayOnTop” with data “1” under the HKCU\Software\7-Zip registry key. This check is used to confirm that the payload executed successfully: the script repeatedly attempts to install the MSI package until it finds this specific registry item.

The following image displays the content of the second-stage PowerShell script after it has been decoded from base64.

Figure 12 – Decoded base64 data of second stage PowerShell script
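Each behaviour of the second-stage script listed above (Defender real-time monitoring switched off, an exclusion on the Windows directory, msi.dll imported through Add-Type, and a poll of HKCU\Software\7-Zip\StayOnTop) leaves text in PowerShell script block logging (Event ID 4104). The Python below is an added detection example, not Cyble's or the campaign's code: it runs one regex per behaviour over constructed ScriptBlockText records and flags a block only when several behaviours co-occur, which keeps a lone administrative Set-MpPreference from alerting. The workers.dev rule is specific to this campaign's hosting and is listed separately from the technique-level rules; the sample script blocks and the placeholder-tenant host are constructed.

```python
import re

# One regex per behaviour described for the second-stage script.
RULES = {
    "defender_realtime_off": re.compile(
        r"Set-MpPreference\b[^\n]*-DisableRealtimeMonitoring\s+\$?true", re.I),
    "defender_exclusion_windows_dir": re.compile(
        r"Add-MpPreference\b[^\n]*-ExclusionPath\s+['\"]?[A-Za-z]:\\Windows", re.I),
    "msi_dll_pinvoke": re.compile(r"DllImport\(\s*['\"]msi\.dll['\"]", re.I),
    "msi_install_api": re.compile(r"\bMsiInstallProduct\b|\bMsiSetInternalUI\b", re.I),
    "install_success_marker": re.compile(r"7-Zip[^\n]*StayOnTop", re.I),
    # Campaign-specific hosting indicator; expect to retire it sooner than the others.
    "jpg_from_workers_dev": re.compile(r"https?://[^\s'\"]*workers\.dev/[^\s'\"]*\.jpg", re.I),
}


def score_script_block(text):
    """Names of every rule that fires on one ScriptBlockText, sorted for stable output."""
    return sorted(name for name, rx in RULES.items() if rx.search(text))


def is_suspicious(text, threshold=2):
    """Alert only when at least `threshold` independent behaviours co-occur in one block."""
    return len(score_script_block(text)) >= threshold


def scan_events(events, threshold=2):
    """Run the rules over {'id': ..., 'ScriptBlockText': ...} records; return (id, hits) for alerts."""
    return [(ev["id"], score_script_block(ev["ScriptBlockText"]))
            for ev in events if is_suspicious(ev["ScriptBlockText"], threshold)]


# Constructed script-block texts in the shape of Event ID 4104 ScriptBlockText (not the real sample).
SAMPLE_EVENTS = [
    {"id": "evt-1", "ScriptBlockText": r"""
Set-MpPreference -DisableRealtimeMonitoring $true
Add-MpPreference -ExclusionPath 'C:\Windows'
$src = @"
using System.Runtime.InteropServices;
public class Msi {
  [DllImport("msi.dll", CharSet = CharSet.Unicode)] public static extern uint MsiInstallProduct(string p, string c);
  [DllImport("msi.dll")] public static extern int MsiSetInternalUI(int l, System.IntPtr w);
}
"@
Add-Type -TypeDefinition $src
$pkg = 'http://placeholder-tenant.workers.dev/constructed/path/payload.jpg'
while ((Get-ItemProperty 'HKCU:\Software\7-Zip' -Name StayOnTop -ErrorAction SilentlyContinue).StayOnTop -ne 1) {
  Start-Sleep -Seconds 30
}
"""},
    # Ordinary administration: reads settings, excludes a build directory. Must not alert.
    {"id": "evt-2", "ScriptBlockText": r"""
Get-MpPreference | Select-Object DisableRealtimeMonitoring, ExclusionPath
Add-MpPreference -ExclusionPath 'D:\BuildAgent\work'
"""},
    # A single risky cmdlet on its own: logged as one hit, below the alert threshold.
    {"id": "evt-3", "ScriptBlockText": r"""
Set-MpPreference -DisableRealtimeMonitoring $true
"""},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["id"], score_script_block(ev["ScriptBlockText"]))
    print("alerts:", scan_events(SAMPLE_EVENTS))
```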

The file named “SsdxxIp8DqeQ.jpg” downloaded from the server is an MSI installer file disguised as a JPG file. It is dropped and executed at “C:\Windows\Installer\MSI7417.tmp” and has been identified as “PurpleFox” malware.

The figure below depicts the process tree of a PurpleFox deployment originating from a Microsoft Word document received via a spam email.

Figure 13 – Process tree of PurpleFox deployment

PurpleFox Malware

PurpleFox is a multifaceted malware downloader that specializes in propagating other malware files. It primarily infiltrates systems to distribute cryptocurrency mining software. Notably, it operates as a fileless rootkit and backdoor trojan. This malware strain was discovered in 2018 and has since played a role in various cyber campaigns, delivering ransomware, spyware, and cryptocurrency mining applications. Its primary target is the Windows operating system, and it commandeers compromised devices to act as hosts for its operations.

After examining the MSI payload, it became apparent that it contains three packaged files that are set to be dropped upon execution, specifically “sysupdate.log”, “winupdate32.log,” and “winupdate64.log.” The figure below shows the files extracted from the MSI payload.

Figure 14 – Files inside the MSI installer

During execution, the MSI payload copies either “winupdate32.log” or “winupdate64.log” into the C:\Windows directory, depending on whether the operating system is 32-bit or 64-bit. Despite their .log extension, both copied files are in reality PE DLL files, 32-bit and 64-bit respectively. These DLLs are packed with VMProtect to deter debugging or analysis within virtual machine environments. Meanwhile, the third file, sysupdate.log, is always dropped in the Windows folder, irrespective of the OS version.

As part of the execution process, these DLL files undergo renaming and sideloading, enabling them to carry out the malicious activities orchestrated by PurpleFox. The figure below shows the process tree of the PurpleFox infection.

Figure 15 – Process tree of PurpleFox malware
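Three files in this chain lie about their type: ace.jpg is a PowerShell script, SsdxxIp8DqeQ.jpg is an MSI installer, and winupdate32.log / winupdate64.log are PE DLLs (Masquerading, T1036.008 in the table below). A content-versus-extension check catches all three with a few header signatures. The Python below is an added example, not Cyble's or the project's code: it classifies bytes by magic number, falls back to a printable-text heuristic, and reports files whose extension does not match. The sample file contents are constructed (a few header bytes plus padding, and a harmless one-line script); only the file names come from this article.

```python
import os

# Header signatures of the container formats that appear in this chain.
MAGIC = (
    ("pe", b"MZ"),
    ("ole", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),   # OLE compound file: MSI, legacy .doc
    ("png", b"\x89PNG\r\n\x1a\n"),
    ("jpeg", b"\xff\xd8\xff"),
    ("zip", b"PK\x03\x04"),                          # OOXML: .docx / .docm / .dotm
)

# Which detected kinds are legitimate for which extension.
EXPECTED = {
    ".exe": {"pe"}, ".dll": {"pe"}, ".msi": {"ole"}, ".doc": {"ole"},
    ".jpg": {"jpeg"}, ".jpeg": {"jpeg"}, ".png": {"png"},
    ".docx": {"zip"}, ".docm": {"zip"}, ".dotm": {"zip"},
    ".log": {"text"}, ".txt": {"text"}, ".ps1": {"text"},
}

PS_MARKERS = ("invoke-expression", "iex", "frombase64string", "downloadstring", "$")


def classify(data):
    """Identify content by header bytes, falling back to a printable-text heuristic."""
    for kind, sig in MAGIC:
        if data.startswith(sig):
            return kind
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return "binary"
    if text and all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        low = text.lower()
        return "powershell" if sum(m in low for m in PS_MARKERS) >= 2 else "text"
    return "binary"


def check_file(name, data):
    """Compare what the extension promises with what the bytes actually are."""
    ext = os.path.splitext(name)[1].lower()
    kind = classify(data)
    allowed = EXPECTED.get(ext)
    ok = (allowed is None                       # unknown extension: nothing to compare against
          or kind in allowed
          or (kind == "powershell" and "text" in allowed))
    return {"name": name, "ext": ext, "detected": kind, "mismatch": not ok}


def find_masquerades(samples):
    """Names of the files whose content does not match their extension, in input order."""
    return [r["name"] for r in (check_file(n, d) for n, d in samples.items()) if r["mismatch"]]


# Constructed stand-ins for the dropped files: headers plus padding, not the real samples.
SAMPLES = {
    "ace.jpg": b"$s = 'constructed sample'; Invoke-Expression \"Write-Output $s\"\n",
    "SsdxxIp8DqeQ.jpg": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 504,
    "winupdate64.log": b"MZ\x90\x00\x03\x00" + b"\x00" * 58,
    "all.png": b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR",
    "sysupdate.log": b"2023-09-25 10:00:00 update check ok\n",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(check_file(name, data))
    print("masquerading:", find_masquerades(SAMPLES))
```

The same check is worth running on the download stage itself: a web proxy that sees a Content-Type of image/jpeg but a body starting with an OLE or PE header has already seen enough to block the transfer.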

PurpleFox malware is a highly sophisticated and malicious strain known for its diverse capabilities. It spreads through exploit kits, exploiting Windows vulnerabilities, and can execute in a fileless manner, making it challenging to detect. Once a system is compromised, it becomes part of a botnet, enabling remote control for various malicious purposes, including data theft and Distributed Denial-of-Service (DDoS) attacks. Purple Fox exhibits polymorphic code, constantly changing its appearance to evade signature-based antivirus solutions. It employs anti-detection techniques, propagates within networks, establishes persistence, and, in some versions, even possesses rootkit-like capabilities.

Conclusion

Spam emails with document attachments continue to be a preferred tactic for threat actors, primarily due to their high success rate in reaching a broad range of potential targets while also bypassing initial security measures. In the current campaign, threat actors use spam emails with Microsoft Word attachments as the starting point for their operations. The initial VBA macro, activated through these attachments, employs PowerShell to fetch what appears to be a harmless PNG image. That image actually conceals the subsequent PowerShell script using steganography in order to remain undetected.

This sophisticated strategy is designed to avoid detection, maintain persistence, and maximize their success in compromising systems and networks. Furthermore, the final phase involves the deployment of a PurpleFox malware payload. The administrators of the Purple Fox remain active and consistently enhance their collection of new malware while also improving the existing malware versions they possess. The utilization of these tactics highlights the complexity of contemporary cyber threats, underscoring the importance of robust cybersecurity protocols, user awareness, and pre-emptive defense strategies to protect against ever-changing attack methods.

Our Recommendations

  • The initial compromise takes place through spam emails. As a result, it’s recommended to implement robust email filtering solutions to detect and thwart the distribution of malicious attachments.
  • When handling email attachments, particularly those from unknown senders, exercising caution is crucial. Verify the sender’s identity, particularly if an email seems suspicious.
  • To enhance protection against potential threats, configure your Office software to have macros disabled as the default setting, enabling them only for trusted documents.
  • Enforce policies and restrictions that prevent unauthorized PowerShell script execution.
  • Keep the operating system, software, and applications up to date with the latest security patches and updates. Malware often targets known vulnerabilities.
  • Deploy strong antivirus and anti-malware solutions to detect and remove malicious executables and scripts.

MITRE ATT&CK® Techniques

Tactic | Technique | Procedure
Initial Access (TA0001) | Phishing (T1566.001) | This malware reaches users via spam emails.
Execution (TA0002) | Command and Scripting Interpreter: Visual Basic (T1059.005) | Document contains embedded VBA macros, which execute code when the document is opened.
Execution (TA0002) | Command and Scripting Interpreter: PowerShell (T1059.001) | PowerShell commands are used to download the next stage payload.
Persistence (TA0003) | Windows Service (T1543.003) | Uses sc.exe to modify the status of services.
Defense Evasion (TA0005) | Virtualization/Sandbox Evasion (T1497) | Performs Anti-VM/Anti-Debug techniques for evasion.
Defense Evasion (TA0005) | Disable or Modify Tools (T1562.001) | The malware scans for VM and debugger-related processes and terminates them.
Defense Evasion (TA0005) | Masquerading (T1036.008) | Downloads files with a non-matching file extension (content does not match the file extension).
Defense Evasion (TA0005) | Modify Registry (T1112) | Uses reg.exe to modify the Windows registry.
Defense Evasion (TA0005) | Template Injection (T1221) | The sample has suspicious references in Office document templates to conceal malicious code or force authentication attempts.
Defense Evasion (TA0005) | Services File Permissions Weakness (T1574.010) | Uses cacls to modify the permissions of files.
Discovery (TA0007) | Process Discovery (T1057) | Queries a list of all running processes.
Discovery (TA0007) | Query Registry (T1012) | The malware examines the registry to extract system details.
Discovery (TA0007) | System Information Discovery (T1082) | The malware gathers system information through PowerShell, Command Prompt (cmd), and WMIC.
Discovery (TA0007) | Security Software Discovery (T1518.001) | May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory).
C&C (TA0011) | Application Layer Protocol (T1071) | The malware uses TCP to interact with the C&C server.
C&C (TA0011) | Ingress Tool Transfer (T1105) | The malware has the ability to download files from the C&C server.

Indicators of Compromise (IOCs)

Indicators | Indicator Type | Description
70e254f2a86e0a49bb319c2af0e1a2cb | MD5 | Invoice-891920.docx
bd13ecc3f3410986996b3bc0998549875aa171d3 | SHA1 | Invoice-891920.docx
1ddc7091d5bbe8d2105be4c2341f941f04cdeaaea05b89b6ee1456843b90fb04 | SHA256 | Invoice-891920.docx
8c498f9e6dd65c5a9704208922224661 | MD5 | ID-231396590616.docm
1dc2f872c2e23e1eb0c6090909c5807553ad1e75 | SHA1 | ID-231396590616.docm
38f581881093c044667d565a698aa389f14585a58d5c8b692dc2be851293f1c2 | SHA256 | ID-231396590616.docm
a7c5adccfeb31331edd0351c7b5fdde9 | MD5 | Invoice-654931.doc
a0fd6c29b81c629baa9c1311f177f715d6aee36f | SHA1 | Invoice-654931.doc
efe078fb3808c5b725d33df59da55aff0718534e31908280899c9859a0f2d1a8 | SHA256 | Invoice-654931.doc
405ddc04a06b883b12e1e152be599533 | MD5 | update.dotm
6c642417ba41c0c883c4f431de99513827d2858b | SHA1 | update.dotm
d4e1cb27ce387ee1aedd8ebd69ec2f0a13e1d81bae6079061bd13f1a0a158026 | SHA256 | update.dotm
def0a155618de548cc2902221d3890db | MD5 | ace.jpg
db90e04683068fd16d5fbefbba4e7dd30adba306 | SHA1 | ace.jpg
540ba2c354ead0e80dd37fb41ae83f4ea98b52fcf2e124463b2a6d0d73bd2e05 | SHA256 | ace.jpg
eb9a4cf233789b96f940be0186a26988 | MD5 | SsdxxIp8DqeQ.jpg (MSI file) – PurpleFox malware
002a1cee740fa212732379d1f00dbcf7c0cccbf2 | SHA1 | SsdxxIp8DqeQ.jpg (MSI file) – PurpleFox malware
24d40ba4bf19e3cb942918eb8091ab467b11d5d737aef8e37cffc5306d0081d8 | SHA256 | SsdxxIp8DqeQ.jpg (MSI file) – PurpleFox malware
black-sun-a335[.]asyorfplmnv[.]workers[.]dev | Domain | C&C
hxxp://black-sun-a335[.]asyorfplmnv[.]workers[.]dev/mnwODBptK6jU/zKJFnbnzeum8/67856eed42115b6af39ecf6bb3e66f6ed8c13287/update[.]dotm | URL | URL of template injection
hxxp://black-sun-a335[.]asyorfplmnv[.]workers[.]dev/mnwODBptK6jU/zKJFnbnzeum8/37d4fddb6bf2de6611c6655a5cd37972fc33642d/ace[.]jpg | URL | 1st stage PowerShell script
hxxp://black-sun-a335[.]asyorfplmnv[.]workers[.]dev/mnwODBptK6jU/T2qomNwfFUeS/62f331959dde379b2536caed26a74ae8460c0c30/all[.]png | URL | PNG image containing the 2nd stage PowerShell script (steganography)
hxxp://black-sun-a335[.]asyorfplmnv[.]workers[.]dev/mnwODBptK6jU/5hwtrLyyHFiv/7b0985c861986ec9e2087ade8273e544009d68e1/SsdxxIp8DqeQ[.]jpg | URL | PurpleFox payload, MSI file disguised as JPG

References

Source: https://cyble.com/blog/purplefox-resurfaces-via-spam-emails-a-look-into-its-recent-campaign/