Key Takeaways
- Cyble Research and Intelligence Labs (CRIL) came across a Word document file that spreads via spam email, employing an infection method for disseminating PurpleFox malware.
- In this malspam campaign, a VBA macro is employed to fetch the initial stage PowerShell script payload.
- The initial stage PowerShell script functions as a downloader responsible for retrieving a PNG image that conceals hidden content using a form of steganography technique.
- A code extracted from the PNG image serves as a second-stage PowerShell script, also acting as a downloader. This script retrieves an MSI payload from a server, which is disguised as a JPG file.
- The MSI installer payload is the PurpleFox malware, which carries out malicious activities on the victim’s system.
Overview
On September 25th, CRIL encountered an intriguing Microsoft Word document named “Invoice-891920.docx” on VirusTotal. Subsequent investigation revealed that it employs a novel approach to deliver the malware known as “PurpleFox.”
PurpleFox, in operation since March 2018, is a formidable and malicious tool. It harnesses rootkit elements to elude detection by concealing registry keys and files on the compromised system. The core objective of PurpleFox is to disseminate additional malware onto the systems it manages to infiltrate.
During our further investigation, we came across a Twitter post by researcher @bomccss, in which they have confirmed a small number of Japanese emails containing malware attachments named as “ID-191304203986.docm.” This attachment serves as a means to propagate the PurpleFox malware with the same technique.
This technique begins with the initial stage of sending a spam email containing a Word file attachment. When the recipient opens the Word document, it initiates the download of another document file from a remote server. This file employs a VBA macro to fetch the first stage of PowerShell code. Subsequently, the PowerShell script is activated, fetching a PNG image containing concealed data through steganography.
Once the hidden content is extracted and decoded from the PNG image, it triggers the execution of a Second Stage PowerShell Script, which proceeds to download an MSI installer from a server that is disguised as a JPG file. This MSI installer file operates as a payload of the PurpleFox malware, as illustrated in the figure below.
Technical Analysis
The initial infection starts with a spam email that includes a Word attachment with filenames like the following:
- Invoice-891920.docx
- ID-231396590616.docm
- Invoice-475394.doc
The emails include an attached Word document file, which can be in formats such as .doc, .docx, or .docm, and it contains an embedded URL within the document. To access this content, users are required to open the document and click “Enable Content,” as depicted below.
Template Injection
After clicking the “Enable Content” button, the file “Invoice-891920.docx” proceeds to retrieve another document file named “update.dotm” from a URL and executes it. The URL is present in the XML file named “settings.xml.rels,” which is located in the directory “word_rels” within the extracted “Invoice-891920.docx” file.
The figure below shows the content of the “settings.xml.rels” file.
Inside the Microsoft Word document template file “update.dotm,” there is an embedded VBA macro content stored in a binary file named “vbaProject.bin,” as shown below.
When this macro content is executed successfully, it triggers the execution of a PowerShell script that runs a base64 encoded data. This encoded data is used to download a JPG file named “ace.jpg” from a remote server (shown below) and execute it.
- hxxp://black-sun-a335[.]asyorfplmnv[.]workers[.]dev/mnwODBptK6jU/zKJFnbnzeum8/37d4fddb6bf2de6611c6655a5cd37972fc33642d/ace[.]jpg
The following figure displays the macro content within the document file, which contains the PowerShell script with the “DownloadString” function after decoding.
The file named “ace.jpg” pretends to be a JPG image file, but in reality, it is a PowerShell script that contains a base64 encoded string. This encoded content functions as a downloader for the first stage of a PowerShell script, as shown in the figure below.
First Stage PowerShell Script (Steganography)
The purpose of the code present in the first stage PowerShell script is to perform some form of image processing and then execute a PowerShell script obtained from the processed image.
Upon execution, the first stage PowerShell script downloads a PNG image named “all.png” from the below URL and then processes the pixel data of that image. It manipulates the color information of each pixel and stores the results in an array. After processing the image, the script converts the processed data into a string using ASCII encoding. The converted string is then executed as a command using “invoke-expression.”
- hxxp://black-sun-a335[.]asyorfplmnv[.]workers[.]dev/mnwODBptK6jU/T2qomNwfFUeS/62f331959dde379b2536caed26a74ae8460c0c30/all[.]png
In this scenario, manipulating pixel data in a particular way to conceal information or a command within an image represents a type of steganography.
The highlighted code in the figure depicts a nested loop structure used for the purpose of processing each individual pixel within an image. This code processes each pixel of an image by extracting and combining specific bits from the blue and green color components and then storing the result in an array. Subsequently, the array is converted into a string, with the intention of invoking it for further operations.
The figure below displays an image named “all.png,” which conceals hidden information within it, representing the next stage of a PowerShell script.
Second Stage PowerShell Script
The image below displays the PowerShell script that has been extracted from the PNG image.
Upon execution of the second-stage PowerShell script, it performs the following actions:
- Disabling real-time monitoring in Windows Defender
- Creating an exclusion for the Windows directory
- Continuously attempts to download and install an MSI package from the following URL until it identifies a specific registry key and its associated value.
- hxxp://black-sun-a335[.]asyorfplmnv[.]workers[.]dev/mnwODBptK6jU/5hwtrLyyHFiv/7b0985c861986ec9e2087ade8273e544009d68e1/SsdxxIp8DqeQ[.]jpg
Within the PowerShell script, there is a C# code snippet enclosed between “@” and “@”. This snippet imports the “msi.dll” library and establishes two functions from it: MsiInstallProduct and MsiSetInternalUI. These functions are utilized to handle the installation of MSI packages and configure the internal user interface level.
Inside the script, there’s a loop that continues until it successfully fetches a registry value named “StayOnTop” with data “1” in the HKCUSoftware7-Zip registry key. This method is used to ascertain the successful execution of the payload. It repeatedly attempts to install the MSI package until it identifies this specific registry item.
The following image displays the content of the second-stage PowerShell script after it has been decoded from base64.
The file named “SsdxxIp8DqeQ.jpg” downloaded from the server is an MSI installer file disguised as a JPG file. It is dropped and executed in the location of “C:WindowsInstallerMSI7417.tmp” and has been identified as “PurpleFox” malware.
The figure below depicts the process tree of a PurpleFox deployment originating from a Microsoft Word document received via a spam email.
PurpleFox Malware
PurpleFox is a multifaceted malware downloader that specializes in propagating other malware files. It primarily infiltrates systems to distribute cryptocurrency mining software. Notably, it operates as a fileless rootkit and backdoor trojan. This malware strain was discovered in 2018 and has since played a role in various cyber campaigns, delivering ransomware, spyware, and cryptocurrency mining applications. Its primary targets are the Windows operating system, and it commandeers compromised devices to act as hosts for its operations.
After examining the MSI payload, it became apparent that it contains three packaged files that are set to be dropped upon execution, specifically “sysupdate.log”, “winupdate32.log,” and “winupdate64.log.” The figure below shows the files extracted from the MSI payload.
While execution, the MSI payload copies either “winupdate32.log” or “winupdate64.log” into the C:Windows directory, depending on whether the operating system is 32-bit or 64-bit. Despite their file extension being .log, both of these copied files are, in reality, 32-bit and 64-bit PE DLL files, respectively. These DLLs are specially packed with VMprotect to deter any attempts at debugging or analysis within virtual machine environments. Meanwhile, the third file, sysupdate.log, consistently drops in the Windows folder, irrespective of the OS version.
As part of the execution process, these DLL files undergo renaming and sideloading, enabling them to carry out the malicious activities orchestrated by PurpleFox. The figure below shows the process tree of the PurpleFox infection.
PurpleFox malware is a highly sophisticated and malicious strain known for its diverse capabilities. It spreads through exploit kits, exploiting Windows vulnerabilities, and can execute in a fileless manner, making it challenging to detect. Once a system is compromised, it becomes part of a botnet, enabling remote control for various malicious purposes, including data theft and Distributed Denial-of-Service (DDoS) attacks. Purple Fox exhibits polymorphic code, constantly changing its appearance to evade signature-based antivirus solutions. It employs anti-detection techniques, propagates within networks, establishes persistence, and, in some versions, even possesses rootkit-like capabilities.
Conclusion
Spam emails with document attachments continue to be a preferred tactic for threat actors, primarily due to their high success rate in reaching a broad range of potential targets while also bypassing initial security measures. In a current campaign, threat actors have adopted the use of spam emails that include Microsoft Word attachments as the starting point for their operations. The initial VBA macro, activated through these attachments, employs PowerShell to fetch what appears to be a harmless PNG image. However, this image actually conceals the subsequent PowerShell script in a hidden manner, employing steganography techniques to remain undetected.
This sophisticated strategy is designed to avoid detection, maintain persistence, and maximize their success in compromising systems and networks. Furthermore, the final phase involves the deployment of a PurpleFox malware payload. The administrators of the Purple Fox remain active and consistently enhance their collection of new malware while also improving the existing malware versions they possess. The utilization of these tactics highlights the complexity of contemporary cyber threats, underscoring the importance of robust cybersecurity protocols, user awareness, and pre-emptive defense strategies to protect against ever-changing attack methods.
Our Recommendations
- The initial compromise takes place through spam emails. As a result, it’s recommended to implement robust email filtering solutions to detect and thwart the distribution of malicious attachments.
- When handling email attachments, particularly those from unknown senders, exercising caution is crucial. Verify the sender’s identity, particularly if an email seems suspicious.
- To enhance protection against potential threats, configure your Office software to have macros disabled as the default setting, enabling them only for trusted documents.
- Enhancing security by enforcing policies and restrictions to prevent unauthorized PowerShell script execution.
- Keep the operating system, software, and applications up to date with the latest security patches and updates. Malware often targets known vulnerabilities.
- Deploy strong antivirus and anti-malware solutions to detect and remove malicious executables and scripts.
MITRE ATT&CK® Techniques
| Tactic | Technique | Procedure |
| Initial Access (TA0001) | Phishing (T1566.001) | This malware reaches users via spam emails. |
| Execution (TA0002) | Command and Scripting Interpreter: Visual Basic (T1059.005) | Document contains embedded VBA macros, which executes code when the document is opened. |
| Execution (TA0002) | Command and Scripting Interpreter: PowerShell (T1059.001) | PowerShell commands are used to download the next stage payload. |
| Persistence (TA0003) | Windows Service (T1543.003) | Uses sc.exe to modify the status of services. |
| Defense Evasion (TA0005) | Virtualization/Sandbox Evasion (T1497) | Performing Anti-VM/Anti-Debug technique for evasion. |
| Defense Evasion (TA0005) | Disable or Modify Tools (T1562.001) | The malware scans for VM and Debugger- related processes and terminates them. |
| Defense Evasion (TA0005) | Masquerading (T1036.008) | Download files with a non-matching file extension (content does not match to file extension). |
| Defense Evasion (TA0005) | Modify Registry (T1112) | Uses reg.exe to modify the Windows registry. |
| Defense Evasion (TA0005) | Template Injection (T1221) | The sample has suspicious references in Office document templates to conceal malicious code or force authentication attempts. |
| Defense Evasion (TA0005) | Services File Permissions Weakness (T1574.010) | Uses cacls to modify the permissions of files. |
| Discovery (TA0007) | Process Discovery (T1057) | Queries a list of all running processes. |
| Discovery (TA0007) | Query Registry (T1012) | The malware is examining the registry to extract system details. |
| Discovery (TA0007) | System Information Discovery (T1082) | The malware gathers system information through PowerShell, Command Prompt (cmd), and WMIC. |
| Discovery (TA0007) | Security Software Discovery (T1518.001) | May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory). |
| C&C (TA0011) | Application Layer Protocol (T1071) | The malware uses TCP to interact with the C&C server. |
| C&C (TA0011) | Ingress Tool Transfer (T1105) | The malware has the ability to download files from C&C |
Indicators of Compromise (IOCs)
| Indicators | Indicator Type | Description |
| 70e254f2a86e0a49bb319c2af0e1a2cb bd13ecc3f3410986996b3bc0998549875aa171d3 1ddc7091d5bbe8d2105be4c2341f941f04cdeaaea05b89b6ee1456843b90fb04 | MD5 SHA1 SHA256 | Invoice-891920.docx |
| 8c498f9e6dd65c5a9704208922224661 1dc2f872c2e23e1eb0c6090909c5807553ad1e75 38f581881093c044667d565a698aa389f14585a58d5c8b692dc2be851293f1c2 | MD5 SHA1 SHA256 | ID-231396590616.docm |
| a7c5adccfeb31331edd0351c7b5fdde9 a0fd6c29b81c629baa9c1311f177f715d6aee36f efe078fb3808c5b725d33df59da55aff0718534e31908280899c9859a0f2d1a8 | MD5 SHA1 SHA256 | Invoice-654931.doc |
| 405ddc04a06b883b12e1e152be599533 6c642417ba41c0c883c4f431de99513827d2858b d4e1cb27ce387ee1aedd8ebd69ec2f0a13e1d81bae6079061bd13f1a0a158026 | MD5 SHA1 SHA256 | update.dotm |
| def0a155618de548cc2902221d3890db db90e04683068fd16d5fbefbba4e7dd30adba306 540ba2c354ead0e80dd37fb41ae83f4ea98b52fcf2e124463b2a6d0d73bd2e05 | MD5 SHA1 SHA256 | ace.jpg |
| eb9a4cf233789b96f940be0186a26988 002a1cee740fa212732379d1f00dbcf7c0cccbf2 24d40ba4bf19e3cb942918eb8091ab467b11d5d737aef8e37cffc5306d0081d8 | MD5 SHA1 SHA256 | SsdxxIp8DqeQ.jpg (MSI file) – PurpleFox malware |
| black-sun-a335[.]asyorfplmnv[.]workers[.]dev | Domain | C&C |
| hxxp://black-sun-a335[.]asyorfplmnv[.]workers[.]dev/mnwODBptK6jU/zKJFnbnzeum8/67856eed42115b6af39ecf6bb3e66f6ed8c13287/update[.]dotm | URL | URL of Template injection |
| hxxp://black-sun-a335[.]asyorfplmnv[.]workers[.]dev/mnwODBptK6jU/zKJFnbnzeum8/37d4fddb6bf2de6611c6655a5cd37972fc33642d/ace[.]jpg | URL | 1st stage PowerShell script |
| hxxp://black-sun-a335[.]asyorfplmnv[.]workers[.]dev/mnwODBptK6jU/T2qomNwfFUeS/62f331959dde379b2536caed26a74ae8460c0c30/all[.]png | URL | PNG image contains 2nd stage PowerShell Script using steganography |
| hxxp://black-sun-a335[.]asyorfplmnv[.]workers[.]dev/mnwODBptK6jU/5hwtrLyyHFiv/7b0985c861986ec9e2087ade8273e544009d68e1/SsdxxIp8DqeQ[.]jpg | URL | PurpleFox payload, MSI file disguised as JPG |
References
Related
Source: https://cyble.com/blog/purplefox-resurfaces-via-spam-emails-a-look-into-its-recent-campaign/
Views: 0