Purple Fox EK Relies on Cloudflare for Stability
A year ago, we talked about Purple Fox malware being delivered by the Rig exploit kit. Malwarebytes later found evidence that it had its own delivery mechanism, and thus named it the Purple Fox exploit kit.
We recently found a spike in Purple Fox exploit kit activity in our telemetry, with improved delivery tactics. Some of the improvements:
- Use of a full HTTPS infrastructure with Cloudflare as the front end
- Fully encrypted landing page
- Disguised redirection
Once notified, Cloudflare took immediate action to place an interstitial page in front of these domains to disrupt communications. As a result, these particular parts of its infrastructure are no longer online.
The following image shows the Purple Fox EK traffic in the last thirty days before September 3:
The traffic reflects the number of accessed landing pages, not the number of unique domains.
Landing page in detail
Initially, the victim was redirected to the link https://{malicious domain}/?key=700D5E232DF5AA21. Figure 2 shows the full browser session:
The domain usually pointed to a Cloudflare front end reachable over HTTPS, so the exploit kit was delivered over HTTPS by default.
The content of the landing page was fully encrypted and obfuscated.
The section shown in Figure 4 contained references to external JavaScript (JS) libraries used to perform the decryption, together with the encrypted exploit content. The referenced libraries are popular, publicly available JS libraries that are widely used on many websites. This section also redirected the user to the Google search engine, behavior that had not been observed before.
The decryption flow is straightforward, as seen in Figure 5.
The landing page has a JScript.Encode section required for exploiting CVE-2019-1367, the vulnerability used in this case. This section first decrypts the Data1 variable and then executes the resulting content through eval().
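The landing-page traits described above (the `/?key=<16 hex digits>` URL shape from the browser session, external JS libraries used for decryption, a JScript.Encode block, eval() of a decrypted variable, and the final redirect to Google) lend themselves to simple defensive checks. The following is an added example, not code from the original post or from Trend Micro: it scans constructed proxy log lines for the landing-page URL pattern, correlates a hit with a follow-on request to www.google.com from the same client, and statically inspects a constructed page body for the JScript.Encode markers (`#@~^` ... `^#~@`, the fixed wrapper of Microsoft's script-encoding format) and the decrypt-then-eval pattern. The log format, the sample page and the scoring thresholds are assumptions for the example; the `action.taplowgroup.club` domain is taken from the post's IoC list.

```python
import re
from typing import Dict, List

# URL shape quoted in the post: https://{malicious domain}/?key=<16 hex digits>.
# All keys shown in the post are upper-case hex; loosen to [0-9a-fA-F] if variants appear.
KEY_URL_RE = re.compile(r"^https://[^/\s]+/\?key=[0-9A-F]{16}$")

# JScript.Encode output is bracketed by these fixed markers.
JSENC_START = "#@~^"
JSENC_END = "^#~@"

# eval() applied to a variable (i.e. decrypted data) rather than to a string literal.
EVAL_VAR_RE = re.compile(r"\beval\s*\(\s*([A-Za-z_$][\w$]*)\s*\)")
SCRIPT_SRC_RE = re.compile(r'<script[^>]*\ssrc=["\']([^"\']+)["\']', re.IGNORECASE)
GOOGLE_REDIRECT_RE = re.compile(r"url=https?://www\.google\.com", re.IGNORECASE)

# Constructed proxy log: "<iso-time> <client-ip> <method> <url> <status>".
SAMPLE_PROXY_LOG = [
    "2019-09-02T10:14:05Z 10.0.0.23 GET https://action.taplowgroup.club/?key=9387A593E49317F4 200",
    "2019-09-02T10:14:06Z 10.0.0.23 GET https://example.com/libs/crypto.min.js 200",
    "2019-09-02T10:14:09Z 10.0.0.23 GET https://www.google.com/ 200",
    "2019-09-02T10:15:30Z 10.0.0.41 GET https://example.com/?key=abc 200",
]

# Constructed stand-in for a landing page; the JScript.Encode body is a dummy
# marker pair, not real encoded script.
SAMPLE_PAGE = (
    '<html><head>'
    '<script src="https://example.com/libs/crypto.min.js"></script>'
    '<script language="JScript.Encode">#@~^AAAAAA==dummy==^#~@</script>'
    '<script>var Data1="...";var code=decrypt(Data1);eval(code);</script>'
    '<meta http-equiv="refresh" content="3;url=https://www.google.com/">'
    '</head><body></body></html>'
)


def find_ek_urls(log_lines: List[str]) -> List[Dict[str, str]]:
    """Return requests whose URL matches the Purple Fox landing-page pattern."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line: skip rather than crash
        when, client, _method, url, _status = fields[:5]
        if KEY_URL_RE.match(url):
            hits.append({"time": when, "client": client, "url": url})
    return hits


def followed_by_google(log_lines: List[str], window: int = 5) -> List[str]:
    """Clients that hit a landing-page URL and then requested www.google.com
    within the next `window` log lines (the post notes the page redirects
    the victim to Google after the exploit content runs)."""
    clients = []
    for i, line in enumerate(log_lines):
        fields = line.split()
        if len(fields) < 5 or not KEY_URL_RE.match(fields[3]):
            continue
        client = fields[1]
        for later in log_lines[i + 1:i + 1 + window]:
            lf = later.split()
            if len(lf) >= 5 and lf[1] == client and lf[3].startswith("https://www.google.com"):
                clients.append(client)
                break
    return clients


def inspect_landing_page(html: str) -> Dict[str, object]:
    """Static checks for the traits described in the post; scoring is an assumption."""
    has_jsenc = JSENC_START in html and JSENC_END in html
    eval_vars = EVAL_VAR_RE.findall(html)
    ext_scripts = SCRIPT_SRC_RE.findall(html)
    google_redirect = bool(GOOGLE_REDIRECT_RE.search(html))
    score = (2 if has_jsenc else 0) + (2 if eval_vars else 0) \
        + (1 if ext_scripts else 0) + (1 if google_redirect else 0)
    return {
        "jscript_encode": has_jsenc,
        "eval_of_variable": eval_vars,
        "external_scripts": ext_scripts,
        "google_redirect": google_redirect,
        "score": score,
        "suspicious": score >= 4,
    }


if __name__ == "__main__":
    print(find_ek_urls(SAMPLE_PROXY_LOG))
    print(followed_by_google(SAMPLE_PROXY_LOG))
    print(inspect_landing_page(SAMPLE_PAGE))
```

Because the kit sits behind Cloudflare over HTTPS, the URL checks only work where the proxy sees decrypted traffic (TLS inspection) or at least the SNI/host plus the request line; the page-body checks need the response body captured by a web gateway or sandbox. The `?key=` pattern alone is weak on its own, which is why the example corroborates it with the Google redirect and the page traits before raising an alert.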
Conclusion
Purple Fox is evolving into a modern exploit kit that delivers landing pages over HTTPS and reuses secure public cloud infrastructure. While encrypted landing pages are not new in exploit kits and the abuse of public clouds like Cloudflare is not uncommon, such pages allow exploit kits to bypass many existing protections.
Best Practices and Trend Micro solutions
Purple Fox exploits vulnerabilities with available patches, as seen in the sample we analyzed here. This highlights the significance of patching, especially for enterprises. We recommend a defense-in-depth approach to securing online infrastructures. Here are some best practices that users and organizations can adopt:
- Enforce the principle of least privilege by restricting and securing the use of tools reserved for system administrators.
- Regularly patch and update (or employ virtual patching for legacy or embedded systems or software).
- Deploy mechanisms that provide additional layers of security, such as behavior monitoring, which stops malware-related routines from executing on the system; sandboxes, which can quarantine malicious files and further analyze suspicious behavior; and firewalls and intrusion prevention and detection systems, which can deter incursions or flag data exfiltration attempts.
- Cultivate cybersecurity awareness at home and in the workplace, especially against email-borne threats that fileless threats could use as attack vectors or entry points.
Trend Micro endpoint solutions such as the Smart Protection Suites and Worry-Free Business Security solutions, which have behavior monitoring capabilities, can protect users and businesses from these types of threats by detecting malicious files, scripts, and messages as well as blocking all related malicious URLs. Trend Micro Apex One™ protection employs a variety of threat detection capabilities, notably behavioral analysis, which protect against malicious scripts, injection, ransomware, memory, and browser attacks related to fileless threats.
Indicators of Compromise
| SHA256 | Trend Micro Detection |
| --- | --- |
| C0969831BB6020565A706F836A1FC303DD8874CB42C7792CD931B77C3FF49B6D | Trojan.JS.CVE20191367.C |
Malicious URLs
- hxxps://action.taplowgroup.club/?key=9387A593E49317F4
- hxxps://grgatm.xyz/?key=B07A0B81A81AA904