
PurpleFox Botnet Targeting Entities in Ukraine

Written by The Hivemind | Feb 16, 2024 4:44:26 PM

Executive Summary

The PurpleFox botnet was recently observed targeting unspecified entities in Ukraine. In this campaign, the threat actors used MSI installers to deploy PurpleFox.

Key Takeaways

  • PurpleFox, also known as DirtyMoe, Perkiler, and NuggetPhantom, is a botnet that was recently observed targeting entities in Ukraine.
  • PurpleFox is a fileless rootkit and backdoor trojan and can be used to download second stage payloads.
  • The Windows botnet has been active since at least late 2017 and surpassed 100,000 infected systems in 2021. 
  • In the recent campaign, the threat actors used MSI installers to deploy PurpleFox. 

What is PurpleFox?

PurpleFox, also known as DirtyMoe, Perkiler, and NuggetPhantom, is a botnet that was recently observed targeting unspecified entities in Ukraine. CERT-UA reported on this activity and Security Affairs provided an English language synopsis of the report. The name PurpleFox refers to three things: the modular malware, which includes a rootkit and a backdoor; the exploit kit that delivers that malware; and the botnet made up of machines compromised by it.

The PurpleFox Windows botnet has been active since at least late 2017 and surpassed 100,000 infected systems in 2021. While the botnet was primarily used for mining cryptocurrency in the past, it has also been leveraged for DDoS attacks.

PurpleFox is a fileless rootkit and backdoor trojan and can be used to download second stage payloads. The rootkit is a key component of PurpleFox. It is typically delivered via malspam or via malicious sites that exploit an Internet Explorer vulnerability.

In the past, the rootkit has been observed leveraging CVE-2020-0674, a scripting engine memory corruption vulnerability in Internet Explorer. In late 2020, the threat actors behind PurpleFox added a worm module to the malware. PurpleFox was previously delivered via RIG EK, but in recent years has used its own exploit kit.

In the recent campaign, the threat actors used MSI installers to deploy PurpleFox. In late January 2024, CERT-UA observed 486 IP addresses associated with the botnet’s intermediary control servers. About 20 new compromised systems have been added daily since then.

While PurpleFox has not been attributed to a particular threat actor or group, Proofpoint researchers previously noted that the activity appears to be of Chinese origin.

IOCs

PolySwarm has multiple samples of PurpleFox.


43eef76fa966395bde56b4e3812831ca75ad010e3b8216103358deb09bdc14d1
3eea47b22bc68089440a40b3f899665e3584c845d8c302872e1d93b62fa59fab
6dc323456042048bdd0260c87e0deea082c855c53b6f948dbb5be27a3d721ded
c4c6f2c4452a540b2c69dc6164887d6014f6ab02d203bb56753c89863e840e46
aaba7db353eb9400e3471eaaa1cf0105f6d1fab0ce63f1a2665c8ba0e8963a05
f957af223174a135b23c48e40a4de50494737f3d6e10e193510446e27ebb7595
b3b5fff57040c801a4392da2af83f4bf6200c575aa4a64ab9a135b58aa516080
eb29edd6211836e6d1877a1658e648beb749091ce7d459dbd82dc57c84bc52b1
937e0068356e42654c9ab76cc34cf74dfa4c17b29e9439ebaa15d587757b14b0


You can use the following CLI command to search for all PurpleFox samples in our portal:

$ polyswarm link list -f PurpleFox
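The portal search above finds samples PolySwarm already holds. For the complementary check on your own hosts, here is an added example (not PolySwarm's tooling and not part of the original post) that hashes files on disk and compares them against the SHA-256 IOCs listed above. The IOC list is copied from this post; the directory layout, the default extension filter (.msi/.exe/.dll, chosen because this campaign delivered PurpleFox as MSI packages), and the benign placeholder file used in the demo are assumptions for illustration.

```python
"""Offline IOC check: hash files on disk against the PurpleFox SHA-256 list.

Added example, not PolySwarm code. The hash list is copied from this post;
everything else (paths, extension filter, demo file) is an assumption.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Iterable, Optional

# SHA-256 hashes of PurpleFox samples, as listed in this post.
PURPLEFOX_SHA256 = frozenset({
    "43eef76fa966395bde56b4e3812831ca75ad010e3b8216103358deb09bdc14d1",
    "3eea47b22bc68089440a40b3f899665e3584c845d8c302872e1d93b62fa59fab",
    "6dc323456042048bdd0260c87e0deea082c855c53b6f948dbb5be27a3d721ded",
    "c4c6f2c4452a540b2c69dc6164887d6014f6ab02d203bb56753c89863e840e46",
    "aaba7db353eb9400e3471eaaa1cf0105f6d1fab0ce63f1a2665c8ba0e8963a05",
    "f957af223174a135b23c48e40a4de50494737f3d6e10e193510446e27ebb7595",
    "b3b5fff57040c801a4392da2af83f4bf6200c575aa4a64ab9a135b58aa516080",
    "eb29edd6211836e6d1877a1658e648beb749091ce7d459dbd82dc57c84bc52b1",
    "937e0068356e42654c9ab76cc34cf74dfa4c17b29e9439ebaa15d587757b14b0",
})

# Assumed default: the campaign used MSI installers, so these are the
# extensions worth hashing first. Pass suffixes=None to hash every file.
DEFAULT_SUFFIXES = (".msi", ".exe", ".dll")


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an in-memory blob, lower-case hex."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large packages need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def is_known_purplefox(digest: str) -> bool:
    """True if the digest (any case, surrounding whitespace tolerated) is an IOC."""
    return digest.strip().lower() in PURPLEFOX_SHA256


def scan_directory(root: Path,
                   suffixes: Optional[Iterable[str]] = DEFAULT_SUFFIXES) -> list:
    """Return [(path, sha256)] for every file under root whose hash is on the IOC list."""
    wanted = None if suffixes is None else {s.lower() for s in suffixes}
    hits = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if wanted is not None and path.suffix.lower() not in wanted:
            continue
        try:
            digest = sha256_of_file(path)
        except OSError:
            continue  # unreadable or vanished file: skip, do not abort the scan
        if is_known_purplefox(digest):
            hits.append((path, digest))
    return hits


def demo() -> list:
    """Scan a throwaway directory holding one constructed, benign .msi-named file.

    The content is a placeholder string, not a real MSI, so no hit is expected.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "installer.msi").write_bytes(b"constructed benign placeholder, not a real MSI")
        (root / "notes.txt").write_bytes(b"skipped by the extension filter")
        return scan_directory(root)


if __name__ == "__main__":
    import sys
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    for hit_path, hit_digest in scan_directory(target):
        print(f"MATCH {hit_digest}  {hit_path}")
    print("scan complete")
```

Run it as `python purplefox_ioc_scan.py C:\path\to\downloads` (file name assumed). A hash match is strong evidence but a miss is not a clean bill of health: the list covers only the samples PolySwarm holds, and a repacked MSI hashes differently, so treat this as a quick triage step before deeper analysis.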

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.