C2 Communication Is Enabled via WebSockets in a Fresh PurpleFox Botnet Version

The PurpleFox botnet, well known as Dirty Moe, keeps developing more vulnerability exploits and payloads. The latest news on this botnet is that it now establishes C2 communication via WebSockets.

PurpleFox Botnet: New Version Out There


In their report, TrendMicro researchers tracked the payload that the PurpleFox botnet seems to use in its latest campaign. This payload is a long script with 3 components that allow for privilege escalation.

These target Windows systems (from 7 to 10), but only 64-bit ones.

The following vulnerabilities are the ones exploited by the PurpleFox botnet, as the researchers stated:

CVE-2020-1054, CVE-2019-0808

These are associated with Windows 7/Windows Server 2008.


This is associated with Windows 8/Windows Server 2012.


This is associated with Windows 10/Windows Server 2019.

The backdoor under discussion detects the host system, picks the correct exploit, and then loads it by means of the PowerSploit module.

An MSI package is launched from an admin-level process. This needs no user interaction; the package checks for old versions of PurpleFox and replaces them with new ones.


Read More: https://heimdalsecurity.com/blog/purplefox-botnet-new-version/