The Purple Fox rootkit has been an active and capable threat since March 2018, when it was first documented as an exploit kit. The malware behaves as a wormable binary, evades defenses by impersonating legitimate software, and can remain hidden for long periods thanks to its rootkit capabilities.
Purple Fox relies on social engineering, such as phishing and spear-phishing, to reach its victims, and then widens its footprint with the newly implemented wormable capability. Although few changes were observed compared with known variants, this wave also impersonates and drops legitimate software as a means of evading detection. The practice is not new: popular banking trojans such as Javali and URSA have used the same trick to get past the security perimeter.
The typical distribution vehicles of the first stage are phishing campaigns, spam messages on forums, social media posts, comments (on YouTube and Facebook), and untrustworthy software download websites. Some of the observed campaigns abused the WhatsApp and Telegram brands. The high-level diagram of the new Purple Fox waves is shown below.
Figure 1: High-level diagram of the Purple Fox rootkit – January 2022 (source).
Digging into the details
As illustrated above, Purple Fox