PurpleFox Adds New Backdoor That Uses WebSockets

Trend Micro -

PurpleFox Adds New Backdoor That Uses WebSockets

Cyber Threats

In September 2021, the Trend Micro Managed XDR (MDR) team looked into suspicious activity related to a PurpleFox operator. Our findings led us to investigate an updated PurpleFox arsenal, which included an added vulnerability (CVE-2021-1732) and optimized rootkit capabilities leveraged in their attacks.

By: Abdelrhman Sharshar, Jay Yaneza, Sherif Magdy October 19, 2021 Read time:  ( words)

In September 2021, the Trend Micro Managed XDR (MDR) team looked into suspicious activity related to a PurpleFox operator. Our findings led us to investigate an updated PurpleFox arsenal, which included an added vulnerability (CVE-2021-1732) and optimized rootkit capabilities leveraged in their attacks.

We also found a new backdoor written in .NET implanted during the intrusion, which we believe is highly associated with PurpleFox. This backdoor, which we call FoxSocket, leverages WebSockets to communicate with its command-and-control (C&C) servers, resulting in a more robust and secure means of communication compared to regular HTTP traffic.

We believe that this particular threat is currently being aimed at users in the Middle East. We first encountered this

Read More: https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html