Checking and Remediating Stealthy Malware, PurpleFox

PurpleFox was first discovered in 2018. The attacker hid the malware with a self-developed driver back then, but since 2019, they have been using the customized open-source program ‘Hidden.’ It was also found that the attacker tested the malware multiple times to add various features starting from the middle of 2020.

PurpleFox is ultimately a CoinMiner, but it can perform the role of a downloader that installs additional malware as well as spread it to other connected PCs. As for its distribution methods discovered so far, it may exploit browser vulnerabilities, disguise itself as certain programs, or send phishing emails. In January 2022, it was found the malware was distributed by disguising itself as the installer of ‘Telegram.’

Since malware using rootkit can hide certain files, processes, or registry keys, it is difficult for PC users to figure out whether their systems are infected or not. As such, the ASEC analysis team will introduce a simple method to check whether your system is infected with the PurpleFox rootkit. If infected, follow the link below to remediate the malware using the PurpleFox-specific anti-malware program.

  • Checking Infection

1) Run ‘cmd.exe’ as administrator.

2) Check if there is a policy named ‘qianye’ among IPSEC policies.
Command > netsh ipsec static show policy all

3) Check if there is ‘Filter1’ among filter list names and the port number includes 135, 139, and 445.
Command > netsh ipsec static show all

If the PC meets all of the conditions mentioned above, it is highly likely that your PC is already infected with PurpleFox. Hence it is recommended to install the anti-malware from the link below to scan and remediate if necessary.

Download PurpleFox-specific anti-malware

  • PurpleFox-specific Anti-malware Remediation Process

1) Run the anti-malware and wait. It will automatically check the infection status and display the message shown below. Because of the reboot process, documents or important tasks may be closed. It is recommended for the users to close applications before running the PurpleFox-specific anti-malware.

2) After the reboot, the anti-malware will automatically run the scan as the following. The path that will be scanned is ‘%SystemRoot%\system32’. The anti-malware will detect the core file of PurpleFox named ‘MS(volume serial number)App.dll’ and delete it.

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

5 1 vote
Article Rating

Inline Feedbacks
View all comments