Blog

A l'intérieur du SOC

Exposing a Demonic Threat: Darktrace’s Fight Against Malware Targeting Brazilian Organizations

Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
13
Oct 2023
13
Oct 2023
This blog details how Darktrace DETECT identified a banking trojan known to target organizations in Brazil before it was able to steal any sensitive customer data. Following the initial detection, Darktrace’s global SOC were able to investigate the incident and inform the customer for swift mitigation.

Nationally Targeted Cyber Attacks

As the digital world becomes more and more interconnected, the threat of cyber-attacks transcends borders and presents a significant concern to security teams worldwide. Yet despite this, some malicious actors have shown a tendency to focus their attacks on specific countries. By employing highly tailored tactics, techniques, and procedures (TTPs) to target users and organizations from one nation, rather than launching more widespread campaigns, threat actors are able to maximize the efficiency and efficacy of their attacks.

What is Guildma and how does it work?

One example can be seen in the remote access trojan (RAT) and information stealer, Guildma. Guildma, also known by the demonic moniker, Astaroth, first appeared in the wild in 2017 and is a Latin America-based banking trojan known to primarily target organizations in Brazil, although has more recently been observed in North America and Europe too [1].

By concentrating their efforts on Brazil, Guildma is able to launch attacks with a high degree of specificity, focussing their language on Brazilian norms, referencing Brazilian institutions, and tailoring their social engineering accordingly. Moreover, considering that Brazilian customers likely represent a relatively small portion of security vendors’ clientele, there may be a limited pool of available indicators of compromise (IoCs). This limitation could significantly impact the efficacy of traditional security measures that rely on signature-based detection methods in identifying emerging threats.

Darktrace vs. Guildma

In June 2023, Darktrace observed a Guildma compromise on the network of a Brazilian customer in the manufacturing sector. The anomaly-based detection capabilities of Darktrace DETECT™ allowed it to identify suspicious activity surrounding the compromise, agnostic of any IoCs or specific signatures of a threat actor. Following the successful detection of the malware, the Darktrace Security Operations Center (SOC) carried out a thorough investigation into the compromise and brought it to the attention of the customer’s security team, allowing them to quickly react and prevent any further escalation.

This early detection by Darktrace effectively shut down Guildma operations on the network before any sensitive data could be gathered and stolen by malicious actors.

Attack Overview

In the case of the Guildma RAT detected by Darktrace, the affected system was a desktop device, ostensibly used by one employee. The desktop was first observed on the customer’s network in April 2023; however, it is possible that the initial compromise took place before Darktrace had visibility over the network. Guildma compromises typically start with phishing campaigns, indicating that the initial intrusion in this case likely occurred beyond the scope of Darktrace’s monitoring [2].

Early indicators

On June 23, 2023, Darktrace DETECT observed the first instance of unusual activity being performed by the affected desktop device, namely regular HTTP POST requests to a suspicious domain, indicative of command-and-control (C2) beaconing activity. The domain used an unusual Top-Level Domain (TLD), with a plausibly meaningful (in Portuguese) second-level domain and a seemingly random 11-character third-level domain, “dn00x1o0f0h.puxaofolesanfoneiro[.]quest”.

Throughout the course of this attack, Darktrace observed additional connections like this, representing something of a signature of the attack. The suspicious domains were typically registered within six months of observation, featured an uncommon TLD, and included a seemingly randomized third-level domain of 6-11 characters, followed by a plausibly legitimate second-level domain with a minimum of 15 characters. The connections to these unusual endpoints all followed a similar two-hour beaconing period, suggesting that Guildma may rotate its C2 infrastructure, using the Multi-Stage Channels TTP (MITRE ID T1104) to evade restrictions by firewalls or other signature-based security tools that rely on static lists of IoCs and “known bads”.

Figure 1: Model Breach Event Log for the “Compromise / Agent Beacon (Long Period)”. The connections at two-hour intervals, including at unreasonably late hours, is consistent with beaconing for C2.

Living-off-the-land with BITS abuse

A week later, on June 30, 2023, the affected device was observed making an unusual Microsoft BITS connection. BitsAdmin is a deprecated administrative tool available on most Windows devices and can be leveraged by attackers to transfer malicious obfuscated payloads into and around an organization’s network. The domain observed during this connection, "cwiufv.pratkabelhaemelentmarta[.]shop”, follows the previously outlined domain naming convention. Multiple open-source intelligence (OSINT) sources indicated that the endpoint had links to malware and, when visited, redirected users to the Brazilian versions of WhatsApp and Zoom. This is likely a tactic employed by threat actors to ensure users are unaware of suspicious domains, and subsequent malware downloads, by redirected them to a trusted source.

Figure 2: A screenshot of the Model Breach log summary of the “Unusual BITS Activity” model breach. The breach log contains key details such as the ASN, hostname, and user agent used in the breaching connection.

Obfuscated Tooling Downloads

Within one minute of the suspicious BITS activity, Darktrace detected the device downloading a suspicious file from the aforementioned endpoint, (cwiufv.pratkabelhaemelentmarta[.]shop). The file in question appeared to be a ZIP file with the 17-digit numeric name query, namely “?37627343830628786”, with the filename “zodzXLWwaV.zip”.

However, Darktrace DETECT recognized that the file extension did not match its true file type and identified that it was, in fact, an executable (.exe) file masquerading as a ZIP file. By masquerading files downloads, threat actors are able to make their malicious files seem legitimate and benign to security teams and traditional security tools, thereby evading detection. In this case, the suspicious file in question was indeed identified as malicious by multiple OSINT sources.

Following the initial download of this masqueraded file, Darktrace also detected subsequent downloads of additional executable files from the same endpoint.  It is possible that these downloads represented Guildma actors attempting to download additional tooling, including the information-stealer widely known as Astaroth, in order to begin its data collection and exfiltration operations.

Figure 3: A screenshot of a graph produced by the Threat Visualizer of the affected device's external connections. The visual aid marks breaches with red and orange dots, creating a more intuitive explanation of observed behavior.

Darktrace SOC

The successful detection of the masqueraded file transfer triggered an Enhanced Monitoring model breach, a high-fidelity model designed to detect activity that is more likely indicative of an ongoing compromise.  

This breach was immediately escalated to the Darktrace SOC for analysis by Darktrace’s team of expert analysts who were able to complete a thorough investigation and notify the customer’s security team of the compromise in just over half an hour. The investigation carried out by Darktrace’s analysts confirmed that the activity was, indeed, malicious, and provided the customer’s security team with details around the extent of the compromise, the specific IoCs, and risks this compromise posed to their digital environment. This information empowered the customer’s security team to promptly address the issue, having a significant portion of the investigative burden reduced and resolved by the round-the-clock Darktrace analyst team.

In addition to this, Cyber AI Analyst™ launched an investigation into the ongoing compromise and was able to connect the anomalous HTTP connections to the subsequent suspicious file downloads, viewing them as one incident rather than two isolated events. AI Analyst completed its investigation in just three minutes, upon which it provided a detailed summary of events of the activity, further aiding the customer’s remediation process.

Figure 4: CyberAI Analyst summary of the suspicious activity. A prose summary of the breach activity and the meaning of the technical details is included to maintain an easily digestible stream of information.

Conclusion

While the combination of TTPs observed in this Guildma RAT compromise is not uncommon globally, the specificity to targeting organizations in Brazil allows it to be incredibly effective. By focussing on just one country, malicious actors are able to launch highly specialized attacks, adapting the language used and tailoring the social engineering effectively to achieve maximum success. Moreover, as Brazil likely represents a smaller segment of security vendors’ customers, therefore leading to a limited pool of IoCs, attackers are often able to evade traditional signature-based detections.

Darktrace DETECT’s anomaly-based approach to threat detection allows for effective detection, mitigation, and response to emerging threats, regardless of the specifics of the attack and without relying on threat intelligence or previous IoCs. Ultimately in this case, Darktrace was able to identify the suspicious activity surrounding the Guildma compromise and swiftly bring it to the attention of the customer’s security team, before any data gathering, or exfiltration activity took place.

Darktrace’s threat detection capabilities coupled with its expert analyst team and round-the-clock SOC response is a highly effective addition to an organization’s defense-in-depth, whether in Brazil or anywhere else around the world.

Credit to Roberto Romeu, Senior SOC Analyst, Taylor Breland, Analyst Team Lead, San Francisco

References

https://malpedia.caad.fkie.fraunhofer.de/details/win.astaroth

https://www.welivesecurity.com/2020/03/05/guildma-devil-drives-electric/  

Appendices

Darktrace DETECT Model Breaches

  • Compromise / Agent Beacon (Long Period)
  • Device / Unusual BITS Activity
  • Anomalous File / Anomalous Octet Stream (No User Agent)
  • Anomalous File / Masqueraded File Transfer (Enhanced Monitoring Model)
  • Anomalous File / EXE from Rare External Location
  • Anomalous File / Multiple EXE from Rare External Locations

List of IoCs

IoC Type - Description + Confidence

5q710e1srxk.broilhasoruikaliventiladorrta[.]shop - Domain - Likely C2 server

m2pkdlse8md.roilhasohlcortinartai[.]hair - Domain - Likely C2 server

cwiufv.pratkabelhaemelentmarta[.]shop - Domain - C2 server

482w5pct234.jaroilcasacorkalilc[.]ru[.]com - Domain - C2 server

dn00x1o0f0h.puxaofolesanfoneiro[.]quest - Domain - Likely C2 server

10v7mybga55.futurefrontier[.]cyou - Domain - Likely C2 server

f788gbgdclp.growthgenerator[.]cyou - Domain - Likely C2 server

6nieek.satqabelhaeiloumelsmarta[.]shop - Domain - Likely C2 server

zodzXLWwaV.zip (SHA1 Hash: 2a4062e10a5de813f5688221dbeb3f3ff33eb417 ) - File hash - Malware

IZJQCAOXQb.zip (SHA1 Hash: eaec1754a69c50eac99e774b07ef156a1ca6de06 ) - File hash - Likely malware

MITRE ATT&CK Mapping

ATT&CK Technique - Technique ID

Multi-Stage Channels - T1104

BITS Jobs - T1197

Application Layer Protocol: Web Protocols - T1071.001

Acquire Infrastructure: Web Services - T1583.006

Obtain Capabilities: Malware - T1588.001

Masquerading - T1036

NEWSLETTER

Vous aimez ça et en voulez plus ?

Stay up to date on the latest industry news and insights.
Vous pouvez vous désabonner à tout moment. Politique de confidentialité
DANS LE SOC
Darktrace sont des experts de classe mondiale en matière de renseignement sur les menaces, de chasse aux menaces et de réponse aux incidents. Ils fournissent une assistance SOC 24 heures sur 24 et 7 jours sur 7 à des milliers de clients Darktrace dans le monde entier. Inside the SOC est exclusivement rédigé par ces experts et fournit une analyse des cyberincidents et des tendances en matière de menaces, basée sur une expérience réelle sur le terrain.
AUTEUR
à propos de l'auteur
Roberto Romeu
Senior SOC Analyst
share this article
CAS D'UTILISATION
Aucun élément trouvé.
Couverture de base
Aucun élément trouvé.

More in this series

Aucun élément trouvé.

Blog

Leadership éclairé

The Implications of NIS2 on Cyber Security and AI

Default blog imageDefault blog image
05
Dec 2023

The NIS2 Directive requires member states to adopt laws that will improve the cyber resilience of organizations within the EU. It impacts organizations that are “operators of essential services”. Under NIS 1, EU member states could choose what this meant. In an effort to ensure more consistent application, NIS2 has set out its own definition. It eliminates the distinction between operators of essential services and digital service providers from NIS1, instead defining a new list of sectors:

  • Energy (electricity, district heating and cooling, gas, oil, hydrogen)
  • Transport (air, rail, water, road)
  • Banking (credit institutions)
  • Financial market infrastructures
  • Health (healthcare providers and pharma companies)
  • Drinking water (suppliers and distributors)
  • Digital infrastructure (DNS, TLD registries, telcos, data center providers, etc.)
  • ICT service providers (B2B): MSSPs and managed service providers
  • Public administration (central and regional government institutions, as defined per member state)
  • Space
  • Postal and courier services
  • Waste management
  • Chemicals
  • Food
  • Manufacturing of medical devices
  • Computers and electronics
  • Machinery and equipment
  • Motor vehicles, trailers and semi-trailers and other transport equipment
  • Digital providers (online market places, online search engines, and social networking service platforms) and research organizations.

With these updates, it becomes harder to try and find industry segments not included within the scope. NIS2 represents legally binding cyber security requirements for a significant region and economy. Standout features that have garnered the most attention include the tight timelines associated with notification requirements. Under NIS 2, in-scope entities must submit an initial report or “early warning” to the competent national authority or computer security incident response team (CSIRT) within 24 hours from when the entity became aware of a significant incident. This is a new development from the first iteration of the Directive, which used more vague language of the need to notify authorities “without undue delay”.

Another aspect gaining attention is oversight and regulation – regulators are going to be empowered with significant investigation and supervision powers including on-site inspections. We cover more on this in our white paper.

The stakes are now higher, with the prospect of fines that are capped at €10 million or 2% of an offending organization’s annual worldwide turnover – whichever is greater. Added to that, the NIS2 Directive includes an explicit obligation to hold members of management bodies personally responsible for breaches of their duties to ensure compliance with NIS2 obligations – and members can be held personally liable.  

The risk management measures introduced in the Directive are not altogether surprising – they reflect common best practices. Many organizations (especially those that are newly in scope for NIS2) may have to expand their cyber security capabilities, but there’s nothing controversial or alarming in the required measures.  For organizations in this situation, there are various tools, best practices, and frameworks they can leverage.  Darktrace in particular provides capabilities in the areas of visibility, incident handling, and reporting that can help.

NIS2 and Cyber AI

The use of AI is not an outright requirement within NIS2 – which may be down to lack of knowledge and expertise in the area, and/or the immaturity of the sector. The clue to this might be in the timing: the provisional agreement on the NIS2 text was reached in May 2022 – six months before ChatGPT and other open-source Generative AI tools propelled broader AI technology into the forefront of public consciousness. If the language were drafted today, it's not far-fetched to imagine AI being mentioned much more prominently and perhaps even becoming a requirement.

NIS2 does, however, very clearly recommend that “member states should encourage the use of any innovative technology, including artificial intelligence”[1].  Another section speaks directly to essential and important entities, saying that they should “evaluate their own cyber security capabilities, and where appropriate, pursue the integration of cyber security enhancing technologies, such as artificial intelligence or machine learning systems…”[2]

One of the recitals states that “member states should adopt policies on the promotion of active cyber protection”.  Where active cyber protection is defined as “the prevention, detection, monitoring, analysis and mitigation of network security breaches in an active manner.”[3]  

From a Darktrace perspective, our self-learning Cyber AI technology is precisely what enables our technology to deliver active cyber protection – protecting organizations and uplifting security teams at every stage of an incident lifecycle – from proactively hardening defenses before an attack is launched, to real-time threat detection and response, through to recovering quickly back to a state of good health.  

The visibility provided by Darktrace is vital to understanding the effectiveness of policies and ensuring policy compliance. NIS2 also covers incident handling and business continuity, which Darktrace HEAL addresses through AI-enabled incident response, readiness reports, simulations, and secure collaborations.

Reporting is integral to NIS2 and organizations can leverage Darktrace’s incident reporting features to present the necessary technical details of an incident and provide a jump start to compiling a full report with business context and impact.  

What’s Next for NIS2

We don’t yet know the details for how EU member states will transpose NIS2 into national law – they have until 17th October 2024 to work this out. The Commission also commits to reviewing the functioning of the Directive every three years. Given how much our overall understanding and appreciation for not only the dangers of AI but also its power (perhaps even necessity in the realm of cyber security) is changing, we may see many member states will leverage the recitals’ references to AI in order to make a strong push if not a requirement that essential and important organizations within their jurisdiction leverage AI.

Organizations are starting to prepare now to meet the forthcoming legislation related to NIS2. To see how Darktrace can help, talk to your representative or contact us.


[1] (51) on page 11
[2]
(89) on page 17
[3]
(57) on page 12

Continue reading
About the author
John Allen
VP, Cyber Risk & Compliance

Blog

A l'intérieur du SOC

PurpleFox in a Henhouse: How Darktrace Hunted Down a Persistent and Dynamic Rootkit

Default blog imageDefault blog image
27
Nov 2023

Versatile Malware: PurpleFox

As organizations and security teams across the world move to bolster their digital defenses against cyber threats, threats actors, in turn, are forced to adopt more sophisticated tactics, techniques and procedures (TTPs) to circumvent them. Rather than being static and predictable, malware strains are becoming increasingly versatile and therefore elusive to traditional security tools.

One such example is PurpleFox. First observed in 2018, PurpleFox is a combined fileless rootkit and backdoor trojan known to target Windows machines. PurpleFox is known for consistently adapting its functionalities over time, utilizing different infection vectors including known vulnerabilities (CVEs), fake Telegram installers, and phishing. It is also leveraged by other campaigns to deliver ransomware tools, spyware, and cryptocurrency mining malware. It is also widely known for using Microsoft Software Installer (MSI) files masquerading as other file types.

The Evolution of PurpleFox

The Original Strain

First reported in March 2018, PurpleFox was identified to be a trojan that drops itself onto Windows machines using an MSI installation package that alters registry values to replace a legitimate Windows system file [1]. The initial stage of infection relied on the third-party toolkit RIG Exploit Kit (EK). RIG EK is hosted on compromised or malicious websites and is dropped onto the unsuspecting system when they visit browse that site. The built-in Windows installer (MSIEXEC) is leveraged to run the installation package retrieved from the website. This, in turn, drops two files into the Windows directory – namely a malicious dynamic-link library (DLL) that acts as a loader, and the payload of the malware. After infection, PurpleFox is often used to retrieve and deploy other types of malware.  

Subsequent Variants

Since its initial discovery, PurpleFox has also been observed leveraging PowerShell to enable fileless infection and additional privilege escalation vulnerabilities to increase the likelihood of successful infection [2]. The PowerShell script had also been reported to be masquerading as a .jpg image file. PowerSploit modules are utilized to gain elevated privileges if the current user lacks administrator privileges. Once obtained, the script proceeds to retrieve and execute a malicious MSI package, also masquerading as an image file. As of 2020, PurpleFox no longer relied on the RIG EK for its delivery phase, instead spreading via the exploitation of the SMB protocol [3]. The malware would leverage the compromised systems as hosts for the PurpleFox payloads to facilitate its spread to other systems. This mode of infection can occur without any user action, akin to a worm.

The current iteration of PurpleFox reportedly uses brute-forcing of vulnerable services, such as SMB, to facilitate its spread over the network and escalate privileges. By scanning internet-facing Windows computers, PurpleFox exploits weak passwords for Windows user accounts through SMB, including administrative credentials to facilitate further privilege escalation.

Darktrace detection of PurpleFox

In July 2023, Darktrace observed an example of a PurpleFox infection on the network of a customer in the healthcare sector. This observation was a slightly different method of downloading the PurpleFox payload. An affected device was observed initiating a series of service control requests using DCE-RPC, instructing the device to make connections to a host of servers to download a malicious .PNG file, later confirmed to be the PurpleFox rootkit. The device was then observed carrying out worm-like activity to other external internet-facing servers, as well as scanning related subnets.

Darktrace DETECT™ was able to successfully identify and track this compromise across the cyber kill chain and ensure the customer was able to take swift remedial action to prevent the attack from escalating further.

While the customer in question did have Darktrace RESPOND™, it was configured in human confirmation mode, meaning any mitigative actions had to be manually applied by the customer’s security team. If RESPOND had been enabled in autonomous response mode at the time of the attack, it would have been able to take swift action against the compromise to contain it at the earliest instance.

Attack Overview

Figure 1: Timeline of PurpleFox malware kill chain.

Initial Scanning over SMB

On July 14, 2023, Darktrace detected the affected device scanning other internal devices on the customer’s network via port 445. The numerous connections were consistent with the aforementioned worm-like activity that has been reported from PurpleFox behavior as it appears to be targeting SMB services looking for open or vulnerable channels to exploit.

This initial scanning activity was detected by Darktrace DETECT, specifically through the model breach ‘Device / Suspicious SMB Scanning Activity’. Darktrace’s Cyber AI Analyst™ then launched an autonomous investigation into these internal connections and tied them into one larger-scale network reconnaissance incident, rather than a series of isolated connections.

Figure 2: Cyber AI Analyst technical details summarizing the initial scanning activity seen with the internal network scan over port 445.

As Darktrace RESPOND was configured in human confirmation mode, it was unable to autonomously block these internal connections. However, it did suggest blocking connections on port 445, which could have been manually applied by the customer’s security team.

Figure 3: The affected device’s Model Breach Event Log showing the initial scanning activity observed by Darktrace DETECT and the corresponding suggested RESPOND action.

Privilege Escalation

The device successfully logged in via NTLM with the credential, ‘administrator’. Darktrace recognized that the endpoint was external to the customer’s environment, indicating that the affected device was now being used to propagate the malware to other networks. Considering the lack of observed brute-force activity up to this point, the credentials for ‘administrator’ had likely been compromised prior to Darktrace’s deployment on the network, or outside of Darktrace’s purview via a phishing attack.

Exploitation

Darktrace then detected a series of service control requests over DCE-RPC using the credential ‘admin’ to make SVCCTL Create Service W Requests. A script was then observed where the controlled device is instructed to launch mshta.exe, a Windows-native binary designed to execute Microsoft HTML Application (HTA) files. This enables the execution of arbitrary script code, VBScript in this case.

Figure 4: PurpleFox remote service control activity captured by a Darktrace DETECT model breach.
Figure 5: The infected device’s Model Breach Event Log showing the anomalous service control activity being picked up by DETECT.

There are a few MSIEXEC flags to note:

  • /i : installs or configures a product
  • /Q : sets the user interface level. In this case, it is set to ‘No UI’, which is used for “quiet” execution, so no user interaction is required

Evidently, this was an attempt to evade detection by endpoint users as it is surreptitiously installed onto the system. This corresponds to the download of the rootkit that has previously been associated with PurpleFox. At this stage, the infected device continues to be leveraged as an attack device and scans SMB services over external endpoints. The device also appeared to attempt brute-forcing over NTLM using the same ‘administrator’ credential to these endpoints. This activity was identified by Darktrace DETECT which, if enabled in autonomous response mode would have instantly blocked similar outbound connections, thus preventing the spread of PurpleFox.

Figure 6: The infected device’s Model Breach Event Log showing the outbound activity corresponding to PurpleFox’s wormlike spread. This was caught by DETECT and the corresponding suggested RESPOND action.

Installation

On August 9, Darktrace observed the device making initial attempts to download a malicious .PNG file. This was a notable change in tactics from previously reported PurpleFox campaigns which had been observed utilizing .MOE files for their payloads [3]. The .MOE payloads are binary files that are more easily detected and blocked by traditional signatured-based security measures as they are not associated with known software. The ubiquity of .PNG files, especially on the web, make identifying and blacklisting the files significantly more difficult.

The first connection was made with the URI ‘/test.png’.  It was noted that the HTTP method here was HEAD, a method similar to GET requests except the server must not return a message-body in the response.

The metainformation contained in the HTTP headers in response to a HEAD request should be identical to the information sent in response to a GET request. This method is often used to test hypertext links for validity and recent modification. This is likely a way of checking if the server hosting the payload is still active. Avoiding connections that could possibly be detected by antivirus solutions can help keep this activity under-the-radar.

Figure 7: Packet Capture from an affected customer device showing the initial HTTP requests to the payload server.
Figure 8: Packet Capture showing the HTTP requests to download the payloads.

The server responds with a status code of 200 before the download begins. The HEAD request could be part of the attacker’s verification that the server is still running, and that the payload is available for download. The ‘/test.png’ HEAD request was sent twice, likely for double confirmation to begin the file transfer.

Figure 9: PCAP from the affected customer device showing the Windows Installer user-agent associated with the .PNG file download.

Subsequent analysis using a Packet Capture (PCAP) tool revealed that this connection used the Windows Installer user agent that has previously been associated with PurpleFox. The device then began to download a payload that was masquerading as a Microsoft Word document. The device was thus able to download the payload twice, from two separate endpoints.

By masquerading as a Microsoft Word file, the threat actor was likely attempting to evade the detection of the endpoint user and traditional security tools by passing off as an innocuous text document. Likewise, using a Windows Installer user agent would enable threat actors to bypass antivirus measures and disguise the malicious installation as legitimate download activity.  

Darktrace DETECT identified that these were masqueraded file downloads by correctly identifying the mismatch between the file extension and the true file type. Subsequently, AI Analyst was able to correctly identify the file type and deduced that this download was indicative of the device having been compromised.

In this case, the device attempted to download the payload from several different endpoints, many of which had low antivirus detection rates or open-source intelligence (OSINT) flags, highlighting the need to move beyond traditional signature-base detections.

Figure 10: Cyber AI Analyst technical details summarizing the downloads of the PurpleFox payload.
Figure 11 (a): The Model Breach generated by the masqueraded file transfer associated with the PurpleFox payload.
Figure 11 (b): The Model Breach generated by the masqueraded file transfer associated with the PurpleFox payload.

If Darktrace RESPOND was enabled in autonomous response mode at the time of the attack it would have acted by blocking connections to these suspicious endpoints, thus preventing the download of malicious files. However, as RESPOND was in human confirmation mode, RESPOND actions required manual application by the customer’s security team which unfortunately did not happen, as such the device was able to download the payloads.

Conclusion

The PurpleFox malware is a particularly dynamic strain known to continually evolve over time, utilizing a blend of old and new approaches to achieve its goals which is likely to muddy expectations on its behavior. By frequently employing new methods of attack, malicious actors are able to bypass traditional security tools that rely on signature-based detections and static lists of indicators of compromise (IoCs), necessitating a more sophisticated approach to threat detection.  

Darktrace DETECT’s Self-Learning AI enables it to confront adaptable and elusive threats like PurpleFox. By learning and understanding customer networks, it is able to discern normal network behavior and patterns of life, distinguishing expected activity from potential deviations. This anomaly-based approach to threat detection allows Darktrace to detect cyber threats as soon as they emerge.  

By combining DETECT with the autonomous response capabilities of RESPOND, Darktrace customers are able to effectively safeguard their digital environments and ensure that emerging threats can be identified and shut down at the earliest stage of the kill chain, regardless of the tactics employed by would-be attackers.

Credit to Piramol Krishnan, Cyber Analyst, Qing Hong Kwa, Senior Cyber Analyst & Deputy Team Lead, Singapore

Appendices

Darktrace Model Detections

  • Device / Increased External Connectivity
  • Device / Large Number of Connections to New Endpoints
  • Device / SMB Session Brute Force (Admin)
  • Compliance / External Windows Communications
  • Anomalous Connection / New or Uncommon Service Control
  • Compromise / Unusual SVCCTL Activity
  • Compromise / Rare Domain Pointing to Internal IP
  • Anomalous File / Masqueraded File Transfer

RESPOND Models

  • Antigena / Network / Significant Anomaly / Antigena Breaches Over Time Block
  • Antigena / Network / External Threat / Antigena Suspicious Activity Block
  • Antigena / Network / Significant Anomaly / Antigena Significant Anomaly from Client Block
  • Antigena / Network / Significant Anomaly / Antigena Enhanced Monitoring from Client Block
  • Antigena / Network / External Threat / Antigena Suspicious File Block
  • Antigena / Network / External Threat / Antigena File then New Outbound Block

List of IoCs

IoC - Type - Description

/C558B828.Png - URI - URI for Purple Fox Rootkit [4]

5b1de649f2bc4eb08f1d83f7ea052de5b8fe141f - File Hash - SHA1 hash of C558B828.Png file (Malware payload)

190.4.210[.]242 - IP - Purple Fox C2 Servers

218.4.170[.]236 - IP - IP for download of .PNG file (Malware payload)

180.169.1[.]220 - IP - IP for download of .PNG file (Malware payload)

103.94.108[.]114:10837 - IP - IP from Service Control MSIEXEC script to download PNG file (Malware payload)

221.199.171[.]174:16543 - IP - IP from Service Control MSIEXEC script to download PNG file (Malware payload)

61.222.155[.]49:14098 - IP - IP from Service Control MSIEXEC script to download PNG file (Malware payload)

178.128.103[.]246:17880 - IP - IP from Service Control MSIEXEC script to download PNG file (Malware payload)

222.134.99[.]132:12539 - IP - IP from Service Control MSIEXEC script to download PNG file (Malware payload)

164.90.152[.]252:18075 - IP - IP from Service Control MSIEXEC script to download PNG file (Malware payload)

198.199.80[.]121:11490 - IP - IP from Service Control MSIEXEC script to download PNG file (Malware payload)

MITRE ATT&CK Mapping

Tactic - Technique

Reconnaissance - Active Scanning T1595, Active Scanning: Scanning IP Blocks T1595.001, Active Scanning: Vulnerability Scanning T1595.002

Resource Development - Obtain Capabilities: Malware T1588.001

Initial Access, Defense Evasion, Persistence, Privilege Escalation - Valid Accounts: Default Accounts T1078.001

Initial Access - Drive-by Compromise T1189

Defense Evasion - Masquerading T1036

Credential Access - Brute Force T1110

Discovery - Network Service Discovery T1046

Command and Control - Proxy: External Proxy T1090.002

References

  1. https://blog.360totalsecurity.com/en/purple-fox-trojan-burst-out-globally-and-infected-more-than-30000-users/
  2. https://www.trendmicro.com/en_us/research/19/i/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell.html
  3. https://www.akamai.com/blog/security/purple-fox-rootkit-now-propagates-as-a-worm
  4. https://www.foregenix.com/blog/an-overview-on-purple-fox
  5. https://www.trendmicro.com/en_sg/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html
Continue reading
About the author
Piramol Krishnan
Cyber Security Analyst

Bonne nouvelle pour votre entreprise.
Mauvaise nouvelle pour les méchants.

Commencez votre essai gratuit

Commencez votre essai gratuit

Livraison flexible
Cloud-based deployment.
Installation rapide
Une heure seulement pour la mise en place - et encore moins pour un essai de sécurité du courrier électronique.
Choisissez votre voyage
Essayez Self-Learning AI là où vous en avez le plus besoin - y compris dans le cloud, sur le réseau ou par courriel.
Aucun engagement
Accès complet à Darktrace Threat Visualizer et à trois rapports sur mesure sur les menaces, sans obligation d'achat.
For more information, please see our Privacy Notice.
Thanks, your request has been received
A member of our team will be in touch with you shortly.
YOU MAY FIND INTERESTING
Oups ! Un problème est survenu lors de la soumission du formulaire.

Obtenez une démo

Livraison flexible
Vous pouvez l'installer virtuellement ou avec du matériel.
Installation rapide
Une heure seulement pour la mise en place - et encore moins pour un essai de sécurité du courrier électronique.
Choisissez votre voyage
Essayez Self-Learning AI là où vous en avez le plus besoin - y compris dans le cloud, sur le réseau ou par courriel.
Aucun engagement
Accès complet à Darktrace Threat Visualizer et à trois rapports sur mesure sur les menaces, sans obligation d'achat.
Merci ! Votre soumission a été reçue !
Oups ! Un problème est survenu lors de la soumission du formulaire.