PurpleFox Adds New Backdoor That Uses WebSockets

In September 2021, the Trend Micro Managed XDR (MDR) team looked into suspicious activity related to a PurpleFox operator. Our findings led us to investigate an updated PurpleFox arsenal, which now included an additional vulnerability (CVE-2021-1732) and optimized rootkit capabilities leveraged in their attacks.

We also found a new backdoor written in .NET implanted during the intrusion, which we believe is highly associated with PurpleFox. This backdoor, which we call FoxSocket, leverages WebSockets to communicate with its command-and-control (C&C) servers, resulting in a more robust and secure means of communication compared to regular HTTP traffic.
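A backdoor that tunnels C&C over WebSockets still has to complete the RFC 6455 upgrade handshake over plain HTTP before the channel turns into opaque frames, and that handshake is what a proxy or network sensor can see. The following Python is an added illustration of that detection angle; it is not Trend Micro's code and not derived from the FoxSocket sample. It parses a captured request/response pair, verifies the handshake the way a client must (recomputing Sec-WebSocket-Accept from the client key), and flags established WebSocket sessions to hosts outside an allowlist. The host name, the allowlist and both HTTP messages are constructed placeholders; the key/accept pair is the worked example from RFC 6455.

```python
"""Detect WebSocket handshakes in captured HTTP exchanges (added example)."""
import base64
import hashlib
from typing import Dict, Tuple

# Fixed GUID every RFC 6455 server appends to the client key.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def parse_http_message(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split an HTTP/1.1 message head into (start line, lower-cased header map)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # tolerate junk lines rather than abort the whole parse
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def expected_accept(sec_websocket_key: str) -> str:
    """Sec-WebSocket-Accept value a compliant server must return for this key."""
    digest = hashlib.sha1((sec_websocket_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def is_upgrade_request(headers: Dict[str, str]) -> bool:
    """True when the request carries the three mandatory WebSocket upgrade headers."""
    return (
        headers.get("upgrade", "").lower() == "websocket"
        and "upgrade" in headers.get("connection", "").lower()
        and "sec-websocket-key" in headers
    )


def classify_exchange(request_raw: str, response_raw: str, allowed_hosts) -> Dict:
    """Classify one request/response pair and flag sessions to unexpected hosts."""
    _, req_h = parse_http_message(request_raw)
    status_line, resp_h = parse_http_message(response_raw)
    host = req_h.get("host", "").split(":")[0].lower()
    verdict = {"websocket_attempt": False, "established": False,
               "host": host, "suspicious": False, "reason": ""}

    if not is_upgrade_request(req_h):
        verdict["reason"] = "not a WebSocket upgrade"
        return verdict
    verdict["websocket_attempt"] = True

    parts = status_line.split(" ")
    status = parts[1] if len(parts) > 1 else ""
    if status != "101":
        verdict["reason"] = f"upgrade refused (status {status or 'unknown'})"
    elif resp_h.get("sec-websocket-accept") != expected_accept(req_h["sec-websocket-key"]):
        # A client must abort here; a sensor should treat it as a failed attempt.
        verdict["reason"] = "bad Sec-WebSocket-Accept; handshake invalid"
    else:
        verdict["established"] = True
        verdict["reason"] = "WebSocket session established"

    # Any upgrade attempt to a host we do not expect to speak WebSockets is worth a look.
    if host not in allowed_hosts:
        verdict["suspicious"] = True
        verdict["reason"] += "; destination not on allowlist"
    return verdict


# Constructed sample exchange (placeholder host, not a real indicator).
SAMPLE_REQUEST = (
    "GET /chat HTTP/1.1\r\n"
    "Host: ws-c2.example.invalid\r\n"
    "Upgrade: websocket\r\n"
    "Connection: Upgrade\r\n"
    "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    "Sec-WebSocket-Version: 13\r\n\r\n"
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 101 Switching Protocols\r\n"
    "Upgrade: websocket\r\n"
    "Connection: Upgrade\r\n"
    "Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n"
)
ALLOWED_HOSTS = {"collab.corp.example"}  # constructed allowlist of known WebSocket services

if __name__ == "__main__":
    print(classify_exchange(SAMPLE_REQUEST, SAMPLE_RESPONSE, ALLOWED_HOSTS))
```

The allowlist approach works because legitimate WebSocket endpoints in an enterprise are usually few and stable, so an established session to an unknown host is a cheap, low-noise hunting signal; once the upgrade completes, the frames themselves (and any TLS on top) give a sensor far less to work with.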

We believe that this particular threat is currently being aimed at users in the Middle East. We first encountered this threat via customers in the region. We are currently investigating if it has been found in other parts of the world.

Source: Trend Micro