Purple Fox primarily targets SQL servers, rather than ordinary workstations, for its cryptocurrency-mining operations. This is largely attributable to the more capable hardware, both CPU and memory, that servers typically have: to avoid performance problems, the CPU, memory and disk resources of a SQL server must scale with the database workload.
Such machines typically have significantly more computational power than standard desktop computers, and are commonly outfitted with hardware such as Intel Xeon CPUs, which produce a considerably higher hash rate (the number of hash computations per second), making a server more attractive for coin mining than a typical desktop.
Because SQL databases provide many routes for executing operating system commands, Purple Fox chose the stealthiest of them: storing a binary inside the SQL Server database itself, where it can be executed with T-SQL commands.
Instead of the more common xp_cmdshell, which defenders monitor closely, Purple Fox used CLR assemblies, a set of DLLs that can be imported into SQL Server, in its infection chain. Once imported, the DLLs can be bound to stored procedures, which are then executed from a T-SQL script. The editions affected by this vector begin with SQL Server 2008.
This approach requires the sysadmin role by default and runs under the SQL Server service account. An intruder can use this mechanism to build a .NET assembly DLL and import it into the SQL Server.
The attacker can also store an assembly in a SQL Server table, create a procedure that maps to a CLR method, and then execute that procedure. Other groups besides Purple Fox, such as MrbMiner and Lemon Duck, have reportedly used the CLR assembly technique in the past.
The C&C servers used throughout the communication phases were compromised servers that are themselves members of the botnet hosting Purple Fox's numerous payloads.
Both initial DNS queries are CNAMEs to subdomains within kozow[.]com, a free dynamic DNS service supplied by dynu[.]com. Such a service can be updated via an API to point to different IP addresses, a capability the attacker uses to change the IP address frequently.
Researchers recommend the following steps to eliminate any malicious remnants of the infection if suspicious behavior connected to the Purple Fox botnet is detected on a SQL server.
Examine all SQL Server stored procedures and assemblies for questionable assemblies that the DBAs do not recognize. Any such assemblies must be removed.
Run the following T-SQL script to remove the malicious CLR assembly remnant that was placed in the database:
USE [master]
GO
DROP ASSEMBLY [fscbd]
GO
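The two database-side steps above (inventory unknown assemblies, then drop the malicious one) can be carried out with the script below. It is an added example and not code from the original article or from the researchers it cites. It assumes it is run with sysadmin rights, that the assembly is the [fscbd] in [master] named in the article, and that the names of the stored procedures bound to it are unknown and must be discovered from the catalog views; it goes slightly beyond the article by covering every online database and by hashing each DLL so the DBA can compare it against a known-good list.

```sql
-- Added example (not from the original article): find user-defined CLR
-- assemblies and the modules bound to them, then remove a confirmed
-- malicious assembly in the order SQL Server requires.
-- Assumptions: sysadmin context; assembly [fscbd] lives in [master];
-- dependent procedure/function names are discovered, not hard-coded.

-- 1. Is CLR execution enabled at instance level, and is strict security on?
--    ('clr strict security' only exists on SQL Server 2017 and later.)
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('clr enabled', 'clr strict security');

-- 2. Databases with TRUSTWORTHY on can load UNSAFE assemblies without signing,
--    so they deserve a closer look.
SELECT name, is_trustworthy_on
FROM sys.databases
WHERE is_trustworthy_on = 1;

-- 3. Every user-defined assembly in every online database, with its permission
--    set, creation time and a SHA-512 of the DLL bytes for comparison against
--    the DBA's known-good list. (HASHBYTES accepts varbinary(max) input only on
--    SQL Server 2016 and later; older versions are limited to 8000 bytes.)
DECLARE @inventory nvarchar(max) = N'';
SELECT @inventory += N'
USE ' + QUOTENAME(name) + N';
SELECT DB_NAME() AS database_name,
       a.name AS assembly_name,
       a.permission_set_desc,
       a.create_date,
       CONVERT(varchar(130), HASHBYTES(''SHA2_512'', f.content), 2) AS dll_sha512
FROM sys.assemblies a
JOIN sys.assembly_files f ON f.assembly_id = a.assembly_id
WHERE a.is_user_defined = 1;'
FROM sys.databases
WHERE state_desc = 'ONLINE';
EXEC sp_executesql @inventory;
GO

-- 4. For the confirmed malicious assembly, list the objects that map onto it.
--    DROP ASSEMBLY fails while any procedure or function still references it.
USE [master];
GO
SELECT SCHEMA_NAME(o.schema_id) AS schema_name,
       o.name AS object_name,
       o.type_desc,
       m.assembly_class,
       m.assembly_method
FROM sys.assembly_modules m
JOIN sys.objects o ON o.object_id = m.object_id
JOIN sys.assemblies a ON a.assembly_id = m.assembly_id
WHERE a.name = N'fscbd';
GO

-- 5. Drop each dependent module (CLR procedures, scalar/table functions and
--    aggregates), then the assembly itself. CLR triggers (type 'TA') are not
--    generated here because DROP TRIGGER needs the owning table; handle them
--    by hand if the query in step 4 reports any.
DECLARE @drop nvarchar(max) = N'';
SELECT @drop += N'DROP '
    + CASE o.type
        WHEN 'PC' THEN N'PROCEDURE '
        WHEN 'AF' THEN N'AGGREGATE '
        ELSE N'FUNCTION '           -- 'FS' scalar and 'FT' table-valued
      END
    + QUOTENAME(SCHEMA_NAME(o.schema_id)) + N'.' + QUOTENAME(o.name) + N';' + CHAR(10)
FROM sys.assembly_modules m
JOIN sys.objects o ON o.object_id = m.object_id
JOIN sys.assemblies a ON a.assembly_id = m.assembly_id
WHERE a.name = N'fscbd'
  AND o.type IN ('PC', 'FS', 'FT', 'AF');
EXEC sp_executesql @drop;
DROP ASSEMBLY [fscbd];
GO
```

Run steps 1 to 4 first and keep their output as evidence; only run step 5 once the DBAs have confirmed the assembly is not theirs, since it is destructive and, on a shared instance, the same hash check in step 3 is the quickest way to spot the same DLL planted under a different name in another database.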
Disable all unfamiliar accounts and update all passwords on the database server.
As a precaution, do not expose TCP port 1433 to untrusted networks. Furthermore, place SQL Server hosts behind a perimeter firewall in a DMZ with strict access controls.
Establish proper network micro-segmentation and zoning, and enforce a zero-trust policy through your network security controls.
Limit traffic to and from SQL servers. Because these servers serve a specialized purpose, they should only be allowed to communicate with other trusted hosts, and internet access, both inbound and outbound, should be restricted.