The Purple Fox Trojan is pushed to victims after an intrusion via SQL. The attackers then download and execute multiple malicious files, including the Purple Fox Trojan MSI installation package, privilege-escalation exploits, and a PowerShell script Trojan. The executed script's main function is download-and-execute: it downloads and runs multiple files carrying jpg, png, and other picture extensions. These files are only disguised as pictures; in fact they are PowerShell script viruses, MSI Purple Fox Trojan installation files, EXE privilege-escalation exploits, and so on. These in turn download and execute multiple privilege-escalation exploits, including CVE-2018-8120, CVE-2015-1701, and MS16-032, to raise the execution permissions of the current process so that the virus's MSI installation file can be installed successfully.
MS16-032 download address:
CVE-2018-8120 module download address:
The downloaded SMB1.jpg, SMB3.jpg, and Sps.jpg files are actually MSI installation packages. The download address is hxxp://Es.ldbdhm.xyz/sqlexec/xxx.jpg
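Because the payloads above are named as pictures but are really MSI packages, EXE exploits or PowerShell scripts, a defender can flag them by comparing each file's extension with its actual content. The following is an added example, not code from the original report: the magic bytes are the standard JPEG, PNG, OLE/CFB (MSI) and PE signatures, the list of PowerShell stager cmdlets is an assumption about what such download-and-execute scripts typically contain, and the sample blobs are constructed.

```python
"""Detect image-named files whose content is an MSI, EXE or PowerShell script.

Added example for the Purple Fox dropper behaviour described above; sample
inputs are constructed, not captured from the campaign.
"""
import re

# Leading bytes of each format (standard file signatures).
MAGIC = {
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "msi_ole_cfb": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # MSI = OLE compound file
    "pe_exe": b"MZ",                                      # Windows PE executable
}

# Assumed indicators of a download-and-execute PowerShell stager.
_PS_PATTERN = re.compile(
    rb"(Invoke-Expression|\bIEX\b|DownloadString|DownloadFile|Start-Process|"
    rb"Invoke-WebRequest|New-Object\s+Net\.WebClient|-EncodedCommand)",
    re.IGNORECASE,
)


def classify(data: bytes) -> str:
    """Return the real type: jpeg, png, msi_ole_cfb, pe_exe, powershell or unknown."""
    for name, magic in MAGIC.items():
        if data.startswith(magic):
            return name
    # Scripts have no magic number; scan the text, tolerating UTF-16 encoding.
    text = data.replace(b"\x00", b"") if b"\x00" in data[:64] else data
    if _PS_PATTERN.search(text):
        return "powershell"
    return "unknown"


def is_masquerading(filename: str, data: bytes) -> bool:
    """True when a file with a picture extension does not contain a picture."""
    image_types = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png"}
    ext = filename.lower().rsplit(".", 1)[-1]
    if ext not in image_types:
        return False
    return classify(data) != image_types[ext]


if __name__ == "__main__":
    samples = {  # constructed blobs, not real campaign files
        "SMB1.jpg": MAGIC["msi_ole_cfb"] + b"\x00" * 24,
        "real.png": MAGIC["png"] + b"\x00\x00\x00\rIHDR",
        "stage.png": b"IEX (New-Object Net.WebClient).DownloadString('x')",
    }
    for name, blob in samples.items():
        print(f"{name:10s} -> {classify(blob):12s} masquerading={is_masquerading(name, blob)}")
```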