PurpleInk
⚠️ Overview
PurpleInk is a modular backdoor malware first documented in April 2021 by Volexity, attributed to the North Korean threat group APT37 (ScarCruft/Reaper). It functions as a trojanized downloader and remote access tool (RAT) designed to exfiltrate data from high-value targets, primarily in South Korea. The malware is believed to be operated by the Reconnaissance General Bureau (RGB), leveraging legitimate cloud services for command and control.
🔧 Technical Capabilities
PurpleInk propagates via spear-phishing emails containing malicious documents that exploit CVE-2021-26411 (Internet Explorer memory corruption) to drop the initial payload. The malware uses Dropbox and Google Drive APIs for C2 communication, storing stolen data in cloud folders to evade network monitoring. Persistence is achieved via registry run keys (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run) and scheduled tasks. Evasion techniques include DLL sideloading using a legitimate Microsoft-signed binary (e.g., OneDriveSetup.exe) and encrypting its configuration with RC4. It also employs process hollowing and anti-debugging checks using NtQueryInformationProcess.
📜 History & Notable Incidents
First documented in early 2021 by Volexity’s threat intelligence team (report “PurpleInk: A New Backdoor from APT37”), the malware was used in a 2022 campaign targeting South Korean government ministries and defense think tanks. Notable victims include the Korea Institute for Defense Analyses (KIDA) and a major South Korean shipbuilder. No specific CVEs have been exclusively associated with PurpleInk beyond the initial exploit chain, and no law enforcement actions have been publicly reported.
🔍 Detection Indicators
Known file hashes include SHA-256 f2a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0 (variant observed in 2022). Behavioral indicators include unusual outbound HTTPS traffic to api.dropbox.com or www.googleapis.com with encoded filenames, and creation of files in %AppData%\Local\Temp with random six-character names. Network IOCs include User-Agent strings such as Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 with a custom “X-Client-Data” header.
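The following is an added triage example (not code from Volexity, Boteraser or the malware authors) that applies the indicators from the Technical Capabilities and Detection Indicators sections to constructed telemetry: proxy records for the cloud-API C2 pattern, file-creation events under the temp directory, and Run-key writes. The event field names, the sample events, and two heuristics are assumptions of the example: a Run-key value is only flagged when it points into a user-writable directory, and a cloud-API request is only rated high when the originating process is not a browser, because a real Chrome instance also sends X-Client-Data to Google hosts.

```python
"""Triage of constructed endpoint and proxy telemetry for the PurpleInk
indicators described above.  Added example; every event below is
constructed and the field layout is an assumption, not vendor telemetry."""
import re
from dataclasses import dataclass

CLOUD_C2_HOSTS = {"api.dropbox.com", "www.googleapis.com"}
# User-Agent quoted in the indicators section
SUSPECT_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
# assumed expansion of %AppData%\Local\Temp on disk
TEMP_SUFFIX = r"\appdata\local\temp"
SIX_CHARS = re.compile(r"^[a-z0-9]{6}$", re.IGNORECASE)
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
# heuristic (assumption): Run-key targets in these locations deserve review
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\")


@dataclass
class Finding:
    kind: str
    detail: str


def check_proxy(ev):
    """ev: {'host', 'user_agent', 'headers': {...}, 'process'}."""
    if ev["host"] not in CLOUD_C2_HOSTS:
        return None
    headers = {k.lower() for k in ev.get("headers", {})}
    if ev.get("user_agent") != SUSPECT_UA or "x-client-data" not in headers:
        return None
    # Chrome itself sends X-Client-Data to Google properties, so the
    # originating process is the discriminator: a non-browser process
    # talking to the cloud API with this UA is the strong signal.
    proc = ev.get("process", "").lower()
    if proc in BROWSERS:
        return Finding("cloud_api_weak", f"{proc} -> {ev['host']} (review only)")
    return Finding("cloud_c2", f"{proc} -> {ev['host']} with X-Client-Data")


def check_file(ev):
    """ev: {'path'} of a newly created file."""
    path = ev["path"].lower()
    directory, _, name = path.rpartition("\\")
    if directory.endswith(TEMP_SUFFIX) and SIX_CHARS.match(name):
        return Finding("temp_dropper", ev["path"])
    return None


def check_registry(ev):
    """ev: {'key', 'value', 'data'} for a registry value write."""
    if ev["key"].lower() != RUN_KEY:
        return None
    data = ev["data"].lower()
    if any(marker in data for marker in USER_WRITABLE):
        return Finding("run_key_persistence", f"{ev['value']} = {ev['data']}")
    return None


CHECKS = {"proxy": check_proxy, "file": check_file, "registry": check_registry}


def triage(events):
    """Run every event through the check for its type; return the findings."""
    findings = []
    for ev in events:
        finding = CHECKS[ev["type"]](ev)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "proxy", "host": "api.dropbox.com", "user_agent": SUSPECT_UA,
     "headers": {"X-Client-Data": "AAAA", "Host": "api.dropbox.com"},
     "process": "onedrivesetup.exe"},
    {"type": "proxy", "host": "www.googleapis.com", "user_agent": SUSPECT_UA,
     "headers": {"X-Client-Data": "BBBB"}, "process": "chrome.exe"},
    {"type": "proxy", "host": "www.example.com", "user_agent": SUSPECT_UA,
     "headers": {"X-Client-Data": "CCCC"}, "process": "onedrivesetup.exe"},
    {"type": "file", "path": r"C:\Users\alice\AppData\Local\Temp\k7q2zx"},
    {"type": "file", "path": r"C:\Users\alice\AppData\Local\Temp\setup_log.txt"},
    {"type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDriveUpdate",
     "data": r"C:\Users\alice\AppData\Local\Temp\k7q2zx\OneDriveSetup.exe"},
    {"type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Vendor", "data": r"C:\Program Files\Vendor\agent.exe"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.kind:22} {f.detail}")
```

Of the seven constructed events, four produce findings: the non-browser request to api.dropbox.com is rated as C2, the same request from chrome.exe is downgraded to review-only, the extensionless six-character file under the temp directory is flagged, and the Run-key value pointing into AppData is flagged while the one pointing into Program Files is not. In production the user-writable heuristic and the browser list would be tuned to the environment; the discriminating signals (process of origin, temp-directory naming, persistence target) are the ones to correlate rather than the User-Agent alone.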
☠️ Risk & Impact
PurpleInk enables full system compromise, allowing data exfiltration of classified government documents, intellectual property, and personal credentials. The malware has caused significant financial and reputational damage to South Korean defense and technology sectors. Analysis by the South Korean National Intelligence Service (NIS) in 2022 estimated that over 50 targeted organizations were breached, with losses exceeding $100 million in stolen research data.
🛡️ Mitigation
Organizations should deploy EDR solutions with behavioral detection rules for cloud API misuse and block unauthorized access to Dropbox/Google Drive. Apply patches for CVE-2021-26411 and all Internet Explorer vulnerabilities, enforce application control policies to prevent DLL sideloading, and train users to identify spear-phishing lures targeting geopolitical topics.