According to researchers, Purple Fox malware attacks intensified significantly, and it has launched a total of 90,000 attacks since May 2020.
First detected in 2018, the Purple Fox malware was distributed via phishing emails and exploit kits. At the time, it managed to infect around 30,000 devices. Previously it could deploy other malware strains and was primarily used as a downloader.
As per the latest Guardicore Labs report, this malware has resurfaced with a worm module that lets it scan and infect internet-connected Windows systems. Hence the infection spreads from computer to computer.
According to researchers, the malware now exploits memory-corruption and privilege-elevation flaws to infect systems via web browsers. Apart from rootkit and backdoor capabilities, the new version uses SMB brute-forcing to infect systems.
How Does Purple Fox Malware Target Systems?
Purple Fox malware breaks into a machine via a vulnerable or exposed Server Message Block (SMB) service, or another similarly exposed service, to gain an initial foothold and persistence. It then pulls the payload from a network of Windows servers and quietly installs the rootkit.
After establishing the infection, it blocks multiple ports, including 445, 139, and 135, to prevent the machine from being exploited by another attacker or re-infected. Once this is done, it initiates the propagation process by generating IP ranges and scanning them on port 445.
It uses this probing to single out vulnerable devices on the internet, such as those with weak passwords, and, using brute force, pulls them into a botnet. It is not yet clear whether the attackers intend to use the botnet for DoS attacks.
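The propagation phase described above has a distinctive network signature: one host contacting many distinct addresses on TCP/445 in a short time, which a normal SMB client (reconnecting to the same few file servers) does not do. The following is an added detection example, not code from the Guardicore report or this article; the log format, the sample records and the threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed connection records (not from the Guardicore report):
# "ISO-timestamp src dst dport", as a flow log or host firewall might emit.
SAMPLE_LOG = (
    # one host sweeping 25 distinct addresses on TCP/445 inside a minute
    [f"2021-03-23T10:00:{i:02d} 10.0.0.5 198.51.100.{i + 1} 445" for i in range(25)]
    # a normal client talking to its single file server on TCP/445
    + [f"2021-03-23T10:00:{i:02d} 10.0.0.7 10.0.0.10 445" for i in range(25)]
    # a host fanning out over HTTPS, which is not SMB and should not fire
    + [f"2021-03-23T10:00:{i:02d} 10.0.0.8 203.0.113.{i + 1} 443" for i in range(25)]
)

SMB_PORT = 445


def parse_record(line):
    """Split one record into (timestamp, src, dst, dport); return None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])
    except ValueError:
        return None


def find_smb_sweepers(lines, threshold=20):
    """Return {src: distinct_targets} for sources that contacted more than
    `threshold` distinct destinations on TCP/445 within any single minute.
    A worm that generates IP ranges and probes port 445 fans out to many
    hosts quickly; a legitimate client keeps hitting the same few servers."""
    targets = defaultdict(set)  # (src, minute bucket) -> set of dst addresses
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        ts, src, dst, dport = rec
        if dport != SMB_PORT:
            continue
        minute = ts.replace(second=0, microsecond=0)
        targets[(src, minute)].add(dst)
    hits = {}
    for (src, _minute), dsts in targets.items():
        if len(dsts) > threshold:
            hits[src] = max(hits.get(src, 0), len(dsts))
    return hits


if __name__ == "__main__":
    for src, n in find_smb_sweepers(SAMPLE_LOG).items():
        print(f"{src}: {n} distinct hosts on TCP/445 in one minute, possible SMB worm sweep")
```

Tune the threshold to the site's baseline; a host that also starts blocking inbound 445/139/135 after such a sweep matches the post-infection behaviour described above and is worth isolating.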
90,000 Attacks so far!
According to Ophir Harpaz and Amit Serper, security researchers at Guardicore Labs, the malware's attacks have intensified significantly since May 2020, reaching a total of 90,000 attacks, a 600% increase in infections. Although this is not the first time Purple Fox malware has targeted Windows-based systems, the attack intensity is far greater than before.
The Functionality Hasn’t Changed Much
According to Guardicore VP Amit Serper, Purple Fox's functionality hasn't changed much. Its spreading and distribution methods are the same as before, but the worm-like behavior is new. Researchers noted that its latest infrastructure appears to be a mixture of vulnerable or exploited servers hosting the payload, infected machines acting as worming nodes, and servers linked to other malware campaigns.
“Throughout our research, we have observed an infrastructure that appears to be made out of a hodge-podge of vulnerable and exploited servers hosting the initial payload of the malware, infected machines which are serving as nodes of those constantly worming campaigns, and server infrastructure that appears to be related to other malware campaigns,” Serper explained in a blog post.
The attackers are reportedly hosting several MSI packages on around 2,000 servers, most of them compromised machines repurposed to host malicious payloads.