Purple Fox malware spreading via wormable infection technique

Purple Fox is an active malware campaign targeting Windows machines which, until recently, infected its victims using exploit kits and phishing emails.

According to researchers at Guardicore Labs, there is a new infection vector of this malware where Windows machines are breached through SMB password brute force. The Purple Fox malware includes a rootkit that allows the threat actors to hide the malware and make it difficult to detect or remove from the machine.

The researchers also identified Purple Fox’s vast network of compromised servers that hosts its dropper and payloads; these appear to be compromised Microsoft IIS 7.5 servers.

How Does the Purple Fox Rootkit Spread Itself to Other Windows Machines?

Purple Fox is distributed in the form of malicious ".msi" payloads hosted on nearly 2,000 compromised Windows servers. Once run, these payloads download and execute a component with rootkit capabilities, enabling the threat actors to hide the malware and thus evade detection.

The vast majority of the servers serving the initial payload run relatively old Windows Server software, namely IIS version 7.5 and Microsoft FTP, both of which are known to have multiple vulnerabilities of varying severity.

There are several ways this campaign spreads: first, the worm payload is executed once a victim machine has been compromised via a vulnerable exposed service such as SMB; second, the worm payload spreads via email through a phishing campaign that exploits a known browser vulnerability.

Once the malware has successfully infiltrated a machine, it blocks multiple ports (445, 139 and 135) in an attempt to "prevent the infected machine from getting reinfected, and/or being exploited by a different threat actor." The next phase is propagation: the malware generates IP ranges and scans port 445, probing for devices on the network with weak passwords and brute-forcing them to build a botnet.
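As an added illustration (not code from the article or from Guardicore), the propagation pattern just described can be turned into a simple detection: flag any source that contacts many distinct hosts on port 445 within a short window with mostly failed logons. The log format, field names and thresholds below are assumptions for the example.

```python
"""Detect Purple Fox-style SMB brute-force sweeps in connection logs.

Illustrative example, not part of the original article or Guardicore's
research. Input is a constructed log in the simple form
"timestamp src dst dport outcome"; the format and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 10.0.0.5 sweeps port 445 across many hosts with failed
# SMB logons (the worm's propagation pattern); 10.0.0.9 is a normal client.
SAMPLE_LOG = """\
2021-03-24T10:00:01 10.0.0.5 10.0.1.1 445 auth_failed
2021-03-24T10:00:02 10.0.0.5 10.0.1.2 445 auth_failed
2021-03-24T10:00:03 10.0.0.5 10.0.1.3 445 auth_failed
2021-03-24T10:00:04 10.0.0.5 10.0.1.4 445 auth_failed
2021-03-24T10:00:05 10.0.0.5 10.0.1.5 445 auth_failed
2021-03-24T10:00:06 10.0.0.5 10.0.1.6 445 auth_ok
2021-03-24T10:00:07 10.0.0.9 10.0.1.20 445 auth_ok
2021-03-24T10:05:07 10.0.0.9 10.0.1.20 445 auth_ok
2021-03-24T10:00:08 10.0.0.9 10.0.1.21 443 auth_ok
"""


def parse_line(line):
    ts, src, dst, dport, outcome = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), outcome


def detect_smb_sweeps(lines, window=timedelta(minutes=5),
                      min_targets=5, min_fail_ratio=0.8):
    """Return {src: (distinct_targets, failures, attempts)} for every source
    that reached >= min_targets distinct hosts on port 445 inside one
    sliding window with a failure ratio >= min_fail_ratio."""
    events = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, dport, outcome = parse_line(line)
        if dport == 445:  # only SMB connection attempts matter here
            events[src].append((ts, dst, outcome))
    alerts = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide window
                start += 1
            win = evs[start:end + 1]
            targets = {dst for _, dst, _ in win}
            failures = sum(1 for _, _, o in win if o == "auth_failed")
            if len(targets) >= min_targets and failures / len(win) >= min_fail_ratio:
                alerts[src] = (len(targets), failures, len(win))
    return alerts


if __name__ == "__main__":
    print(detect_smb_sweeps(SAMPLE_LOG.splitlines()))
```

On real data, feed the function firewall, NetFlow or Windows logon-failure events normalised to the same five fields, and tune the window and thresholds to your network's baseline.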

How to Mitigate against Purple Fox

Botnets are often deployed by threat actors to spread all kinds of malware, including ransomware, to the infected computers, although in this case it isn't quite clear what the attackers are after.

Given that it spreads via old Windows versions, the most obvious mitigation for Purple Fox is to keep your systems regularly updated and patched. Additionally, secure your network by adding more advanced layers of security, such as anti-malware solutions that use behavior monitoring and AI to strengthen detection capabilities.