Purple Fox, a Windows malware that spreads through exploit kits and phishing emails, has added a new approach to its arsenal that allows it to spread like a worm. In the current malicious campaign, the novel spreading method is indiscriminate port scanning and exploitation of exposed SMB services protected by weak passwords and hashes.
The attacks have increased by about 600 percent since May 2020, according to Guardicore researchers. A total of 90,000 occurrences have been reported since then.
Working Mechanism
Purple Fox, which was first discovered in March 2018, is spreading via malicious “.msi” payloads hosted on nearly 2,000 compromised Windows servers, which download and execute a component with rootkit capabilities, allowing threat actors to hide the malware on the system and evade detection.
Purple Fox's post-exploitation behaviour hasn't changed much, according to the researchers, but its worm-like behaviour has changed, allowing the malware to spread more quickly.
The malware accomplishes this by infiltrating a victim machine through a vulnerable, exposed service like Server Message Block (SMB), leveraging the initial foothold to create persistence, pull the payload from a network of Windows servers, and install the rootkit stealthily on the host.
Once the targeted systems are infected, the malware blocks multiple ports (445, 139, and 135) to prevent the infected machine from being re-infected or exploited by another threat actor.
In the next phase, Purple Fox begins its propagation process by generating IP ranges and scanning them on port 445, using the probes to identify Internet-exposed devices with weak passwords, then brute-forcing their credentials and adding them to the botnet.
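The scanning stage described above is visible from the network side: an infected host suddenly contacts many distinct addresses on TCP/445. The following is an added detection example, not code from the article or from Guardicore; it runs over constructed flow records, and the record layout, the 60-second window and the 20-target threshold are assumptions chosen for illustration.

```python
# Added example: flag internal hosts that behave like Purple Fox's spreading
# stage, i.e. many outbound connection attempts to TCP/445 across a wide set
# of destinations in a short window. Log layout and thresholds are assumed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records: "timestamp src_ip dst_ip dst_port" (assumed layout).
SAMPLE_FLOWS = [
    f"2021-03-23T10:00:{sec:02d} 10.0.0.5 203.0.113.{host} 445"
    for sec, host in enumerate(range(10, 40))   # 30 destinations in 30 seconds
] + [
    "2021-03-23T10:00:05 10.0.0.7 10.0.0.20 445",   # workstation to its file server
    "2021-03-23T10:00:06 10.0.0.7 10.0.0.20 445",
    "2021-03-23T10:00:07 10.0.0.9 198.51.100.4 443",  # unrelated HTTPS traffic
]


def parse_flow(line):
    """Split one constructed flow record into (timestamp, src, dst, dst_port)."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def find_smb_scanners(lines, window=timedelta(seconds=60), min_targets=20, port=445):
    """Return {src_ip: distinct_target_count} for every source that contacts at
    least `min_targets` distinct hosts on `port` within any sliding `window`.
    A host talking repeatedly to one file server is not flagged."""
    per_src = defaultdict(list)
    for line in lines:
        ts, src, dst, dport = parse_flow(line)
        if dport == port:
            per_src[src].append((ts, dst))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it covers at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(targets))
    return flagged


if __name__ == "__main__":
    for src, count in find_smb_scanners(SAMPLE_FLOWS).items():
        print(f"possible SMB scanner: {src} reached {count} hosts on 445")
```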
Malware Utility
Botnets are typically used by hackers to launch Denial-of-Service attacks against websites in order to take them offline, but they can also be used to spread malware on infected computers, including file-encrypting ransomware.
This new campaign shows that attackers are constantly retooling their malware distribution mechanisms in order to infect as many computers as possible.