Malware Purple Fox was updated and received a self-propagation mechanism

Guardicore Labs discovered that the Purple Fox malware, which has rootkit and backdoor capabilities, has been updated and can now spread to accessible Windows machines like a worm.

This malware was first detected in 2018, after infecting 30,000 devices. It is most commonly used as a downloader for deploying other malware. In the past, Purple Fox has also targeted Windows systems and typically infected machines through browsers after exploiting memory corruption and privilege escalation vulnerabilities.

According to Guardicore Labs, since May 2020, Purple Fox attacks have increased significantly, reaching 90,000 in early 2021, that is, by 600% more infections.

Malware Purple Fox updated

Active port scanning and attack attempts began late last year. What is worse, now a vulnerable Windows system has been discovered. It is accessible over the Internet, and a worm module, which was recently added to Purple Fox and which is responsible for brute-force passwords from SMB, is activated. Despite the appearance of this module, the malware still uses phishing campaigns and browser vulnerabilities to spread.

Before restarting infected devices, Purple Fox installs an open-source rootkit hidden on them to hide deleted files, as well as folders and Windows registry entries created on infected systems.

“Then, after deploying the rootkit and rebooting the device, the malware renames its payload DLL to match the Windows system DLL and configures it to run on system startup”, – Guardicore Labs researchers say.

Subsequently, when the malware is launched at system startup, the infected machine acts like a worm, constantly scanning the Internet for other targets, trying to compromise them and add them to the botnet.

Malware Purple Fox updated

Currently, Purple Fox has deployed its droppers and add-on modules to 2000 compromised servers, including Windows Server-based machines running IIS version 7.5 and Microsoft FTP, as well as servers running Microsoft RPC, Microsoft Server SQL Server 2008 R2, Microsoft HTTPAPI httpd 2.0, as well as Microsoft Terminal Service.

“During our research, we found an infrastructure that appears to be a jumble of vulnerable and exploited servers hosting payloads of malware, infected machines that host ever-expanding campaigns, and server infrastructure that appears to be linked to other malware. campaigns”, — the researchers write.

Let me remind you that I also talked about the interesting ZHtrap malware that turns infected devices into traps to search for new victims.

William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and several month after I have got a virus on this PC. I decided to enter the INSA Centre Val de Loire university after being graduated from the school. This French educational institution was offering a brand-new cybersecurity course. After getting the master degree in cybersecurity, I've started working in as virus analyst in a little anti-malware vendor. In 2018, I've decided to start Virus Removal project. The main target of this site is to help people to deal with PC viruses of any kind.

Leave a Reply

Your email address will not be published. Required fields are marked *


Back to top button