May 29, 2023

An upgraded variant of Purple Fox malware with worm capabilities is being deployed in an attack campaign that is rapidly expanding.Purple Fox is now being spread through “indiscriminate port scanning and exploitation of exposed SMB services with weak passwords and hashes.”

The malware targets Microsoft Windows machines and repurposes compromised systems to host malicious payloads. A “hodge-podge of vulnerable and exploited servers” is hosting the initial malware payload, many of which are running older versions of Windows Server with Internet Information Services (IIS) version 7.5 and Microsoft FTP.

Infection chains may begin through internet-facing services containing vulnerabilities, such as SMB, browser exploits sent via phishing, brute-force attacks, or deployment via rootkits including RIG.Persistence is managed through the creation of a new service that loops commands and pulls Purple Fox payloads from malicious URLs.

The malware’s MSI installer disguises itself as a Windows Update package with different hashes, a feature the team calls a “cheap and simple” way to avoid the malware’s installers being connected to one another during investigations.

Three payloads are then extracted and decrypted. One tampers with Windows firewall capabilities and filters are created to block a number of ports potentially in a bid to stop the vulnerable server from being reinfected with other malware.

An IPv6 interface is also installed for port scanning purposes and to “maximize the efficiency of the spread over IPv6 subnets,” the team notes, before a rootkit is loaded and the target machine is restarted. Purple Fox is loaded into a system DLL for execution on boot.

Purple Fox will then generate IP ranges and begin scans on port 445 to spread. As the machine responds to the SMB probe that’s being sent on port 445, it will try to authenticate to SMB by brute-forcing usernames and passwords or by trying to establish a null session. The Trojan/rootkit installer has adopted steganography to hide local privilege escalation binaries in past attacks.

Tags:

1 thought on “PurpleFox 2.0

  1. Pingback: Purple Fox Spreads via Fake Telegram App - TheCyberThrone

Leave a Reply

You may have missed

CrowdStrike strategy dominates MDR Market

CrowdStrike strategy dominates MDR Market

May 28, 2023
TheCyberThrone Security Week In Review–May 27, 2023

TheCyberThrone Security Week In Review–May 27, 2023

May 28, 2023
Zyxel Patches Critical Buffer Overflow Vulnerability

Zyxel Patches Critical Buffer Overflow Vulnerability

May 27, 2023
Apria Data Breach affects 2 million customers

Apria Data Breach affects 2 million customers

May 27, 2023
CosmicEnergy Malware Shutting Electric grid

CosmicEnergy Malware Shutting Electric grid

May 27, 2023
Operation Magalenha from Brazil

Operation Magalenha from Brazil

May 27, 2023
%d bloggers like this: