Purple Fox has incorporated a new technique into its arsenal, allowing it to spread itself across windows machines. Essentially, Purple Fox is a Windows malware. Previously, it acquired a bad name for infecting systems by leveraging phishing emails and exploit kits.
Ongoing Campaign
Purple Fox malware is now carrying out indiscriminate port scanning and exploitation of vulnerable SMB services containing weak passwords and hashes. It has achieved a new spreading technique by doing it, and it is what we are witnessing in the ongoing campaign.
Once the Purple Fox malware infects, it interrupts and blocks multiple ports, such as 445, 139, and 135. It does so to prevent the machine from being re-infected and get the system misused by a cyber threat actor. In the next stage, Purple Fox malware starts its spreading interaction by generating IP ranges as well as scanning them on port 445.
Guardicore researchers claim that attacks grew by 600% since May last year. According to the estimates, a total of 90,000 incidents have got spotted.
Guardicore Labs have also spotted a new infection vector of the Purple Fox malware. It exists whereby internet-facing Windows machines got breached via SMB (Server Message Block) password brute force. Additionally, the malware includes a rootkit, providing threat actors the capability to conceal the malware running on the given machine.
Likewise, Guardicore claims that the Purple Fox malware has not altered much post-exploitation. Still, it adopted a worm-like behavior, enabling Purple Fox to spread quite fast.
Historical Roots
Purple Fox came into the limelight for the first time in March 2018. Specifically, the malware targets Microsoft Windows machines. Meanwhile, it repurposes the undermined systems to host malicious payloads.
As indicated by Guardicore Labs, the initial malware payload got hosted in the exploited servers. Interestingly, several servers were peddling older versions of Windows Server with IIS (Internet Information Services) version 7.5. By now, Purple Fox botnet operators have hijacked by and large 2,000 servers.
Conclusion
Last spring and summer, experts observed that Purple Fox has engaged in significant malicious activity. Later on, the activity went slightly down toward the edge of the year. Nevertheless, it acquired the pace again in early 2021.
This new contaminating approach is another indication of criminal operators. They are continually revising their malware dispersion procedure to infect as many systems as possible. But at the same time, you can contact us now to build sustainable cyber resiliency with our Proactive Security Services.
References
Purple Fox evolves to show worm-like behavior.
Purple Fox malware can now propagate to other Windows machines.
Purple Fox malware aims at Windows machines with the addition of new worm capabilities.
Purple Fox is on a spreading-spree towards other Windows computers.
