Purple Fox malware can now spread between Windows devices

The rootkit has added self-propagating capabilities to its arsenal, with roughly 90,000 attacks already observed

A nasty malware strain affecting Windows machines, known as Purple Fox, has developed worm-like functionality that allows it to spread between devices on an automated basis. 

Purple Fox was first documented in March 2018 as a malware strain that infected devices through exploit kits targeting Internet Explorer and through phishing emails.

Researchers with Guardicore, however, have identified new worm-like capabilities in Purple Fox that allow it to self-propagate, spreading its rootkit from one compromised machine to the next without operator involvement.

The new campaign distributing Purple Fox, which has been running since the end of 2020, relies on a novel spreading technique that combines indiscriminate port scanning with the exploitation of server message block (SMB) services protected by weak passwords.

To date, Guardicore’s researchers have identified 90,000 attacks, which amounts to a roughly 600% rise in the total number of infections since May 2020. 

“While it appears that the functionality of Purple Fox hasn’t changed much post-exploitation, its spreading and distribution methods – and its worm-like behaviour – are much different than described in previously published articles,” said researcher Amit Serper. 

“Throughout our research, we have observed an infrastructure that appears to be made out of a hodge-podge of vulnerable and exploited servers hosting the initial payload of the malware, infected machines which are serving as nodes of those constantly worming campaigns, and server infrastructure that appears to be related to other malware campaigns.”

Purple Fox operates from a large network of compromised servers that host its dropper and payload, the researchers also learned. The vast majority of the servers serving the initial payload run relatively old versions of Windows Server with IIS 7.5 and Microsoft FTP, both of which have multiple known vulnerabilities.

According to the findings, the worming begins once a victim's machine has been compromised, either through an exposed vulnerable service such as SMB, or through a phishing email carrying a payload that exploits a browser vulnerability.

Once a machine is infected, the malware blocks several ports in order to prevent the infected machine from being reinfected or exploited by another malware strain.


Purple Fox then generates IP ranges and scans them on port 445, probing for exposed SMB services with weak passwords and brute-forcing them to pull further devices into the botnet.
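The scan-then-brute-force behaviour described above leaves two traces a defender can look for in ordinary telemetry: one internal host fanning out to many peers on TCP/445 in a short time, and a burst of failed network logons (Windows Security event 4625, logon type 3) arriving from that same host. The script below is an added example written for this article, not Guardicore's or NHS Digital's code. The log lines it processes are constructed, simplified key=value records rather than the output of any particular firewall or SIEM, and the window and threshold values are assumptions to be tuned for a given network.

```python
"""Spot Purple Fox-style SMB worming from connection and logon logs.

Added example for this article (not Guardicore's or NHS Digital's code).
Two signals are checked: a host fanning out to many peers on TCP/445,
and a burst of failed network logons (event 4625, logon type 3) from
that same host. Log lines are constructed, simplified key=value records
and the thresholds are assumptions to tune locally.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

T0 = datetime(2021, 3, 2, 9, 0, 0)


def _stamp(seconds):
    return (T0 + timedelta(seconds=seconds)).isoformat()


def constructed_conn_log():
    """Constructed firewall/NetFlow-style lines: one benign file-server
    client, one host sweeping 10.0.1.0/24 on 445, some unrelated HTTPS."""
    lines = [f"{_stamp(i * 10)} src=10.0.0.9 dst=10.0.1.5 dport=445"
             for i in range(15)]                      # benign: same server repeatedly
    lines += [f"{_stamp(i)} src=10.0.0.23 dst=10.0.1.{i} dport=445"
              for i in range(1, 61)]                  # worm: 60 hosts in 60 seconds
    lines += [f"{_stamp(i)} src=10.0.0.23 dst=203.0.113.10 dport=443"
              for i in range(3)]                      # ignored: not SMB
    return lines


def constructed_security_log():
    """Constructed Windows Security-style lines for event 4625."""
    lines = [f"{_stamp(70 + i)} event=4625 logon_type=3 ip=10.0.0.23 target=Administrator"
             for i in range(25)]                      # credential brute force
    lines += [f"{_stamp(5)} event=4625 logon_type=3 ip=10.0.0.9 target=alice",
              f"{_stamp(9)} event=4625 logon_type=3 ip=10.0.0.9 target=alice",   # mistyped password
              f"{_stamp(30)} event=4625 logon_type=2 ip=10.0.0.40 target=bob"]   # interactive, ignored
    return lines


def parse(line):
    """'<iso timestamp> k=v k=v ...' -> dict with a parsed 'ts' field."""
    ts, *kvs = line.split()
    rec = dict(kv.split("=", 1) for kv in kvs)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def peak_in_window(events, window, distinct=True):
    """events: iterable of (ts, key). Slide a window of length `window`
    over them and return the largest number of distinct keys (or of raw
    events when distinct=False) that fall inside any single window."""
    events = sorted(events)
    counts, lo, best = Counter(), 0, 0
    for hi, (ts, key) in enumerate(events):
        counts[key] += 1
        while ts - events[lo][0] > window:        # expire events that fell out of the window
            old = events[lo][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            lo += 1
        best = max(best, len(counts) if distinct else hi - lo + 1)
    return best


def detect_smb_fanout(conn_lines, window=timedelta(minutes=5), min_targets=20):
    """Sources that reached at least min_targets distinct hosts on 445 within one window."""
    by_src = defaultdict(list)
    for r in map(parse, conn_lines):
        if r.get("dport") == "445":
            by_src[r["src"]].append((r["ts"], r["dst"]))
    return {src: n for src, ev in by_src.items()
            if (n := peak_in_window(ev, window)) >= min_targets}


def detect_logon_bruteforce(sec_lines, window=timedelta(minutes=5), min_failures=10):
    """Source IPs with at least min_failures type-3 logon failures within one window."""
    by_ip = defaultdict(list)
    for r in map(parse, sec_lines):
        if r.get("event") == "4625" and r.get("logon_type") == "3":
            by_ip[r["ip"]].append((r["ts"], r["target"]))
    return {ip: n for ip, ev in by_ip.items()
            if (n := peak_in_window(ev, window, distinct=False)) >= min_failures}


if __name__ == "__main__":
    scanners = detect_smb_fanout(constructed_conn_log())
    brute = detect_logon_bruteforce(constructed_security_log())
    for host in scanners.keys() & brute.keys():
        print(f"{host}: {scanners[host]} SMB targets and {brute[host]} failed logons "
              f"within 5 minutes; likely SMB worm, isolate and investigate")
```

Either signal on its own produces false positives (vulnerability scanners and backup servers also touch many hosts on 445; a stale service account generates steady 4625 noise), which is why the script reports only hosts that trip both checks. On the constructed data, 10.0.0.23 is flagged with 60 distinct SMB targets and 25 failed logons, while the ordinary client 10.0.0.9 is not.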

Purple Fox has also been on the NHS' radar, with NHS Digital warning about its capabilities for months. In October 2020 it alerted healthcare organisations to the malware's exploitation of privilege escalation vulnerabilities, and more recently it issued a warning about the malware's use of SMB brute-force attacks to propagate automatically.

To prevent infection, NHS Digital advises that secure configurations are applied to all devices and that security updates are installed as soon as they become available. Organisations should also enable tamper protection in security products where it is offered.

Users, furthermore, should apply multi-factor authentication (MFA) and account lockout policies where practicable, and administrative accounts should be restricted to strictly necessary purposes.
