Purple Fox malware can now spread between Windows devices

The rootkit has added self-propagating capabilities to its arsenal, with roughly 90,000 attacks observed so far

A nasty malware strain affecting Windows machines, known as Purple Fox, has developed worm-like functionality that lets it spread between devices automatically, without any user interaction.

Purple Fox was first discovered in March 2018 as a malware strain that reached devices through exploit kits targeting Internet Explorer and through phishing emails.

Researchers with Guardicore, however, have identified new worm-like capabilities in Purple Fox that allow it to spread its rootkit to other machines on its own.

The new campaign distributing Purple Fox, which has been running since the end of 2020, is based on a novel spreading technique combining indiscriminate port scanning and the exploitation of server message block (SMB) services with weak passwords.

To date, Guardicore’s researchers have identified 90,000 attacks, which amounts to a roughly 600% rise in the total number of infections since May 2020. 

“While it appears that the functionality of Purple Fox hasn’t changed much post-exploitation, its spreading and distribution methods – and its worm-like behaviour – are much different than described in previously published articles,” said researcher Amit Serper. 

“Throughout our research, we have observed an infrastructure that appears to be made out of a hodge-podge of vulnerable and exploited servers hosting the initial payload of the malware, infected machines which are serving as nodes of those constantly worming campaigns, and server infrastructure that appears to be related to other malware campaigns.”

Purple Fox operates from a vast network of compromised servers that host its dropper and payload, the researchers also found. The vast majority of those serving the initial payload run relatively old versions of Windows Server with IIS 7.5 and Microsoft FTP, both of which have multiple known vulnerabilities. IIS 7.5 is the version that ships with Windows Server 2008 R2, which left extended support in January 2020, so these hosts are unlikely to be receiving security fixes at all.

According to the findings, the worming campaign can begin once a victim's machine has been compromised, either through an exposed service such as SMB or through a phishing email carrying a payload that exploits a browser vulnerability.

Once a machine is infected, the malware blocks several ports to prevent the infected machine from being reinfected or exploited by another malware strain. This has a useful side effect for defenders: a host that suddenly stops answering on ports it previously served is worth a closer look.


Purple Fox then generates IP ranges and scans them on port 445, probing for SMB services that accept weak passwords, brute-forcing those logons and installing itself on each newly compromised host, which joins the botnet and starts scanning in turn.
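The two behaviours described above (indiscriminate scanning of generated IP ranges on TCP 445, followed by SMB password brute force) are what a detection engineer would look for in flow and logon logs. The following is an added example, not code from the article or from Guardicore: it runs two sliding-window heuristics over constructed log lines (the log formats, addresses and thresholds are assumptions for the example) and reports sources that show both behaviours, since either one alone is noisier than the combination.

```python
"""Detect Purple Fox-style worm behaviour in flow and SMB logon logs.

Added example, not code from the article or from Guardicore. It encodes the
two behaviours the article describes: a host fanning out to many neighbours
on TCP/445 (scanning of generated IP ranges) and many failed SMB logons from
that host (password brute force). Log formats, addresses and thresholds
below are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2021, 3, 23, 10, 0, 0)


def _ts(seconds):
    """Timestamp helper for the constructed logs (UTC, second resolution)."""
    return (BASE + timedelta(seconds=seconds)).isoformat() + "Z"


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


# Constructed flow log: "<ts> <src> <dst> <dport>", one line per new TCP connection.
FLOW_LOG = (
    # worm-like host: one connection to each of 30 neighbouring addresses on 445
    [f"{_ts(i)} 10.0.0.5 10.0.1.{i + 1} 445" for i in range(30)]
    # ordinary workstation: repeated SMB to one file server plus some HTTPS
    + [f"{_ts(5 * i)} 10.0.0.9 10.0.1.50 445" for i in range(6)]
    + [f"{_ts(7 * i)} 10.0.0.9 203.0.113.10 443" for i in range(4)]
)

# Constructed SMB logon log: "<ts> <src> <target> <user> <FAIL|OK>".
AUTH_LOG = (
    # brute force: 12 failures cycling common account names, then a success
    [f"{_ts(40 + i)} 10.0.0.5 10.0.1.7 {u} FAIL"
     for i, u in enumerate(["administrator", "admin", "guest"] * 4)]
    + [f"{_ts(52)} 10.0.0.5 10.0.1.7 administrator OK"]
    # a user mistyping a password twice is not brute force
    + [f"{_ts(10)} 10.0.0.9 10.0.1.50 alice FAIL",
       f"{_ts(15)} 10.0.0.9 10.0.1.50 alice FAIL",
       f"{_ts(20)} 10.0.0.9 10.0.1.50 alice OK"]
)


def detect_port445_fanout(flow_lines, window=timedelta(seconds=60), threshold=20):
    """Return {src: distinct_dst_count} for sources that reach >= threshold
    distinct hosts on port 445 inside any window-long interval."""
    by_src = defaultdict(list)
    for line in flow_lines:
        ts, src, dst, dport = line.split()
        if dport == "445":
            by_src[src].append((parse_ts(ts), dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        best = 0
        for i, (start, _) in enumerate(events):
            seen = {dst for t, dst in events[i:] if t - start <= window}
            best = max(best, len(seen))
        if best >= threshold:
            flagged[src] = best
    return flagged


def detect_smb_bruteforce(auth_lines, window=timedelta(seconds=60), threshold=10):
    """Return {(src, target): failure_count} for pairs with >= threshold failed
    logons inside any window-long interval (sliding window over sorted times)."""
    fails = defaultdict(list)
    for line in auth_lines:
        ts, src, target, _user, result = line.split()
        if result == "FAIL":
            fails[(src, target)].append(parse_ts(ts))
    flagged = {}
    for key, times in fails.items():
        times.sort()
        best, j = 0, 0
        for i, t in enumerate(times):
            while t - times[j] > window:
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            flagged[key] = best
    return flagged


def worm_candidates(flow_lines, auth_lines):
    """Sources showing both behaviours: scanning plus brute force from the same
    host is the worm signature; a vulnerability scanner or a forgetful user
    usually triggers only one of the two."""
    scanners = detect_port445_fanout(flow_lines)
    brute = {src for src, _target in detect_smb_bruteforce(auth_lines)}
    return sorted(set(scanners) & brute)


if __name__ == "__main__":
    print("port-445 fan-out:", detect_port445_fanout(FLOW_LOG))
    print("SMB brute force:", detect_smb_bruteforce(AUTH_LOG))
    print("worm candidates:", worm_candidates(FLOW_LOG, AUTH_LOG))
```

On real data the flow lines would come from a firewall or NetFlow export and the logon lines from Windows Security event 4625 (failed logon) with the source address field; the thresholds are deliberately conservative and should be tuned against a baseline of legitimate file-server and vulnerability-scanner traffic before alerting on them.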

Purple Fox has also been on the NHS' radar, with NHS Digital warning about its capabilities for months. In October 2020, for example, it warned healthcare organisations about the malware's exploitation of privilege escalation vulnerabilities, and it has more recently issued a warning about its use of SMB brute-force attacks to propagate automatically.

To prevent infection, NHS Digital advises that secure configurations are applied to all devices and that security updates are installed as soon as they are available. Organisations should also enable tamper protection in security products where it is offered.

Organisations should furthermore apply multi-factor authentication (MFA) and account lockout policies where practicable, and restrict administrative accounts to strictly necessary purposes. Since the worm's automated entry point is an SMB logon with a guessable password, blocking inbound TCP 445 at the perimeter, and between workstations that have no reason to share files, removes that vector entirely.
