Purple Fox, a Windows malware that infects computers by using exploit kits and phishing emails, has now added a new technique to its arsenal which gives it worm-like propagation capabilities.
In the ongoing campaign, a novel spreading technique is used by indiscriminate port scanning and exploitation of exposed SMB services with weak passwords and hashes.
According to Guardicore researchers, the attacks have spiked by about 600% since May 2020. Since then, a total of 90,000 incidents have been spotted.
Purple Fox which was first spotted in March 2018, is distributed in the form of malicious “.msi” payloads hosted on nearly 2,000 compromised Windows servers that, in turn, download and execute a component with rootkit capabilities, which enables the threat actors to hide the malware on the machine and make it easy to evade detection.
The researchers stated that Purple Fox hasn’t changed much post-exploitation, but there has been a change in its worm-like behavior, that lets the malware to spread more rapidly.
The malware does this by breaking into a victim machine through a vulnerable, exposed service such as server message block (SMB), leveraging the initial foothold to establish persistence, pull the payload from a network of Windows servers, and stealthily install the rootkit on the host.
Once infected, the malware blocks multiple ports (445, 139, and 135), to prevent the infected machine from being reinfected, and/or to be exploited by a different threat actor.
In the next phase, Purple Fox commences its propagation process by generating IP ranges and scanning them on port 445, using the probes to single out vulnerable devices on the Internet with weak passwords and brute-forcing them to ensnare the machines into a botnet.
Botnets are usually used by attackers to launch denial-of-network attacks against websites in order to take them offline, but they can also be used to spread all kinds of malware, including file-encrypting ransomware, on the infected computers.
This new infection is an indication that the threat actors are continuously retooling their malware distribution mechanism to compromise more machines as possible.