Perkiler Malware Used by Purple Fox for Brute Force Attacks
Perkiler is the name assigned to a strain of malware that made headlines by association with the infamous Purple Fox.
Perkiler is dropped by Purple Fox and is used for brute force attacks on Server Message Block (SMB) services on systems running outdated versions of Microsoft server products.
Purple Fox, the malware that drops Perkiler, made headlines in recent weeks by adding worm-like capabilities to its toolkit and resorting to brute force password attacks on the SMB service of Internet-connected Windows systems. This is not the first time malware has attempted to abuse SMB to infiltrate systems: the infamous WannaCry ransomware also included functionality that targeted SMB.
We covered the SMB brute force attacks in another article on Purple Fox and its resurgence, driven by the newly added worm module. However, researchers are still somewhat puzzled as to why Perkiler and the bad actors behind it chose brute force attacks, given the existence of more effective malicious tools.
Examples include EternalBlue, an exploit developed by the NSA and later leaked to the public by the Shadow Brokers hacker group. EternalBlue exploits a vulnerability in Microsoft's SMB protocol, tracked as CVE-2017-0144.
Perkiler also has a rootkit component, whose goal is to mask and hide various malicious components, including Windows registry keys and files.
The rootkit reboots the compromised system and then executes the malware. Upon running, Perkiler starts probing IP addresses on port 445. Once a system responds to the probe, Perkiler attempts to brute force its SMB credentials.
Researchers further noted that Perkiler installs an IPv6 interface on the compromised system so that it can also perform IPv6 port scanning. This allows easier spreading across IPv6 sub-networks, which tend to be less protected and poorly monitored.
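The behaviour described above (repeated SMB logon attempts from one source, over IPv4 or IPv6) leaves a clear trace in the Windows Security log as bursts of failed network logons. The script below is an added example, not code from the article or from any of the researchers it cites: it parses a constructed, simplified text export of failed-logon events (Event ID 4625 with Logon Type 3, the network logon type SMB sessions use) and flags any source address that exceeds a threshold of failures within a sliding time window. The one-line-per-event field layout, the sample addresses and the threshold are assumptions made for this example; a real deployment would read the events from the event log or a SIEM instead.

```python
"""Detect SMB brute-force attempts from Windows failed-logon (4625) events.

The log format is a constructed, simplified one-line-per-event export:
  <ISO timestamp> <EventID> LogonType=<n> Account=<name> Source=<ip> Port=<n>
Event ID 4625 = failed logon; Logon Type 3 = network logon (used by SMB).
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress


def build_sample_log():
    """Constructed sample data: one noisy IPv4 source, one noisy IPv6 source, plus benign noise."""
    base = datetime(2021, 3, 25, 10, 0, 0)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = []
    # 12 failures across three accounts from one IPv4 source within two minutes
    accounts = ["administrator", "admin", "guest"]
    for i in range(12):
        ts = (base + timedelta(seconds=10 * i)).strftime(fmt)
        lines.append(f"{ts} 4625 LogonType=3 Account={accounts[i % 3]} Source=203.0.113.7 Port=445")
    # 11 failures against one account from an IPv6 source (documentation prefix 2001:db8::/32)
    for i in range(11):
        ts = (base + timedelta(seconds=15 * i)).strftime(fmt)
        lines.append(f"{ts} 4625 LogonType=3 Account=administrator Source=2001:db8::1 Port=445")
    # Benign noise: two failures from a user's workstation, a local (type 2) failure, and a success (4624)
    lines.append("2021-03-25T10:00:05Z 4625 LogonType=3 Account=alice Source=198.51.100.5 Port=445")
    lines.append("2021-03-25T10:03:05Z 4625 LogonType=3 Account=alice Source=198.51.100.5 Port=445")
    lines.append("2021-03-25T10:01:00Z 4625 LogonType=2 Account=bob Source=127.0.0.1 Port=0")
    lines.append("2021-03-25T10:01:30Z 4624 LogonType=3 Account=alice Source=198.51.100.5 Port=445")
    return "\n".join(lines)


def parse_events(text):
    """Return [(timestamp, source_ip, account)] for failed network logons only."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, *fields = line.split()
        if event_id != "4625":          # keep failed logons only
            continue
        kv = dict(f.split("=", 1) for f in fields)
        if kv.get("LogonType") != "3":  # keep network logons only (SMB, not console/RDP)
            continue
        src = ipaddress.ip_address(kv["Source"])  # accepts both IPv4 and IPv6 literals
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append((when, src, kv["Account"]))
    return events


def detect_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Return {source_ip: (max_failures_in_window, distinct_accounts)} for sources
    with at least `threshold` failures inside any `window`-long interval."""
    by_src = defaultdict(list)
    for when, src, account in events:
        by_src[src].append((when, account))

    alerts = {}
    for src, items in by_src.items():
        items.sort()
        peak, start = 0, 0
        # Sliding window over the sorted timestamps of this source's failures
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[str(src)] = (peak, {account for _, account in items})
    return alerts


if __name__ == "__main__":
    for src, (count, accounts) in detect_bruteforce(parse_events(build_sample_log())).items():
        print(f"ALERT {src}: {count} failed SMB logons in 5 min, accounts tried: {sorted(accounts)}")
```

The IPv6 source is flagged exactly like the IPv4 one, which is the point the researchers make about IPv6 sub-networks: the detection logic costs nothing extra, but only if IPv6 traffic is actually being logged and fed into it. The two failures from the workstation stay below the threshold and produce no alert; the threshold and window should be tuned to the environment's normal failure rate.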
The suggestions security researchers offer for avoiding similar brute force attacks include simply getting rid of SMB and, if that proves impossible, at the very least running the SMB service behind a VPN protected by multi-factor authentication.