Purple Fox Malware Adds Worm Capabilities in New Campaign

Purple Fox is a strain of malware that has been around for a few years now. However, security researchers have reported a new uptick in activity and infections with Purple Fox, largely driven by a new expansion of the malware's toolkit and the addition of worm functionality to the package.

Researchers working with Guardicore published a new report on Purple Fox. The report outlines that while the malware was previously using phishing emails and exploit kits as its primary means of propagation, it has now added worm-like capabilities.

The new infection vector of Purple Fox includes attacking Windows machines with an active connection to the Internet and brute-forcing server message block passwords.

New Surge in Purple Fox Attacks

This new means of infiltrating new machines was spotted only recently, in what appears to be a new campaign to spread Purple Fox. Following a brief drop in Purple Fox attacks in the tail-end of 2020 and the first month of 2021, attacks have jumped 600% and the total stands at a staggering 90,000.

A majority of the malware's network of compromised servers consists of outdated versions of Microsoft Server with IIS 7.5, as well as Microsoft FTP. Both of those products, at the version exploited by the malware, have known vulnerabilities that the report describes as having "varying severity levels".

Purple Fox, once deployed on a target system and having achieved code execution capabilities, establishes persistence through a new service which runs a 'for' loop, hitting a pool of URLs that installs the final payload.

The real payload comes packaged as a fake Windows update MSI installer. Guardicore pointed out that the installers have different hashes, which is a quick and dirty attempt to confuse anyone examining similar attacks and trying to link them to the same campaign or source.

The addition of self-propagation techniques to malware that was originally without them is not something new or revolutionary. Even Ryuk - one of the most infamous ransomware families, got updated with worm-like self-propagation capabilities, as reported by researchers in early 2021.

Similar to Purple Fox, Ryuk also spreads using server message block network shares and port scanning.

March 25, 2021

Leave a Reply