Windows 10 News and info | Forum
April 12, 2021, Loading... *
Welcome, Guest. Please login or register.

Login with username, password and session length
News: This is a clean Ad-free Forum and protected by StopForumSpam, Project Honeypot, Botscout and AbuseIPDB | This forum does not use audio ads, popups, or other annoyances. New member registration currently disabled.
 
  Website   Home   Windows 8 Website GDPR Help Login Register  
By continuing to use the site or forum, you agree to the use of cookies, find out more by reading our GDPR policy.
Pages: [1]
  Print  
Share this topic on Del.icio.usShare this topic on DiggShare this topic on FacebookShare this topic on GoogleShare this topic on MySpaceShare this topic on RedditShare this topic on StumbleUponShare this topic on TechnoratiShare this topic on TwitterShare this topic on YahooShare this topic on Google buzz
Author Topic: 🔥🔥Purple Fox malware evolves to propagate across Windows machines  (Read 60 times)
javajolt
Administrator
Hero Member
*****
Offline Offline

Gender: Male
United States United States

Posts: 32395


I Do Windows


WWW Email
« on: March 24, 2021, 05:13:50 PM »
ReplyReply

The malware’s new worm capabilities have resulted in a rapidly-increasing infection rate.

An upgraded variant of Purple Fox malware with worm capabilities is being deployed in an attack campaign that is rapidly expanding.

Purple Fox, first discovered in 2018, is malware that used to rely on exploit kits and phishing emails to spread. However, a new campaign taking place over the past several weeks -- and which is ongoing -- has revealed a new propagation method leading to high infection numbers.

In a blog post on Tuesday, Guardicore Labs said that Purple Fox is now being spread through "indiscriminate port scanning and exploitation of exposed SMB services with weak passwords and hashes."

Based on Guardicore Global Sensors Network (GGSN) telemetry, Purple Fox activity began to climb in May 2020. While there was a lull between November 2020 and January 2021, the researchers say overall infection numbers have risen by roughly 600% and total attacks currently stand at 90,000.

The malware targets Microsoft Windows machines and repurposes compromised systems to host malicious payloads. Guardicore Labs says a "hodge-podge of vulnerable and exploited servers" is hosting the initial malware payload, many of which are running older versions of Windows Server with Internet Information Services (IIS) version 7.5 and Microsoft FTP.

Infection chains may begin through internet-facing services containing vulnerabilities, such as SMB, browser exploits sent via phishing, brute-force attacks, or deployment via rootkits including RIG.

As of now, close to 2,000 servers have been hijacked by Purple Fox botnet operators.

Guardicore Labs researchers say that once code execution has been achieved on a target machine, persistence is managed through the creation of a new service that loops commands and pulls Purple Fox payloads from malicious URLs.

The malware's MSI installer disguises itself as a Windows Update package with different hashes, a feature the team calls a "cheap and simple" way to avoid the malware's installers being connected to one another during investigations.

In total, three payloads are then extracted and decrypted. One tampers with Windows firewall capabilities and filters are created to block a number of ports -- potentially in a bid to stop the vulnerable server from being reinfected with other malware.

An IPv6 interface is also installed for port scanning purposes and to "maximize the efficiency of the spread over (usually unmonitored) IPv6 subnets," the team notes, before a rootkit is loaded and the target machine is restarted. Purple Fox is loaded into a system DLL for execution on boot.

Purple Fox will then generate IP ranges and begin scans on port 445 to spread.

"As the machine responds to the SMB probe that's being sent on port 445, it will try to authenticate to SMB by brute-forcing usernames and passwords or by trying to establish a null session," the researchers say.

The Trojan/rootkit installer has adopted steganography to hide local privilege escalation (LPE) binaries in past attacks.

Indicators of Compromise (IoCs) have been shared on GitHub.

source
Logged


Pages: [1]
  Print  
 
Jump to:  

Powered by SMF 1.1.21 | SMF © 2017, Simple Machines

Google visited last this page April 02, 2021, 07:18:29 PM