Purple Fox Malware Campaign Deploys Rootkit and Looks for Exposed SMB Services, Research Finds

Silviu STAHIE

March 25, 2021

Security researchers have discovered a new campaign distributing malware named Purple Fox. Although it has been around for a few years, the operators now use new infection vectors and have enhanced the malware to ensure persistence and hide it from security solutions.

Purple Fox initially targeted Windows machines and old versions of Internet Explorer. In the new campaign, researchers have found, the malware tries to infect Windows machines by brute-forcing credentials over SMB.

“May of 2020 brought a significant amount of malicious activity and the number of infections that we have observed has risen by roughly 600% and amounted to a total of 90,000 attacks,” say the researchers from Guardicore Labs.

“While it appears that the functionality of Purple Fox hasn't changed much post exploitation, its spreading and distribution methods – and its worm-like behavior – are much different than described in a previously published article,” they explained.

This means the distribution of the malware is not centralized. Instead, the threat actors use already-compromised servers to deliver it. The initial analysis shows that almost 2,000 old, unpatched servers running IIS version 7.5 and Microsoft FTP are being used to host the payload.

The attackers have at least two infection vectors in their arsenal. They either send the initial payload in phishing schemes or infect Windows computers directly when those machines expose services protected by weak credentials.

One way the malware tries to stay hidden once it gains a foothold on a machine is to load the rootkit it comes with, which, surprisingly, is based on an open-source rootkit named “Hidden.” The malware reboots the system to ensure persistence, then starts probing the network for machines with port 445 open, looking for exposed SMB services to spread to.
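The worm-like spreading described above, a single infected host fanning out to many neighbours on TCP/445, is something a defender can spot in ordinary connection logs. The following is an added detection example, not code from the original article or from Guardicore; the log format, the hosts and the thresholds are constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of firewall/NetFlow-style connection records (not real data).
# Format assumed here: "<timestamp> <src_ip> -> <dst_ip>:<dst_port> <action>"
SAMPLE_LOG = """\
2021-03-25T10:00:01 10.0.0.7 -> 10.0.0.21:445 SYN
2021-03-25T10:00:01 10.0.0.7 -> 10.0.0.22:445 SYN
2021-03-25T10:00:02 10.0.0.7 -> 10.0.0.23:445 SYN
2021-03-25T10:00:02 10.0.0.7 -> 10.0.0.24:445 SYN
2021-03-25T10:00:03 10.0.0.7 -> 10.0.0.25:445 SYN
2021-03-25T10:00:03 10.0.0.7 -> 10.0.0.26:445 SYN
2021-03-25T10:00:05 10.0.0.9 -> 10.0.0.50:445 SYN
2021-03-25T10:00:06 10.0.0.9 -> 10.0.0.50:445 SYN
2021-03-25T10:30:00 10.0.0.7 -> 10.0.0.27:445 SYN
2021-03-25T10:00:07 10.0.0.9 -> 10.0.0.51:443 SYN
"""

def parse_line(line):
    """Split one record into (timestamp, src_ip, dst_ip, dst_port)."""
    ts, src, _arrow, dst, _action = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst_ip, int(dst_port)

def find_smb_scanners(log_text, min_targets=5, window=timedelta(minutes=1)):
    """Return {src_ip: distinct_target_count} for every source that reaches at
    least min_targets distinct hosts on TCP/445 inside any sliding time window.
    A legitimate client talking to one file server repeatedly is not flagged;
    a worm sweeping the subnet for exposed SMB is."""
    events = defaultdict(list)  # src_ip -> [(timestamp, dst_ip)] for port 445 only
    for line in log_text.strip().splitlines():
        ts, src, dst_ip, port = parse_line(line)
        if port == 445:
            events[src].append((ts, dst_ip))
    flagged = {}
    for src, recs in events.items():
        recs.sort()  # chronological order, so a sliding window is valid
        left = 0
        for right in range(len(recs)):
            while recs[right][0] - recs[left][0] > window:
                left += 1  # drop records that fell out of the window
            targets = {dst for _, dst in recs[left:right + 1]}
            if len(targets) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(targets))
    return flagged
```

Run against the sample, the host 10.0.0.7 is flagged for reaching six distinct machines on port 445 within a minute, while 10.0.0.9, which only talks to one SMB server, is not.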

Security researchers also published a list of indicators of compromise.
