A new threat has surfaced online for Windows users. Researchers have discovered Purple Fox malware campaigns in the wild demonstrating a new strategy. As observed, Purple Fox malware now exhibits wormable behaviour to scan for vulnerable systems.
Purple Fox Windows Malware
Researchers from Guardicore Labs have shared details about the Purple Fox malware targeting Windows systems in recent campaigns. As elaborated in their report, Purple Fox now leverages a worm to scan for vulnerable internet-exposed systems.
Specifically, the new variant adds a module that indiscriminately scans ports to find vulnerable Windows systems to compromise. It typically infects systems by brute-forcing SMB passwords.
As observed, after infecting vulnerable machines, the malware begins using them to host malicious payloads. Presently, Purple Fox malware has compromised roughly 2000 servers.
Apart from scanning for weak SMB, the malware also infects devices via phishing and exploiting web browser vulnerabilities.
Upon infecting a device, the malware deploys a hidden open-source rootkit (one originally written for legitimate security research). This rootkit hides various registry keys and values to avoid raising suspicion. The malware then prompts the user to restart the device, after which it renames its malicious DLL to match a legitimate system DLL that executes on boot.
Once this is done, the malware uses the infected system to scan for more vulnerable devices and expand its botnet.
Technical details about the malware are available in Guardicore’s report.
Malware Active For Years
The recent Purple Fox campaign relates only to the latest wormable variant; the Windows malware itself has been around since 2018 and has targeted numerous systems.
Initial variants of Purple Fox already possessed backdoor and rootkit capabilities. In 2018, this malware infected thousands of devices in its campaign. It then went under the radar for some time, ultimately reappearing in 2020.
In the latest campaign, Purple Fox has conducted 600% more infections and attacked at least 90,000 devices since May 2020.