Purple Fox is Raiding the Hen House Again

8820016295?profile=RESIZE_400xPurple Fox is the name of a malware downloader, a malicious program that proliferates other programs of this type.  This malware is used to infect systems with cryptocurrency mining programs.  Purple Fox can cause serious damage and must be uninstalled immediately.  An example of malware that could be installed through Purple Fox is ransomware.  These programs encrypt files and prevent victims from accessing them unless ransoms are paid or confidential information is disclosed and offered for sale.

The malware’s new worm capabilities have resulted in a rapidly increasing infection rate.  An upgraded variant of Purple Fox malware with worm capabilities is being deployed in an attack campaign that is rapidly expanding.  Purple Fox was first discovered in 2018 and is malware that used to rely on exploit kits and phishing emails to spread.  But a recent campaign has revealed a new dissemination method leading to high infection numbers.

In a March 2021 blog post, Guardicore Labs reported Purple Fox is now being spread through "indiscriminate port scanning and exploitation of exposed SMB services with weak passwords and hashes."   Purple Fox is said to begin its current trend in May 2020.  While there was a lull between November 2020 and January 2021, the researchers say overall infection numbers have risen by roughly 600% and total attacks currently stand at 90,000.[1]

Purple Fox targets Microsoft Windows machines and repurposes compromised systems to host malicious payloads.  Researchers explain a "hodge-podge of vulnerable and exploited servers" is hosting the initial malware payload, many of which are running older versions of Windows Server with Internet Information Services (IIS) version 7.5 and Microsoft FTP.  Infection chains may begin through Internet-facing services containing vulnerabilities, such as SMB, browser exploits sent via phishing, brute-force attacks, or deployment via rootkits including RIG.

As of April 2021, nearly 2,000 servers have been hijacked by Purple Fox botnet operators.  Researchers state that once code execution has been achieved on a target machine, persistence is managed through the creation of a new service that loops commands and pulls Purple Fox payloads from malicious URLs.  The malware's MSI installer disguises itself as a Windows Update package with different hashes, a feature the team calls a "cheap and simple" way to avoid the malware's installers being connected to one another during investigations.

Three payloads are then extracted and decrypted.  One tampers with Windows firewall capabilities and filters are created to block a number of ports, potentially in a bid to stop the vulnerable server from being reinfected with other malware.  An IPv6 interface is also installed for port scanning purposes and to "maximize the efficiency of the spread over (usually unmonitored) IPv6 subnets," the team notes, before a rootkit is loaded and the target machine is restarted. Purple Fox is loaded into a system DLL for execution on boot.  Purple Fox will then generate IP ranges and begin scans on port 445 to spread. "As the machine responds to the SMB probe that's being sent on port 445, it will try to authenticate to SMB by brute-forcing usernames and passwords or by trying to establish a null session," the researchers say. 

The Trojan/rootkit installer has adopted steganography to hide local privilege escalation (LPE) binaries in past attacks.   Indicators of Compromise (IoCs) have been shared on GitHub.

Red Sky Alliance has been analyzing and documenting these types of cyber threats for 9 years and maintains a resource library of malware and cyber actor reports available at https://redskyalliance.org at no charge.  Many past tactics are often dusted off and reused in current malicious campaigns.  Red Sky Alliance can provide actionable cyber intelligence and weekly blacklists to help protect your network. 

Red Sky Alliance is a Cyber Threat Analysis and   Intelligence Service organization.  For questions, comments, or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com

Weekly Cyber Intelligence Briefings:


Weekly Cyber Intelligence Briefings
:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/3702558539639477516

 

[1] https://www.zdnet.com/article/purple-fox-malware-evolves-to-propagate-across-windows-machines/

E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!