Purple Fox Malware's New Worm Capabilities
Purple Fox is a malware campaign that until recently required user interaction to infect Windows machines. However, the hackers behind the campaign have added new functionality that lets it brute force its way into systems on its own. Guardicore Labs have identified new infection capabilities in Purple Fox, where internet-facing Windows machines are being breached through SMB password brute force. Purple Fox now also includes a rootkit that allows the hackers to hide the malware on the machine and makes it difficult to detect and remove.
Researchers analyzed Purple Fox's latest activity and found two changes to how the hackers propagate malware on Windows machines. The first is a new worm payload that executes after a machine is compromised through a vulnerable, exposed service such as SMB. The campaign also retains its earlier tactic of infecting machines through phishing, sending the payload via email to exploit a browser vulnerability. Once the worm infects a machine, it creates a new service for persistence and executes a command that iterates through a number of URLs hosting the MSI that installs Purple Fox on the infected machine.
Once the package is executed, the MSI installer launches disguised as a Windows Update package, with Chinese text that translates to "Windows Update" followed by random letters. These letters are generated anew for each MSI installer so that every copy has a different hash, making it difficult to link different versions of the same MSI. This is a simple way of evading detection methods such as static signatures. As the installation progresses, the installer extracts the payloads from within the MSI package and decrypts them. It also modifies the Windows firewall to prevent the infected machine from being reinfected by a different hacker. The installer then reboots the machine in order to rename the malware's dynamic link library to a system DLL file that is executed on boot. It then executes the malware, which immediately begins its propagation process. The malware generates IP ranges and scans them on port 445 to start the brute-forcing process. If authentication succeeds, the malware creates a service that downloads the MSI installation package from one of the many HTTP servers in use, completing the infection.
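A defender-side check for the propagation behaviour just described, added here as an example (not code from the Guardicore report): it flags hosts that sweep many addresses on port 445 and pile up failed SMB logons. The log format, thresholds and sample lines are assumptions made for this example.

```python
"""Flag hosts that behave like the Purple Fox worm stage: sweeping many
addresses on TCP/445 and repeatedly failing SMB authentication.
Log format, thresholds and sample data are assumptions for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # sliding window evaluated per source host
SWEEP_MIN_NETWORKS = 20         # distinct /24 networks touched on port 445
BRUTE_MIN_FAILURES = 10         # failed SMB logons inside the window


def parse_line(line):
    """Assumed format: '<ISO-8601 time> <src_ip> <dst_ip> <dst_port> <event>'."""
    ts, src, dst, port, event = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), event


def find_smb_worm_candidates(lines):
    """Return {src_ip: [reasons]} for sources exceeding either threshold."""
    per_src = defaultdict(list)
    for line in lines:
        ts, src, dst, port, event = parse_line(line)
        if port == 445:                      # only SMB traffic matters here
            per_src[src].append((ts, dst, event))
    findings = {}
    for src, events in per_src.items():
        events.sort()
        max_nets = max_fails = 0
        start = 0
        for end in range(len(events)):       # slide WINDOW over sorted events
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            window = events[start:end + 1]
            nets = {dst.rsplit(".", 1)[0] for _, dst, _ in window}
            fails = sum(1 for _, _, ev in window if ev == "auth_fail")
            max_nets, max_fails = max(max_nets, len(nets)), max(max_fails, fails)
        reasons = []
        if max_nets >= SWEEP_MIN_NETWORKS:
            reasons.append("port 445 sweep across %d /24 networks" % max_nets)
        if max_fails >= BRUTE_MIN_FAILURES:
            reasons.append("SMB brute force: %d failed logons" % max_fails)
        if reasons:
            findings[src] = reasons
    return findings


def constructed_sample():
    """Constructed log lines: one scanning host and one normal file-server client."""
    base = datetime(2021, 3, 23, 10, 0, 0)
    lines = [f"{(base + timedelta(seconds=2 * i)).isoformat()} 10.0.5.7 10.{i}.3.9 445 auth_fail"
             for i in range(30)]             # 30 different /24s, every logon fails
    lines += [f"{(base + timedelta(seconds=60 * i)).isoformat()} 10.0.5.20 10.0.9.1 445 auth_ok"
              for i in range(3)]             # legitimate client, one server
    return lines
```

Run `find_smb_worm_candidates(constructed_sample())` to see only the scanning host reported, with both reasons; in practice feed it firewall or NetFlow records correlated with Windows logon failures.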
Purple Fox is the latest malware to be reworked with worm capabilities; other operations such as the Rocke Group and the Ryuk ransomware have also added self-propagation functionality. Researchers identified 3,000 servers previously compromised by the hackers behind Purple Fox, which have been repurposed to host their droppers and malicious payloads. The majority of the servers serving the initial payload run old versions of Windows Server with IIS version 7.5 and Microsoft FTP, which are known to have multiple vulnerabilities of varying severity.