Purple Fox has been upgraded with a worm module that allows it to infect Windows systems reachable over the Internet, and the attacks are ongoing, according to Guardicore Labs.
The malware previously has been distributed via exploit kits and phishing emails. It has rootkit and backdoor capabilities and can download other payloads. It was first spotted in 2018 when it infected at least 30,000 devices.
Previously, Purple Fox’s exploit kit module targeted Windows systems and infected user machines through web browsers by exploiting memory corruption and elevating privileges.
According to Guardicore Labs security researchers Amit Serper and Ophir Harpaz, attacks with Purple Fox have sharply increased since May 2020, reaching a total of 90,000 attacks and a 600% rise in infections.
According to the Guardicore Labs report, the upgraded Purple Fox, now equipped with malware droppers and additional modules, relies on an extensive network of bots and an army of almost 2,000 compromised servers.
The malware tries to discover an exposed Windows system by scanning for devices reachable over the Internet. Once found, Purple Fox’s newly added worm module tries to infect it using SMB password brute force.
Besides infecting servers by brute-forcing via vulnerable Internet-exposed SMB services, Purple Fox also uses phishing campaigns and web browser vulnerabilities to deliver its payloads.
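The worm's initial access path described above, password brute force against Internet-exposed SMB services, leaves a characteristic trace on the victim: a burst of failed network logons (Windows Security event ID 4625, logon type 3) from a single remote address, often cycling through several account names. The following detection example is added here and is not code from the article or from Guardicore; the log lines are constructed sample data written in a simplified one-line-per-event form rather than real captured events, the TEST-NET addresses are placeholders, and the threshold and window values are assumptions a defender would tune to their environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines modelled on Windows Security event 4625 (logon failure)
# and 4624 (logon success). LogonType=3 is a network logon, which is what an SMB
# authentication attempt from a remote host produces. Addresses are TEST-NET
# placeholders, not real infrastructure.
SAMPLE_LOG = """\
2021-03-23T10:00:01 EventID=4625 LogonType=3 Account=administrator SourceIP=203.0.113.7
2021-03-23T10:00:03 EventID=4625 LogonType=3 Account=administrator SourceIP=203.0.113.7
2021-03-23T10:00:05 EventID=4625 LogonType=3 Account=admin SourceIP=203.0.113.7
2021-03-23T10:00:08 EventID=4625 LogonType=3 Account=admin SourceIP=203.0.113.7
2021-03-23T10:00:12 EventID=4625 LogonType=3 Account=guest SourceIP=203.0.113.7
2021-03-23T10:00:15 EventID=4625 LogonType=3 Account=guest SourceIP=203.0.113.7
2021-03-23T10:00:20 EventID=4625 LogonType=3 Account=alice SourceIP=198.51.100.2
2021-03-23T10:00:25 EventID=4624 LogonType=3 Account=alice SourceIP=198.51.100.2
2021-03-23T10:00:40 EventID=4625 LogonType=2 Account=bob SourceIP=10.0.0.5
2021-03-23T10:01:00 EventID=4625 LogonType=3 Account=administrator SourceIP=203.0.113.9
2021-03-23T10:03:30 EventID=4625 LogonType=3 Account=administrator SourceIP=203.0.113.9
2021-03-23T10:06:00 EventID=4625 LogonType=3 Account=administrator SourceIP=203.0.113.9
2021-03-23T10:08:30 EventID=4625 LogonType=3 Account=administrator SourceIP=203.0.113.9
2021-03-23T10:11:00 EventID=4625 LogonType=3 Account=administrator SourceIP=203.0.113.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"Account=(?P<acct>\S+) SourceIP=(?P<ip>\S+)$"
)


def parse_events(text):
    """Parse the simplified event lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m.group("ts")),
            "event_id": int(m.group("eid")),
            "logon_type": int(m.group("lt")),
            "account": m.group("acct").lower(),
            "ip": m.group("ip"),
        })
    return events


def detect_smb_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Flag source IPs that produce at least `threshold` failed network logons
    inside any sliding time window of length `window`.

    Only event 4625 with logon type 3 counts: successes (4624) and local or
    interactive failures (other logon types) are ignored, so a user mistyping
    a password at the console does not trigger an alert. Slow attempts spread
    over a longer span than `window` are also not flagged with the defaults;
    widening the window trades sensitivity for false positives.
    """
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    failures = defaultdict(int)   # per-IP total failures seen
    accounts = defaultdict(set)   # per-IP account names tried
    flagged = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event_id"] != 4625 or ev["logon_type"] != 3:
            continue
        ip = ev["ip"]
        failures[ip] += 1
        accounts[ip].add(ev["account"])
        q = recent[ip]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = {"triggered_at": ev["ts"]}
    # Attach totals so the alert shows scope (spray across accounts vs. one target).
    for ip, summary in flagged.items():
        summary["failures"] = failures[ip]
        summary["accounts"] = sorted(accounts[ip])
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_smb_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(ip, summary)
```

With the defaults, only 203.0.113.7 is flagged (six failures across three accounts in 15 seconds); 203.0.113.9 sends one attempt every 2.5 minutes and stays under the 60-second window, which is exactly the kind of low-and-slow pattern a second, wider-window rule should catch.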
“Throughout our research, we have observed an infrastructure that appears to be made out of a hodge-podge of vulnerable and exploited servers hosting the initial payload of the malware, infected machines which are serving as nodes of those constantly worming campaigns, and server infrastructure that appears to be related to other malware campaigns,” Serper and Harpaz said.
Once a system is infected, the malware exhibits worm-like behavior, continuously scanning the Internet for other targets and attempting to add them to the botnet.
The researchers published IOCs, including Purple Fox MSI drop sites and connect-back servers, in a GitHub repository.