
Purple Fox attacks Windows servers through a worm

As early as 2018, security researchers discovered the rootkit that was later named Purple Fox. At first it mainly spread through phishing emails and exploit kits. Recently, researchers have discovered that Purple Fox has added a worm module, which lets it spread more quickly among Windows devices, and the scale of infection is also growing.


The researchers pointed out that Purple Fox is launching a new round of attacks on Internet-facing computers that use weak passwords. In addition, new infection techniques have greatly increased its spreading speed.


Specifically, the worm guesses weak passwords of Windows user accounts over Server Message Block (SMB), the protocol Windows uses to communicate with other devices such as printers and file servers, and uses that access to spread the infection. Once it gains access to a vulnerable computer, Purple Fox retrieves the malicious payload from a network of nearly 2,000 older, infected Windows web servers and quietly installs the rootkit, which anchors the malware persistently on the computer and makes it harder to discover, detect, and remove.


The researchers pointed out that once a computer is infected, the worm closes the firewall port originally used to infect it, which may prevent repeated infections or stop other attackers from intruding and hijacking the victim's computer. After that, the malware generates a list of Internet addresses and scans the network for vulnerable devices with weak passwords, further spreading the infection and building an expanding botnet.
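The SMB password-guessing step described above leaves a recognisable trace in Windows Security logs: a burst of failed network logons (event 4625, logon type 3) from one source, sometimes followed by a success (event 4624) from the same source. The following Python is an added detection example, not code from the original article; the event records, IP addresses, threshold and time window are all constructed assumptions.

```python
# Added example (not from the original article): flag SMB password guessing
# from Windows Security events already parsed into dicts. The sample events
# below are constructed, not real telemetry; threshold and window are assumed.
from collections import defaultdict
from datetime import datetime, timedelta

BRUTE_FORCE_THRESHOLD = 5          # failed network logons per source in the window
WINDOW = timedelta(minutes=2)
NETWORK_LOGON = 3                  # LogonType 3 is how SMB authentication shows up

# Constructed sample: 4625 = failed logon, 4624 = successful logon.
EVENTS = [
    {"ts": "2021-03-24 10:00:01", "id": 4625, "src": "10.0.0.9",  "user": "admin", "type": 3},
    {"ts": "2021-03-24 10:00:03", "id": 4625, "src": "10.0.0.9",  "user": "admin", "type": 3},
    {"ts": "2021-03-24 10:00:05", "id": 4625, "src": "10.0.0.9",  "user": "admin", "type": 3},
    {"ts": "2021-03-24 10:00:07", "id": 4625, "src": "10.0.0.9",  "user": "admin", "type": 3},
    {"ts": "2021-03-24 10:00:09", "id": 4625, "src": "10.0.0.9",  "user": "admin", "type": 3},
    {"ts": "2021-03-24 10:00:11", "id": 4624, "src": "10.0.0.9",  "user": "admin", "type": 3},
    {"ts": "2021-03-24 10:00:12", "id": 4625, "src": "10.0.0.20", "user": "bob",   "type": 3},
    {"ts": "2021-03-24 10:00:13", "id": 4625, "src": "10.0.0.20", "user": "bob",   "type": 2},  # interactive, ignored
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def detect_smb_password_guessing(events, threshold=BRUTE_FORCE_THRESHOLD, window=WINDOW):
    """Return {source_ip: verdict} for sources exceeding `threshold` failed
    network logons inside a sliding `window`. Verdict is "brute-force", or
    "brute-force-success" if a network logon later succeeds from that source."""
    failures = defaultdict(list)
    verdicts = {}
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        if ev["type"] != NETWORK_LOGON:
            continue                      # only SMB-style network logons matter here
        ts, src = parse_ts(ev["ts"]), ev["src"]
        if ev["id"] == 4625:
            recent = [t for t in failures[src] if ts - t <= window]
            recent.append(ts)
            failures[src] = recent
            if len(recent) >= threshold:
                verdicts.setdefault(src, "brute-force")
        elif ev["id"] == 4624 and verdicts.get(src) == "brute-force":
            # A success right after a burst of failures is the worm's foothold.
            verdicts[src] = "brute-force-success"
    return verdicts

if __name__ == "__main__":
    print(detect_smb_password_guessing(EVENTS))  # {'10.0.0.9': 'brute-force-success'}
```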

Because of its strong ability to propagate, the worm botnet poses a greater risk to victims. Compared with earlier phishing and exploit-kit delivery, the "operating cost" of worm-based infection is also lower. According to monitoring data, the infection rate of Purple Fox has soared by 600% since May 2020, and the actual number may be even higher (more than 90,000 infections in total over the past year).

IOCs
