Purple Fox attacks Windows servers through a worm module

As early as 2018, security researchers discovered the rootkit that was later named Purple Fox. At first it spread mainly through phishing emails and exploit kits. Recently, researchers have discovered that Purple Fox has added a worm module, which lets it spread more quickly among Windows devices; the scale of infection is also growing.


The researchers pointed out that the malware is launching a new round of attacks on Internet-facing computers with weak passwords. In addition, new infection techniques have greatly increased the speed at which it spreads.


Specifically, the worm targets Server Message Block (SMB), the protocol Windows uses to communicate with other devices such as printers and file servers, and guesses weak passwords for Windows user accounts in order to spread the infection. Once it gains access to a vulnerable computer, Purple Fox pulls its malicious payload from a network of nearly 2,000 compromised older Windows web servers and quietly installs the rootkit, which anchors the malware persistently on the computer and makes it harder to discover, detect and remove.


The researchers pointed out that once a computer is infected, the malware closes the firewall port it originally used to get in, which may prevent repeated infections or stop other attackers from intruding and hijacking the victim's computer. The malware then generates a list of Internet addresses and scans for vulnerable devices with weak passwords in order to infect them further, building an ever-expanding botnet.
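As an added illustration (not from the original article or the researchers it cites), the following Python sketches two rule-based checks a defender could run over host telemetry for the two behaviours described above: inbound SMB password guessing (a burst of failed network logons from one source) and outbound SMB scanning by an already-infected host (one source reaching many distinct hosts on port 445 in a short time). The log records, IP addresses, thresholds and event shapes are constructed for the example and are assumptions, not Purple Fox indicators.

```python
"""Rule-based detectors for SMB password guessing and SMB scanning (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2021, 3, 24, 10, 0, 0)

# Constructed sample (not real telemetry) of Windows Security event 4625 (logon failure)
# with Logon Type 3 (network logon, which an SMB authentication attempt produces),
# reduced to (timestamp, source_ip, target_account).
FAILED_LOGONS = (
    # one Internet source cycling through common account names every 10 seconds
    [(BASE + timedelta(seconds=10 * i), "203.0.113.7", acct)
     for i, acct in enumerate(["administrator", "admin", "guest", "user", "backup", "sql"] * 2)]
    # a user mistyping a password twice is not an attack
    + [(BASE + timedelta(minutes=3), "192.0.2.25", "jsmith"),
       (BASE + timedelta(minutes=3, seconds=8), "192.0.2.25", "jsmith")]
)

# Constructed sample (not real telemetry) of connection records
# (timestamp, src_ip, dst_ip, dst_port), e.g. from WFP event 5156 or a flow export.
FLOWS = (
    # an internal host sweeping a /24 on port 445, one new target per second
    [(BASE + timedelta(seconds=i), "10.0.0.50", f"10.0.1.{i + 1}", 445) for i in range(30)]
    # a workstation talking repeatedly to the same file server: normal
    + [(BASE + timedelta(seconds=5 * i), "10.0.0.12", "10.0.0.5", 445) for i in range(40)]
    # unrelated HTTPS traffic, ignored by the port filter
    + [(BASE + timedelta(seconds=i), "10.0.0.12", "198.51.100.9", 443) for i in range(60)]
)


def peak_in_window(timestamps, window):
    """Largest number of timestamps that fall inside any interval of length `window`."""
    timestamps = sorted(timestamps)
    start, peak = 0, 0
    for end, t in enumerate(timestamps):
        while t - timestamps[start] > window:  # slide the left edge forward
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def detect_password_guessing(events=FAILED_LOGONS, window=timedelta(minutes=5), threshold=10):
    """Flag source IPs with at least `threshold` failed network logons inside `window`.
    Returns {source_ip: peak_failures}."""
    by_src = defaultdict(list)
    for ts, src, _account in events:
        by_src[src].append(ts)
    hits = {}
    for src, times in by_src.items():
        peak = peak_in_window(times, window)
        if peak >= threshold:
            hits[src] = peak
    return hits


def detect_smb_scanning(flows=FLOWS, window=timedelta(minutes=5), threshold=20, port=445):
    """Flag source hosts that reach at least `threshold` distinct destinations on `port`
    inside `window`. Returns {source_ip: peak_distinct_destinations}."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == port:
            by_src[src].append((ts, dst))
    hits = {}
    for src, conns in by_src.items():
        conns.sort()
        start, peak = 0, 0
        for end, (ts, _dst) in enumerate(conns):
            while ts - conns[start][0] > window:
                start += 1
            # distinct destinations, so a client hammering one file server does not count
            peak = max(peak, len({d for _, d in conns[start:end + 1]}))
        if peak >= threshold:
            hits[src] = peak
    return hits


if __name__ == "__main__":
    print("password guessing:", detect_password_guessing())
    print("smb scanning:", detect_smb_scanning())
```

Both checks are deliberately simple sliding-window counters: the first fires on the inbound side of the attack (a host being brute-forced over SMB), the second on the outbound side (a host that has already been taken over and is sweeping its neighbours). Thresholds and windows are assumptions and should be tuned against a baseline of the environment's normal SMB activity.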

Because of its strong ability to propagate, the worm-driven botnet poses a greater risk to victims. Compared with the earlier phishing and exploit-kit campaigns, the "operating cost" of the worm infection technique is also lower. According to monitoring data, Purple Fox infections have soared by 600% since May 2020, with more than 90,000 infections in the past year, and the real number may be even higher.