Purple Fox, a widespread malware variant that infected thousands of devices in 2018, is back again, and while the way it functions is essentially the same, this time it shows worm-like behavior in how it spreads. It is actively being distributed via phishing and exploit kits. This malware variant is targeting vulnerable internet-facing Windows systems with weak passwords.

Security researchers from Guardicore Labs identified this malware variant and reported that the infection rate has increased by 600 percent, infecting 90,000 devices and counting since its first detection in May 2020. Purple Fox exploits the memory space of Windows devices through web browsers and then elevates its privileges by exploiting vulnerabilities.

How Purple Fox works

Purple Fox scans ports to find vulnerable Windows machines. Once it finds a vulnerable system, it initiates a brute-force attack on the Server Message Block (SMB) service to infect that system. As of now, Purple Fox has wormed its way into around 2,000 servers, as per Guardicore's report. Once a device is infected, Purple Fox deploys a rootkit module that hides the dropped files and reboots the device.

As the device reboots, all the dynamic-link library (DLL) payload files dropped by the rootkit are renamed to match Windows DLL files, hiding them in plain sight. Once Purple Fox gains control over the infected device, it searches the connected networks for other vulnerable devices and adds them to its botnet.

You can find in-depth details about Purple Fox on GitHub.

How to defend against Purple Fox

Purple Fox is distributed through phishing campaigns and exploit kits, and it looks for vulnerable Windows systems with open ports that can be used to breach a network device. IT administrators need to ensure their network devices have only the necessary ports open and that their Windows devices are kept up to date, eliminating the vulnerabilities used to elevate privileges.
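Because the worm stage described above brute-forces SMB on exposed Windows hosts, a simple check administrators can run against their own security logs is to flag source addresses that generate many failed network logons (Windows Event ID 4625 with logon type 3) in a short window. The script below is an added example, not Guardicore's or Purple Fox's code; the log lines are constructed, and the one-line-per-event text layout is an assumption about how the events were exported.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines modelled on Windows Security log Event ID 4625
# (failed logon), exported one event per line. The field layout is assumed.
SAMPLE_LOG = """\
2021-03-24T10:00:01 EventID=4625 LogonType=3 TargetUser=administrator SourceIP=198.51.100.23
2021-03-24T10:00:02 EventID=4625 LogonType=3 TargetUser=admin SourceIP=198.51.100.23
2021-03-24T10:00:02 EventID=4625 LogonType=3 TargetUser=guest SourceIP=198.51.100.23
2021-03-24T10:00:03 EventID=4625 LogonType=3 TargetUser=backup SourceIP=198.51.100.23
2021-03-24T10:00:04 EventID=4625 LogonType=3 TargetUser=test SourceIP=198.51.100.23
2021-03-24T10:00:05 EventID=4625 LogonType=3 TargetUser=administrator SourceIP=198.51.100.23
2021-03-24T10:05:00 EventID=4625 LogonType=2 TargetUser=jsmith SourceIP=127.0.0.1
2021-03-24T10:06:00 EventID=4625 LogonType=3 TargetUser=jsmith SourceIP=192.0.2.10
2021-03-24T10:30:00 EventID=4625 LogonType=3 TargetUser=jsmith SourceIP=192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$"
)


def parse(log_text):
    """Yield (timestamp, logon_type, user, ip) for each failed-logon (4625) line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("eid") == "4625":
            yield (datetime.fromisoformat(m.group("ts")),
                   int(m.group("lt")), m.group("user"), m.group("ip"))


def find_smb_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: (failures, users_tried)} for source IPs whose network-logon
    (type 3, the logon type SMB authentication produces) failures reach
    `threshold` inside any sliding `window`."""
    events = defaultdict(list)
    for ts, lt, user, ip in parse(log_text):
        if lt == 3:
            events[ip].append((ts, user))
    hits = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # shrink the window from the left until it spans at most `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > hits.get(ip, (0, set()))[0]:
                hits[ip] = (count, {u for _, u in evs[start:end + 1]})
    return hits
```

On the constructed sample, only 198.51.100.23 is flagged (six type-3 failures across five usernames in four seconds); the local interactive failure and the two spaced-out failures from 192.0.2.10 are ignored.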

They can also ensure that incoming emails come only from trusted domains and that anonymous or malicious domains are automatically blocked from employees' inboxes. Phishing campaigns are very manipulative, so educating employees about phishing attacks and the best practices for avoiding them will help the IT department keep the network safe from Purple Fox.

Employing automated patch management procedures with the right browser isolation methods can keep your network safe from intrusions like these.