Purple Fox Malware Using Worm to Target Windows Devices
Malware Spreads Via Indiscriminate Port Scanning
The developers behind the Purple Fox fileless downloader malware have upgraded their operation and are using worm capability to target internet-facing devices running Windows, the security firm Guardicore Labs reports.
The downloader is primarily used to distribute information stealers, cryptominers, ransomware and Trojans.
Purple Fox, first discovered in March 2018, is an exploit kit targeting Internet Explorer and Windows devices with various privilege escalation exploits. The downloader malware is now spreading via indiscriminate port scanning and exploitation of exposed Server Message Block, or SMB, services with weak passwords and hashes, Guardicore researchers say.
The malware comes with a rootkit capability that enables the attackers to hide the malware on infected devices and make it difficult to remove. In 2018, the malware victimized 30,000 users, according to a 2019 report by Trend Micro.
Purple Fox uses a vast network of compromised servers – primarily Microsoft IIS 7.5 servers – to host its dropper and payloads.
“We have established that the vast majority of the servers, which are serving the initial payload, are running on relatively old versions of Windows Server running IIS version 7.5 and Microsoft FTP, which are known to have multiple vulnerabilities with varying severity levels,” Guardicore Labs researchers note.
James McQuiggan, security awareness advocate at the security firm KnowBe4, says organizations that continue to use end-of-life computer operating systems and applications are an easy target for cybercriminals.
Attack Methods
The latest Purple Fox attacks start with a phishing email that delivers the worm payload, the researchers say.
The installer pretends to be a Windows Update package; its strings consist of Chinese text that roughly translates to “Windows Update,” followed by random letters.
“These letters are randomly generated between each different MSI installer to create a different hash and make it a bit difficult to tie between different versions of the same MSI,” Guardicore Labs says. “This is a cheap and simple way of evading various detection methods such as static signatures. Additionally, we have identified MSI packages with the same strings but with random null bytes appended to them in order to create different hashes of the same file.”
As the installation progresses, the installer extracts and decrypts its payloads from within the MSI package. The MSI package contains a 64-bit DLL payload (winupdate64), a 32-bit DLL payload (winupdate32) and an encrypted file containing a rootkit.
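The null-byte padding Guardicore describes defeats exact-hash matching, but not a hash computed after the padding is stripped. The following Python script is an added example, not code from the article or from Guardicore: it hashes two constructed byte blobs (labelled as such in the code; they are not real Purple Fox samples) both raw and with trailing 0x00 bytes removed, so that packages that differ only in appended nulls cluster under one key. The random-letter string variation also described in the report is a different evasion and is not addressed by this normalization.

```python
import hashlib

# Constructed sample bytes standing in for two MSI packages (not real
# samples from the report): the OLE/CFB header magic that MSI files use,
# a short placeholder body, and the same bytes with null padding appended.
BASE_MSI = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
            + b"constructed MSI-like body, Windows Update strings")
PADDED_MSI = BASE_MSI + b"\x00" * 37   # 37 appended null bytes, constructed


def raw_sha256(data: bytes) -> str:
    """Hash exactly as a static signature engine would: every byte counts."""
    return hashlib.sha256(data).hexdigest()


def trailing_null_count(data: bytes) -> int:
    """Number of 0x00 bytes at the very end of the file."""
    return len(data) - len(data.rstrip(b"\x00"))


def normalized_sha256(data: bytes) -> str:
    """Hash with trailing null padding removed.

    Two files that differ only in appended null bytes collapse to the same
    value, so this serves as a clustering key next to the raw hash. It is a
    heuristic: OLE compound files (the container MSI uses) are written in
    fixed-size sectors, so a legitimate file can also end in zeros. The
    normalized hash groups files; it does not judge them.
    """
    return hashlib.sha256(data.rstrip(b"\x00")).hexdigest()


def compare(a: bytes, b: bytes) -> dict:
    """Report whether two blobs are the same file modulo null padding."""
    return {
        "raw_match": raw_sha256(a) == raw_sha256(b),
        "normalized_match": normalized_sha256(a) == normalized_sha256(b),
        "padding_a": trailing_null_count(a),
        "padding_b": trailing_null_count(b),
    }


if __name__ == "__main__":
    # Expected: raw hashes differ, normalized hashes match, 0 vs 37 padding bytes.
    print(compare(BASE_MSI, PADDED_MSI))
```

In practice the normalized hash is stored alongside the raw SHA-256 so that a new padded variant can be matched to an already-analysed package without re-running a full analysis.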
“As a part of the installation process, the malware modifies the Windows firewall by executing multiple netsh (network shell) commands. The malware adds a new policy named Qianye to the Windows firewall. Under this policy, it creates a new filter called Filter1 and under this filter, it prohibits ports 445, 139, 135 on both TCP and UDP from any IP address on the internet (0.0.0.0) to connect to the infected machine,” the researchers note.
Guardicore Labs says the attackers apparently block connections to prevent the infected machine from being reinfected and/or being exploited by a different threat actor.
Once the worm payload executes, the upgraded Purple Fox malware infects a device by compromising a vulnerable exposed service, such as SMB.
Once successful code execution is achieved on a device, a new service whose name matches the regex AC0[0-9]{1} – e.g., AC01, AC02, AC05 – is created to establish persistence.
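The firewall changes and the AC0x service name are host-level artefacts a defender can look for in process-creation and service-installation telemetry. The script below is an added example, not code from the article or from Guardicore. It runs two rules over constructed log lines: the line format, file paths and the netsh ipsec command shapes are assumptions for illustration and are not the malware's exact commands. Rule one flags netsh invocations that add a policy or filter named Qianye or Filter1, or that reference ports 445, 139 or 135; rule two flags newly installed services whose name matches AC0[0-9] (the page's AC0[0-9]{1}, which is the same pattern).

```python
import re
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample telemetry (not from the report), one event per line:
# "<timestamp> <event_kind> key=value ..." with quoted values allowed.
SAMPLE_LOG = """\
2021-03-23T10:01:02Z process_create image=C:\\Windows\\System32\\msiexec.exe cmdline="msiexec /i C:\\Users\\Public\\update.msi /q"
2021-03-23T10:01:05Z process_create image=C:\\Windows\\System32\\netsh.exe cmdline="netsh ipsec static add policy name=Qianye"
2021-03-23T10:01:05Z process_create image=C:\\Windows\\System32\\netsh.exe cmdline="netsh ipsec static add filterlist name=Filter1"
2021-03-23T10:01:06Z process_create image=C:\\Windows\\System32\\netsh.exe cmdline="netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=me protocol=TCP dstport=445"
2021-03-23T10:01:06Z process_create image=C:\\Windows\\System32\\netsh.exe cmdline="netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=me protocol=UDP dstport=139"
2021-03-23T10:02:00Z service_install name=AC05 image=C:\\Windows\\System32\\svchost.exe start=auto
2021-03-23T10:02:30Z service_install name=Spooler image=C:\\Windows\\System32\\spoolsv.exe start=auto
2021-03-23T10:03:00Z process_create image=C:\\Windows\\System32\\netsh.exe cmdline="netsh advfirewall show allprofiles"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value, value may be quoted
SERVICE_NAME_RE = re.compile(r"^AC0[0-9]$")      # equivalent to the report's AC0[0-9]{1}
FIREWALL_NAMES = {"qianye", "filter1"}           # policy / filter names from the report
BLOCKED_PORTS = {"445", "139", "135"}            # SMB, NetBIOS session, RPC endpoint mapper
DSTPORT_RE = re.compile(r"dstport=(\d+)", re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Split one log line into timestamp, event kind and key=value fields."""
    timestamp, kind, rest = line.split(" ", 2)
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    return {"timestamp": timestamp, "kind": kind, **fields}


def netsh_tampering(event: Dict[str, str]) -> Optional[str]:
    """Flag netsh commands that add a policy/filter using the report's names
    or that reference the SMB-related ports the malware blocks."""
    if event.get("kind") != "process_create":
        return None
    cmd = event.get("cmdline", "")
    low = cmd.lower()
    if not low.startswith("netsh") or " add " not in low:
        return None
    names_hit = sorted(n for n in FIREWALL_NAMES if f"={n}" in low)
    ports_hit = sorted(BLOCKED_PORTS.intersection(DSTPORT_RE.findall(cmd)))
    if names_hit or ports_hit:
        return f"netsh_smb_block names={names_hit} ports={ports_hit}"
    return None


def suspicious_service(event: Dict[str, str]) -> Optional[str]:
    """Flag a newly installed service whose name fits the AC0x pattern."""
    if event.get("kind") != "service_install":
        return None
    name = event.get("name", "")
    if SERVICE_NAME_RE.match(name):
        return f"service_name_pattern name={name}"
    return None


RULES: List[Callable[[Dict[str, str]], Optional[str]]] = [netsh_tampering, suspicious_service]


def scan(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Run every rule over every non-empty line and collect the findings."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = parse_event(line)
        for rule in RULES:
            detail = rule(event)
            if detail:
                findings.append({"timestamp": event["timestamp"], "detail": detail})
    return findings


if __name__ == "__main__":
    # Expected on the constructed log: four netsh findings and one AC05 service finding.
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding["timestamp"], finding["detail"])
```

The service-name rule on its own will produce false positives on any environment that happens to use that naming scheme; correlating it in time with the netsh findings, as the constructed log shows, is what makes the pair worth alerting on.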
Previous Versions
A 2020 report by security firm Proofpoint says the developers behind the Purple Fox fileless downloader malware had upgraded their operation and were targeting two vulnerabilities to gain access to networks.