Purple Fox Rootkit Presents New Infection Vector for Windows Based Computers

Purple Fox, a Windows malware deployed using exploit kits and phishing emails, has gained a worm module that allows it to scan for and infect vulnerable systems on its own.

Purple Fox was first discovered in 2018, when it was distributed in the form of malicious “.msi” payloads and used rootkit capabilities to hide on an infected server.

Guardicore Labs said that Purple Fox can now brute-force its way into victims’ systems on its own, after reports of attacks spiked by about 600% since May 2020.

(Purple Fox has a) “novel spreading technique via indiscriminate port scanning and exploitation of exposed SMB services with weak passwords and hashes,” explained Guardicore.

Guardicore said Purple Fox didn’t change its post-exploitation behavior, but because it now has worm capabilities it can spread more rapidly across unprotected networks.
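The spreading behaviour described above (indiscriminate scanning for exposed SMB and password guessing against it) is noisy on the network, which gives defenders a detection handle. The following is an added example, not code from the article or from Guardicore, showing how a sliding-window check over simplified connection and authentication log lines could flag a host that contacts many distinct peers on TCP 445 or accumulates SMB authentication failures in a short period. The log format, the field names, the sample events and the thresholds are all assumptions constructed for the example.

```python
"""Flag worm-like SMB spreading: one internal host reaching many distinct
targets on TCP 445, or repeatedly failing SMB authentication, within a
short time window.

Added example, not from the original article or from Guardicore's research.
Log format (assumed, simplified): one event per line,
'<ISO timestamp> <src_ip> <dst_ip> <dst_port> <result>'.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple

SMB_PORT = 445
DISTINCT_TARGET_THRESHOLD = 5   # assumed: distinct hosts contacted on 445 per window
AUTH_FAIL_THRESHOLD = 5         # assumed: failed SMB auths per window
WINDOW = timedelta(minutes=5)   # assumed: sliding window length


class Event(NamedTuple):
    ts: datetime
    src: str
    dst: str
    dst_port: int
    result: str


# Constructed sample events (not real traffic). 10.0.0.5 sweeps six peers on 445
# with failed logons and finally succeeds on one; 10.0.0.9 is ordinary file-share use.
SAMPLE_LOG = """\
2021-03-24T10:00:01 10.0.0.5 10.0.0.21 445 AUTH_FAIL
2021-03-24T10:00:02 10.0.0.5 10.0.0.22 445 AUTH_FAIL
2021-03-24T10:00:02 10.0.0.5 10.0.0.23 445 AUTH_FAIL
2021-03-24T10:00:03 10.0.0.5 10.0.0.24 445 AUTH_FAIL
2021-03-24T10:00:03 10.0.0.5 10.0.0.25 445 AUTH_FAIL
2021-03-24T10:00:04 10.0.0.5 10.0.0.26 445 AUTH_FAIL
2021-03-24T10:00:05 10.0.0.5 10.0.0.26 445 AUTH_OK
2021-03-24T10:20:00 10.0.0.5 10.0.0.30 445 AUTH_FAIL
2021-03-24T10:01:00 10.0.0.9 10.0.0.50 445 AUTH_OK
2021-03-24T10:02:00 10.0.0.9 10.0.0.50 445 AUTH_OK
2021-03-24T10:02:30 10.0.0.9 10.0.0.50 80 OK
"""


def parse_event(line: str) -> Event:
    """Parse one log line in the assumed format into an Event."""
    ts, src, dst, port, result = line.split()
    return Event(datetime.fromisoformat(ts), src, dst, int(port), result)


def detect_smb_spreaders(log_text: str,
                         window: timedelta = WINDOW,
                         target_threshold: int = DISTINCT_TARGET_THRESHOLD,
                         fail_threshold: int = AUTH_FAIL_THRESHOLD) -> Dict[str, Dict[str, int]]:
    """Return {src_ip: {max_distinct_targets, max_auth_failures}} for every source
    whose SMB activity in any sliding window crosses either threshold."""
    by_src: Dict[str, List[Event]] = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.dst_port == SMB_PORT:        # only SMB traffic is of interest here
            by_src[ev.src].append(ev)

    findings: Dict[str, Dict[str, int]] = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        max_targets = max_fails = 0
        start = 0
        for end in range(len(evs)):
            # Advance the window start until all events in it lie within `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            span = evs[start:end + 1]
            max_targets = max(max_targets, len({e.dst for e in span}))
            max_fails = max(max_fails, sum(e.result == "AUTH_FAIL" for e in span))
        if max_targets >= target_threshold or max_fails >= fail_threshold:
            findings[src] = {"max_distinct_targets": max_targets,
                             "max_auth_failures": max_fails}
    return findings


if __name__ == "__main__":
    for src, stats in detect_smb_spreaders(SAMPLE_LOG).items():
        print(f"suspected SMB spreader {src}: {stats}")
```

In the constructed sample only 10.0.0.5 is reported, with six distinct targets and six failures in one window; the later lone event at 10:20 falls outside the window and does not inflate the count. On a real network the thresholds need tuning against baseline file-server traffic, and hosts that legitimately talk to many peers on 445 (backup or management servers) should be allow-listed before alerting.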

“We have established that the vast majority of the servers, which are serving the initial payload, are running on relatively old versions of Windows Server running IIS version 7.5 and Microsoft FTP, which are known to have multiple vulnerabilities with varying severity levels,” said Guardicore Labs’ Amit Serper.

The number of Purple Fox infections rose to 90,000 over the rest of 2020 and the beginning of 2021.


© Fourth Estate® — All Rights Reserved.