Purple Fox, malicious Windows software that used to be known for infectious machines using exploitation kits and phishing emails, has now added a new technique to its arsenal that gives it worm-like propagation capabilities.
The ongoing campaign uses “a novel dissemination technique by scanning indiscriminate ports and exploiting open SMB services with passwords and weak hashes,” according to Guardicore researchers, who say the attacks have pocketed about 600% since May 2020.
The rest of 2020 and early 2021 saw a total of 90,000 incidents.
First discovered in March 2018, Purple Fox is distributed in the form of malicious “.msi” payloads hosted on nearly 2,000 threatened Windows servers that in turn download and implements a component with rootkit capabilities, which enables the threat actors to hide the malicious software. on the machine and make it easy to avoid detection.
Guardicore says that Purple Fox hasn’t changed much post-exploitation, but where it has been in its worm-like behavior, allowing the malicious software to spread more quickly.
It achieves this by breaking into a victim machine through an open vulnerability service such as a server message block (SMB), leverage the initial footer to establish persistence, extracting the payload from a network of Windows servers, and installing the root package on the host is stealthy. .
Once infected, the malicious software blocks multiple ports (445, 139, and 135), likely in an attempt to “prevent the infected machine from being re-infected, and / or exploited by an actor a different threat, ”notes Amit Serper, the new Guardicore vice president of security research for North America.
In the next step, Purple Fox begins its propagation process by generating IP ranges and scanning them on port 445, using the probes to extract vulnerable devices on the Internet with weak passwords and forcing them to bruise the device. machines into a botnet.
While botnets are often used by threat actors to launch network denial attacks against websites aimed at taking them offline, they can also be used to spread all forms of malware, including file encryption ransomware, on the infected computers, although in this case, it is not immediately clear what the attackers are looking to achieve.
If anything, the new infection vector is another sign of criminal operators constantly retooling their malicious software distribution mechanism to cast a wide net and compromise as many machines as possible. Details of the compromise indicators (IoCs) associated with the campaign can be found here.