Purple Fox Malware Campaign Deploys Rootkit and Looks for Exposed SMB Services, Research Finds

Security researchers have discovered a new campaign distributing malware named Purple Fox. Although it has been around for a few years, the operators now use new infection vectors and have enhanced the malware to ensure persistence and hide it from security solutions.

Purple Fox initially targeted Windows machines and the old Internet Explorer. The new campaign, researchers have found, tries to infect Windows machines by brute force over SMB.

“May of 2020 brought a significant amount of malicious activity and the number of infections that we have observed has risen by roughly 600% and amounted to a total of 90,000 attacks,” say the researchers from Guardicore Labs.

“While it appears that the functionality of Purple Fox hasn’t changed much post exploitation, its spreading and distribution methods – and its worm-like behavior – are much different than described in a previously published article,” they explained.

This means the distribution of the malware is not centralized; instead, the threat actors use servers they have already compromised to deliver it. Initial analysis indicates that almost 2,000 old, unpatched servers running IIS version 7.5 and Microsoft FTP are responsible for the attack.

The attackers have at least two infection vectors in their arsenal. They either send the initial payload in phishing schemes or infect Windows computers directly if they have exposed services and weak credentials.

One way the malware tries to stay hidden once it gains a foothold on a machine is to load the rootkit it comes with, which, surprisingly, is based on an open-source rootkit named ‘Hidden’. The malware reboots the system to ensure persistence, then starts probing the network for machines with port 445 open, looking for exposed SMB services.
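As an added example (not code from the article or from Guardicore's report), the following Python script flags hosts that contact many distinct peers on TCP port 445 within a short window, which is the worm-like SMB probing described above; the flow-log format, addresses and thresholds are constructed for illustration.

```python
# Added example: detect worm-like fan-out to TCP/445 in flow logs.
# Log format, hosts and thresholds below are constructed, not real data.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow-log lines: "<ISO time> <src ip> <dst ip> <dst port> <action>"
SAMPLE_LOG = """\
2020-05-04T10:00:01 10.0.0.5 10.0.0.20 445 allow
2020-05-04T10:00:02 10.0.0.5 10.0.0.21 445 deny
2020-05-04T10:00:02 10.0.0.5 10.0.0.22 445 deny
2020-05-04T10:00:03 10.0.0.5 10.0.0.23 445 deny
2020-05-04T10:00:03 10.0.0.5 10.0.0.24 445 deny
2020-05-04T10:00:04 10.0.0.5 10.0.0.25 445 deny
2020-05-04T10:00:05 10.0.0.7 10.0.0.20 445 allow
2020-05-04T10:00:06 10.0.0.7 10.0.0.20 445 allow
2020-05-04T10:00:07 10.0.0.9 10.0.0.30 80 allow
2020-05-04T10:30:00 10.0.0.7 10.0.0.31 445 allow
"""

SMB_PORT = "445"

def parse_flows(text):
    """Yield (timestamp, src, dst) for each TCP/445 flow; other ports are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[3] != SMB_PORT:
            continue
        yield datetime.fromisoformat(parts[0]), parts[1], parts[2]

def find_smb_scanners(text, min_targets=5, window=timedelta(seconds=60)):
    """Return {src: peak number of distinct TCP/445 destinations seen inside one
    window} for every source whose peak reaches min_targets."""
    per_src = defaultdict(list)
    for ts, src, dst in parse_flows(text):
        per_src[src].append((ts, dst))
    hits = {}
    for src, events in per_src.items():
        events.sort()
        peak = 0
        for i, (start, _) in enumerate(events):
            # Distinct destinations contacted in [start, start + window].
            targets = {d for t, d in events[i:] if t - start <= window}
            peak = max(peak, len(targets))
        if peak >= min_targets:
            hits[src] = peak
    return hits

if __name__ == "__main__":
    for src, n in find_smb_scanners(SAMPLE_LOG).items():
        print(f"{src}: {n} distinct SMB targets within 60s (possible worm scan)")
```

A legitimate file server client (10.0.0.7 above) talks repeatedly to one peer and is not flagged, while a host sweeping the subnet on 445 is.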

Security researchers also published a list of indicators of compromise.