Purple Fox, previously known for infecting Windows systems through various exploit kits and phishing campaigns, has evolved to include a new propagation technique that resembles worm-like behavior. Recent findings indicate a substantial uptick in its activity, with Guardicore researchers reporting a 600% increase in incidents since May 2020.

This latest campaign relies on a “novel spreading technique” that involves indiscriminate port scanning and the targeting of exposed SMB services with weak credentials. In total, around 90,000 Purple Fox incidents had been recorded by early 2021, pointing to a significant and sustained threat that requires vigilance from organizations.

Since its discovery in March 2018, Purple Fox has primarily been circulated via malicious “.msi” files residing on nearly 2,000 compromised Windows servers. These servers are crucial in facilitating the download and execution of components equipped with rootkit capabilities. Such features allow the malware to obscure its presence, making it harder for defenses to detect and respond effectively. While the core mechanisms of Purple Fox remain relatively unchanged, its newfound ability to spread rapidly constitutes a pivotal shift.

The infection process begins by accessing machines through inadequately secured services, particularly Server Message Block (SMB). This initial breach establishes a foothold, allowing the malware to maintain persistence while downloading the components needed to install the rootkit stealthily. After a successful infection, Purple Fox blocks ports 445, 139, and 135, likely to thwart any subsequent attempts at reinfection or exploitation by different threat actors, according to Amit Serper, Guardicore’s vice president of security research for North America.

As the propagation phase unfolds, Purple Fox systematically generates IP ranges and conducts scans on port 445. This targeting method facilitates the discovery of vulnerable devices across the Internet, leveraging weak passwords and brute-force techniques to integrate those machines into a botnet. While such botnets are often exploited for launching denial-of-service attacks, they can also serve as vehicles for deploying various types of malware, including ransomware. The precise objectives of this campaign, however, remain unclear.
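One defender-side check that follows from this description, added here as an illustration rather than taken from the article or Guardicore’s research: flag any host that opens connections to many distinct destinations on TCP/445 within a short window, which is the fan-out pattern the scanning phase produces. The log format, sample lines and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed connection-log lines (firewall/NetFlow style): "<ts> <src> -> <dst>:<port>".
# 10.0.0.5 fans out on 445 (scanner-like); 10.0.0.7 repeatedly hits one file server (normal); 10.0.0.9 fans out on 443 (ignored).
SAMPLE_LOG = """\
2021-03-01T10:00:00 10.0.0.5 -> 203.0.113.10:445
2021-03-01T10:00:02 10.0.0.5 -> 203.0.113.11:445
2021-03-01T10:00:04 10.0.0.5 -> 203.0.113.12:445
2021-03-01T10:00:06 10.0.0.5 -> 198.51.100.7:445
2021-03-01T10:00:08 10.0.0.5 -> 198.51.100.8:445
2021-03-01T10:00:10 10.0.0.5 -> 198.51.100.9:445
2021-03-01T10:00:01 10.0.0.7 -> 10.0.0.20:445
2021-03-01T10:00:03 10.0.0.7 -> 10.0.0.20:445
2021-03-01T10:00:05 10.0.0.7 -> 10.0.0.20:445
2021-03-01T10:00:01 10.0.0.9 -> 203.0.113.50:443
2021-03-01T10:00:02 10.0.0.9 -> 203.0.113.51:443
"""


def parse_line(line):
    """Parse one constructed log line into (timestamp, src_ip, dst_ip, dst_port)."""
    ts, src, _arrow, dst = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst_ip, int(dst_port)


def find_smb_scanners(lines, window=timedelta(seconds=60), min_targets=5, port=445):
    """Return {src_ip: distinct_targets} for sources that reached at least `min_targets`
    distinct destination IPs on `port` inside any `window`. Thresholds are illustrative."""
    events = defaultdict(list)
    for line in filter(None, map(str.strip, lines)):
        ts, src, dst_ip, dst_port = parse_line(line)
        if dst_port == port:
            events[src].append((ts, dst_ip))
    flagged = {}
    for src, evs in events.items():
        evs.sort()  # the sliding window below needs events in time order
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {dst for _, dst in evs[start:end + 1]}
            if len(distinct) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    for src, n in find_smb_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {n} distinct SMB targets within one window")
```

Tune `window` and `min_targets` against the environment’s normal SMB baseline so that backup servers and domain controllers, which legitimately contact many hosts on 445, are not flagged.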

Overall, the emergence of this sophisticated infection technique underscores the ongoing evolution of cybercriminal tactics designed to compromise as many systems as possible. Organizations committed to maintaining robust cybersecurity measures must remain vigilant, as this shift highlights the need for continuous adaptation in the face of evolving threats. For further details on the indicators of compromise related to this campaign, organizations can access the information via Guardicore’s repository.
