Purple Fox Evolves with Worm Capabilities
Purple Fox, a notorious malware campaign that historically relied on phishing and exploit kits to spread, has now been found to have upgraded its toolkit with worm capabilities, allowing the malware to spread without human interaction. This upgrade lets the malware brute-force its way into a victim’s machine on its own, using SMB password brute forcing. In addition to the worm capabilities, Purple Fox now also includes a rootkit that lets the threat actors hide the malware on the machine, making it difficult to detect and remove.
Once the worm infects a victim’s machine, it creates a new service to establish persistence and executes a simple command that iterates through a number of URLs hosting the MSI that installs Purple Fox on the compromised machine. As the installation progresses, the installer extracts the payloads from within the MSI package and decrypts them; this activity includes modifying the Windows firewall so as to prevent the infected machine from being reinfected or exploited by a different threat actor, researchers observed.
The extracted files are then executed, and a rootkit, originally developed by a security researcher to keep malware research tasks hidden from the malware itself, is installed to hide various registry keys and values, files, and other artifacts.
The installer then reboots the machine, both to rename the malware dynamic link library (DLL) to a system DLL file that will be executed on boot and to execute the malware, which immediately begins its propagation process. This entails generating IP ranges and scanning them on port 445 to start the brute-forcing process, researchers said. If authentication succeeds, the malware creates a service that downloads the MSI installation package from one of the many HTTP servers in use, completing the infection loop, according to researchers.
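The propagation step described above, sweeping generated IP ranges on port 445 before the SMB brute force, is the part a defender can look for in network telemetry. The following is an added example, not code from the original article or the researchers: a small Python detector that flags any host contacting many distinct peers on TCP/445 inside a short window, run over constructed connection-log lines; the 60-second window and the threshold of 20 peers are assumed tuning values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real telemetry): "<ISO timestamp> <src> <dst> <dport>".
# Host 10.0.0.5 sweeps 10.0.1.1-10.0.1.30 on 445 within 30 s, the fan-out pattern of a
# worm scanning a generated range; 10.0.0.7 only talks to its usual file servers.
SAMPLE_LOG = [
    f"2021-03-24T10:00:{i:02d} 10.0.0.5 10.0.1.{i + 1} 445" for i in range(30)
] + [
    "2021-03-24T10:00:05 10.0.0.7 10.0.1.200 445",
    "2021-03-24T10:00:40 10.0.0.7 10.0.1.200 445",
    "2021-03-24T10:00:41 10.0.0.7 10.0.1.201 445",
    "2021-03-24T10:00:42 10.0.0.5 10.0.1.50 80",   # non-SMB traffic is ignored
]

def parse(lines):
    """Yield (timestamp, src, dst, dport) tuples, skipping malformed lines."""
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, dport = parts
        try:
            yield datetime.fromisoformat(ts), src, dst, int(dport)
        except ValueError:
            continue

def smb_fanout(lines, window=timedelta(seconds=60)):
    """Return {src: max number of distinct hosts contacted on TCP/445 within any window}."""
    per_src = defaultdict(list)
    for ts, src, dst, dport in parse(lines):
        if dport == 445:
            per_src[src].append((ts, dst))
    result = {}
    for src, events in per_src.items():
        events.sort()                       # sliding window over time-ordered events
        best, start = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({d for _, d in events[start:end + 1]}))
        result[src] = best
    return result

def flag_scanners(lines, threshold=20, window=timedelta(seconds=60)):
    """Sources whose port-445 fan-out meets the threshold (threshold is an assumed tuning value)."""
    return sorted(src for src, n in smb_fanout(lines, window).items() if n >= threshold)

if __name__ == "__main__":
    print(flag_scanners(SAMPLE_LOG))  # → ['10.0.0.5']
```

A host flagged this way is a candidate for the worm's scanning stage; pairing the alert with a burst of failed SMB logons from the same source on the targets narrows it to the brute-force behaviour the article describes.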
Purple Fox is only the latest malware to be retooled with “worm” capabilities; other malware families like the Rocke Group and the Ryuk ransomware have also added self-propagation functionalities.