Purple Fox Rootkit Now Propagates as a Worm

The Guardicore Labs team has been tracking a new campaign distributing the Purple Fox malware. Purple Fox was first discovered in March 2018 and was initially described as an exploit kit that targeted Internet Explorer and Windows machines with various privilege escalation exploits.

However, from the end of 2020 through the beginning of 2021, the Guardicore Global Sensors Network (GGSN) detected a novel spreading technique used by Purple Fox: indiscriminate port scanning followed by exploitation of exposed SMB services that are protected only by weak passwords or hashes.

While Purple Fox’s post-exploitation functionality appears largely unchanged, its spreading and distribution methods, and in particular its worm-like behaviour, differ considerably from what previously published articles described. Throughout the research, Guardicore observed an infrastructure that appears to be made up of a hodge-podge of vulnerable and exploited servers hosting the initial payload of the malware, infected machines serving as nodes of the constantly worming campaigns, and server infrastructure that appears to be related to other malware campaigns.

Their findings include:

  • Purple Fox is an active malware campaign targeting Windows machines.
  • Until recently, Purple Fox’s operators infected machines using exploit kits and phishing emails.
  • Guardicore Labs has identified a new infection vector in which internet-facing Windows machines are breached through SMB password brute force.
  • Guardicore Labs has also identified Purple Fox’s vast network of compromised servers hosting its dropper and payloads. These servers appear to be compromised Microsoft IIS 7.5 servers.
  • The Purple Fox malware includes a rootkit that allows the threat actors to hide the malware on the machine, making it difficult to detect and remove.
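The SMB brute-force vector described above leaves a recognisable trail on the target: a burst of failed network logons from one source address, often against several account names. The following detection logic is an added example and is not code from the Guardicore write-up or from the Purple Fox research; it assumes that failed SMB authentications are recorded as Windows Security event 4625 with LogonType 3 (network logon) and a source IpAddress, and the event records it processes are constructed sample data, not real Purple Fox telemetry. The function name, window size and threshold are choices made for illustration.

```python
"""Flag sources performing SMB password brute force from Windows failed-logon events.

Added example (not from the original article). Assumes failed SMB logons appear as
Security event 4625 with LogonType 3 and an IpAddress field. All event records
below are constructed sample data; hosts, users and addresses are made up.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625   # Windows Security: "An account failed to log on"
NETWORK_LOGON = 3     # LogonType 3 is the type SMB/CIFS authentication produces


def detect_smb_brute_force(events, window_seconds=60, threshold=5):
    """Return {source_ip: {"failures": n, "users": [...]}} for every source that
    reaches `threshold` failed network logons inside any `window_seconds` window.

    Only event 4625 with LogonType 3 is considered; interactive failures and
    successful logons are ignored so a console user mistyping is not flagged.
    """
    attempts_by_ip = defaultdict(list)
    for ev in events:
        if ev["event_id"] != FAILED_LOGON or ev["logon_type"] != NETWORK_LOGON:
            continue
        attempts_by_ip[ev["ip"]].append((datetime.fromisoformat(ev["time"]), ev["user"]))

    window = timedelta(seconds=window_seconds)
    alerts = {}
    for ip, attempts in attempts_by_ip.items():
        attempts.sort()                 # sliding window needs chronological order
        recent = deque()
        for when, user in attempts:
            recent.append((when, user))
            while recent and when - recent[0][0] > window:
                recent.popleft()        # drop attempts that fell out of the window
            if len(recent) >= threshold:
                alerts[ip] = {
                    "failures": len(attempts),
                    "users": sorted({u for _, u in attempts}),  # targeted account names
                }
                break                   # one alert per source is enough
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Six failures in 19 seconds from one address, cycling through accounts: brute force.
    {"time": "2021-03-01T10:00:00", "event_id": 4625, "logon_type": 3, "ip": "198.51.100.7", "user": "Administrator"},
    {"time": "2021-03-01T10:00:03", "event_id": 4625, "logon_type": 3, "ip": "198.51.100.7", "user": "Administrator"},
    {"time": "2021-03-01T10:00:07", "event_id": 4625, "logon_type": 3, "ip": "198.51.100.7", "user": "admin"},
    {"time": "2021-03-01T10:00:11", "event_id": 4625, "logon_type": 3, "ip": "198.51.100.7", "user": "admin"},
    {"time": "2021-03-01T10:00:15", "event_id": 4625, "logon_type": 3, "ip": "198.51.100.7", "user": "backup"},
    {"time": "2021-03-01T10:00:19", "event_id": 4625, "logon_type": 3, "ip": "198.51.100.7", "user": "backup"},
    # A user mistyping a password twice, minutes apart, then succeeding: benign.
    {"time": "2021-03-01T10:02:00", "event_id": 4625, "logon_type": 3, "ip": "192.0.2.10", "user": "jdoe"},
    {"time": "2021-03-01T10:05:30", "event_id": 4625, "logon_type": 3, "ip": "192.0.2.10", "user": "jdoe"},
    {"time": "2021-03-01T10:06:00", "event_id": 4624, "logon_type": 3, "ip": "192.0.2.10", "user": "jdoe"},
] + [
    # Repeated interactive (console) failures: not SMB, so outside this rule's scope.
    {"time": f"2021-03-01T10:07:{s:02d}", "event_id": 4625, "logon_type": 2, "ip": "127.0.0.1", "user": "svc"}
    for s in range(0, 30, 5)
]


if __name__ == "__main__":
    for ip, info in detect_smb_brute_force(SAMPLE_EVENTS).items():
        print(f"{ip}: {info['failures']} failed SMB logons against {', '.join(info['users'])}")
```

The rule deliberately keys on LogonType 3 rather than on every 4625 event; on a real host, feed it the 4625 events exported from the Security log (for example via `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625}`), and tune the window and threshold to the host's normal failure rate before alerting on it.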

Read the full article by Amit Serper and Ophir Harpaz, which details Guardicore’s findings about the new worm activity and shares IOCs.

Contact your local Exclusive Networks Account Manager to find out more about how Guardicore’s Centra Security Platform can help you gain greater security and visibility in the cloud, data centre and endpoint and protect against attacks such as Purple Fox.