The operators of the Purple Fox botnet have changed how they distribute the malware and are now compromising Windows devices by brute-forcing SMB passwords, Guardicore researchers said.
🧵👇 It’s here! Our Labs team unveils new distribution methods discovered for #PurpleFox, an active malware campaign targeting Windows machines. Great work @0xAmit and @OphirHarpaz 👏
Link: 👉https://t.co/aCiwsiE57h
— Guardicore has new research out on #PurpleFox (@Guardicore) March 23, 2021
The campaign has been active since 2018 and initially relied on exploit kits and phishing emails; the botnet acquired its worm-like propagation only at the end of 2020.
Purple Fox scans for exposed SMB services protected by weak passwords or hashes and breaks in by brute-forcing them. Once inside the victim’s machine, the operators add it to a botnet whose primary task is covert cryptocurrency mining.
A rootkit hampers detection and removal of the malware.
Guardicore Labs identified an extensive network of compromised Microsoft IIS 7.5 servers hosting the Purple Fox dropper (a malicious program whose task is to covertly install on the computer the other malicious components it carries in its body) and its payload.
Guardicore specialist Amit Serper published detailed information about the Purple Fox attacks, also attaching indicators of compromise that will help victims identify signs of the worm’s presence.
Earlier in March, Kaspersky Lab experts detected a new malware program that hijacks the resources of Windows-based systems to mine Monero.
