{"id":39468,"date":"2021-03-24T11:18:37","date_gmt":"2021-03-24T09:18:37","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=39468"},"modified":"2025-08-30T09:44:05","modified_gmt":"2025-08-30T06:44:05","slug":"purple-fox-botnet-acquires-worm-like-traits-to-disseminate-a-hidden-miner","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/purple-fox-botnet-acquires-worm-like-traits-to-disseminate-a-hidden-miner\/","title":{"rendered":"Purple Fox botnet acquires worm-like traits to disseminate a hidden miner"},"content":{"rendered":"<p>The operators of the Purple Fox botnet have changed their method of distributing the malware and are now compromising Windows devices by brute-forcing SMB passwords, Guardicore researchers said.<!--more--><\/p>\n<blockquote class=\\\"twitter-tweet\\\">\n<p dir=\\\"ltr\\\" lang=\\\"en\\\">\ud83e\uddf5\ud83d\udc47 It\u2019s here! Our Labs team unveils new distribution methods discovered for <a href=\\\"https:\/\/twitter.com\/hashtag\/PurpleFox?src=hash&#038;ref_src=twsrc%5Etfw\\\">#PurpleFox<\/a>, an active malware campaign targeting Windows machines. Great work <a href=\\\"https:\/\/twitter.com\/0xAmit?ref_src=twsrc%5Etfw\\\">@0xAmit<\/a> and <a href=\\\"https:\/\/twitter.com\/OphirHarpaz?ref_src=twsrc%5Etfw\\\">@OphirHarpaz<\/a> \ud83d\udc4f<\/p>\n<p>Link: \ud83d\udc49<a href=\\\"https:\/\/t.co\/aCiwsiE57h\\\">https:\/\/t.co\/aCiwsiE57h<\/a> <a href=\\\"https:\/\/t.co\/3AzpIDxkO4\\\">pic.twitter.com\/3AzpIDxkO4<\/a><\/p>\n<p>\u2014 Guardicore has new research out on #PurpleFox (@Guardicore) <a href=\\\"https:\/\/twitter.com\/Guardicore\/status\/1374391350456504325?ref_src=twsrc%5Etfw\\\">March 23, 2021<\/a><\/p>\n<\/blockquote>\n<p><script async src=\\\"https:\/\/platform.twitter.com\/widgets.js\\\" charset=\\\"utf-8\\\"><\/script><\/p>\n<p>The hacker campaign has been ongoing since 2018 and initially relied on exploit kits and phishing emails. 
The botnet\u2019s worm-like properties were only acquired at the end of 2020.<\/p>\n<p>Purple Fox scans ports and unprotected SMB services with weak passwords and hashes, breaking in by brute-forcing. Once inside the victim&#8217;s computer, the malware operators construct a botnet whose primary task is covert cryptocurrency mining.<\/p>\n<p>A rootkit hampers detection and removal of the malware.<\/p>\n<p>Guardicore Labs identified an extensive network of compromised Microsoft IIS 7.5 servers hosting the [simple_tooltip content=&#8217;malicious program, whose task is to install on the computer other malicious programs (or other parts of the malicious complex) hidden from the user, contained in the body of the dropper&#8217;]dropper[\/simple_tooltip] Purple Fox and its payload.<\/p>\n<p>Guardicore specialist Amit Serper published detailed information about the Purple Fox attacks, also attaching indicators of compromise that will help victims identify signs of the worm&#8217;s presence.<\/p>\n<p>Earlier in March, Kaspersky Lab experts detected <a href=\"https:\/\/forklog.com\/en\/news\/fake-ad-blocker-caught-mining-monero\">a new malware program, hijacking the resources of Windows-based systems<\/a> for mining Monero.<\/p>\n<p>Subscribe to ForkLog News on Telegram: <a href=\\\"https:\/\/t.me\/forklogfeed\\\" target=\\\"_blank\\\" rel=\\\"nofollow noopener\\\">ForkLog Feed<\/a> \u2014 the full news feed, <a href=\\\"https:\/\/telegram.me\/forklog\\\" target=\\\"_blank\\\" rel=\\\"nofollow noopener\\\">ForkLog<\/a> \u2014 the most important news and polls.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Purple Fox botnet operators changed their distribution method and began hacking Windows devices by brute-forcing SMB passwords, according to Guardicore 
researchers.<\/p>\n","protected":false},"author":1,"featured_media":39469,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1573,1154],"class_list":["post-39468","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-botnet","tag-crimes"],"aioseo_notices":[],"amp_enabled":true,"views":"28","promo_type":"1","layout_type":"1","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/39468","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=39468"}],"version-history":[{"count":1,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/39468\/revisions"}],"predecessor-version":[{"id":39470,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/39468\/revisions\/39470"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/39469"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=39468"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=39468"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=39468"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}