Threat actors are running a new campaign of the Purple Fox malware; infections have spiked by about 600% according to Guardicore researchers.
Windows-Spreading Malware
Purple Fox now has worm capabilities and is being deployed by threat actors with a new spreading technique.
First discovered in 2018, the malware originally relied on exploit kits and phishing emails to spread.
It was previously known as an exploit kit that targeted Internet Explorer and Windows machines with various privilege-escalation exploits.
Recently, researchers identified a new infection vector: internet-facing Windows machines are being breached through SMB password brute forcing.
The malware targets Microsoft Windows machines and repurposes compromised systems to host its malicious payloads.
According to Guardicore Global Sensors Network (GGSN) data, the observed infrastructure appears to be:
- made up of a hodgepodge of vulnerable, exploited servers hosting the initial payload of the malware
- infected machines serving as nodes of the constantly worming campaigns
- server infrastructure that appears to be related to other malware campaigns
Attack Analysis
Purple Fox is distributed as malicious .msi payloads hosted on nearly 2,000 compromised Windows servers.
These in turn download and execute a component with rootkit capabilities, which lets the threat actors hide the malware on the machine and evade detection.
According to Guardicore, the campaign starts spreading in two ways:
- The worm payload is executed after a victim machine is compromised through a vulnerable exposed service (such as SMB).
Once code execution is achieved on the victim machine, a new service whose name matches the regex AC0[0-9]{1} (e.g. AC01, AC02, AC05) is created.
- Alternatively, the worm payload is delivered by email through a phishing campaign that exploits a browser vulnerability.
Attack Work Flow
Once code execution has been achieved on a target machine, the malware establishes persistence and runs a simple command with a for loop that iterates through a number of URLs, each hosting the MSI that installs Purple Fox on the machine.
The MSI installer disguises itself as a Windows Update package (each copy carries a different hash) and launches the installation.
As the installation progresses, the installer extracts and decrypts the payloads from within the MSI package, which contains three files:
- A 64-bit DLL payload (winupdate64).
- A 32-bit DLL payload (winupdate32).
- An encrypted file containing a rootkit.
Once those files are extracted, they are executed. First, the payload tampers with the Windows firewall, adding rules that block ports 445, 139 and 135 on both TCP and UDP for any remote IP address (0.0.0.0), so that nothing on the internet can reach those ports on the infected machine.
From the threat actor's point of view this is most likely an attempt to “prevent the infected machine from being reinfected, and/or to be exploited by a different threat actor”.
Second, Purple Fox begins propagating by generating IPv6 subnet ranges and scanning them on port 445, in order to maximise the efficiency of the spread over IPv6 subnets, which are usually unmonitored.
The last step of the deployment before restarting the machine is to load the rootkit hidden inside the encrypted payload in the MSI package.
According to Guardicore's analysis, the rootkit is based on the open-source “Hidden” rootkit project.
That project exists to hide registry keys and values, files and similar artifacts so that malware-analysis tooling stays hidden from the malware being studied; Purple Fox uses the same capability to hide its own artifacts on the infected machine.
Post Exploit
Once the rootkit is loaded, the installer reboots the machine.
The reboot is needed to rename the malware DLL to a system DLL file that is executed on boot, so once the machine restarts the malware runs again.
After it executes, the malware starts its propagation process: it generates IP ranges and scans them on port 445.
When a machine responds to the SMB probe sent on port 445, the researchers say, the malware will either:
- authenticate to SMB by brute-forcing usernames and passwords, or
- try to establish a null session (an anonymous SMB logon with empty credentials).
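The propagation loop described above (port-445 sweeps across generated IPv4 and IPv6 ranges, then brute-force or null-session logons) leaves a distinctive footprint in connection and SMB audit logs. The following is an added example written for this article, not Guardicore's tooling or the malware's code: it flags a source that probes many hosts on 445 within one minute (reporting how many targets were IPv6, since those subnets are usually unmonitored) and a source that racks up failed SMB logons against one target, noting whether a successful logon followed. The log format, thresholds and addresses are constructed assumptions; adapt the parser to your own firewall or SMB audit export.

```python
"""Flag SMB worm propagation (port-445 fan-out and logon brute force) in connection logs.

Added example for this write-up, not Guardicore's tooling. It parses a constructed,
space-separated log format ("<ISO8601 UTC> <src> <dst> <dport> <event>", where event is
syn, auth_fail or auth_ok); the field layout, thresholds and sample addresses are
assumptions to adapt to your own firewall or SMB audit export.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

SCAN_THRESHOLD = 20   # distinct 445/tcp targets from one source within a minute
FAIL_THRESHOLD = 10   # failed SMB logons against one target within a minute


def parse_line(line):
    ts, src, dst, dport, event = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src, "dst": dst, "dport": int(dport), "event": event}


def _minute(ts):
    """Bucket timestamps into one-minute windows (simple, deterministic grouping)."""
    return ts.replace(second=0, microsecond=0)


def find_scanners(records, port=445, threshold=SCAN_THRESHOLD):
    """Sources that probe >= threshold distinct hosts on `port` within one minute.
    Reports the busiest minute per source and how many targets were IPv6, since the
    worm deliberately sweeps (usually unmonitored) IPv6 subnets."""
    per_bucket = defaultdict(set)
    for r in records:
        if r["dport"] == port and r["event"] == "syn":
            per_bucket[(r["src"], _minute(r["ts"]))].add(r["dst"])
    hits = {}
    for (src, _), targets in per_bucket.items():
        if len(targets) >= threshold and len(targets) > hits.get(src, {}).get("targets", 0):
            v6 = sum(1 for t in targets if ipaddress.ip_address(t).version == 6)
            hits[src] = {"targets": len(targets), "ipv6_targets": v6}
    return hits


def find_bruteforce(records, port=445, threshold=FAIL_THRESHOLD):
    """(src, dst) pairs with >= threshold failed SMB logons in one minute, plus
    whether a successful logon from that source followed (brute force that worked)."""
    fails = defaultdict(int)
    for r in records:
        if r["dport"] == port and r["event"] == "auth_fail":
            fails[(r["src"], r["dst"], _minute(r["ts"]))] += 1
    flagged = {}
    for (src, dst, bucket), n in fails.items():
        if n >= threshold:
            later_ok = any(r["src"] == src and r["dst"] == dst and r["event"] == "auth_ok"
                           and r["ts"] >= bucket for r in records)
            flagged[(src, dst)] = {"failures": n, "succeeded_after": later_ok}
    return flagged


def analyse(lines):
    records = [parse_line(line) for line in lines]
    return find_scanners(records), find_bruteforce(records)


def build_sample():
    """Constructed log: 10.0.0.5 sweeps 25 IPv4 and 15 IPv6 hosts on 445, then
    brute-forces 10.0.1.7 (12 failures) and finally logs in. 10.0.0.9 is benign."""
    base = datetime(2021, 3, 23, 10, 0, 0)

    def stamp(seconds):
        return (base + timedelta(seconds=seconds)).strftime("%Y-%m-%dT%H:%M:%SZ")

    lines = [f"{stamp(i)} 10.0.0.5 10.0.1.{i} 445 syn" for i in range(25)]
    lines += [f"{stamp(25 + i)} 10.0.0.5 fd00::{i + 1:x} 445 syn" for i in range(15)]
    lines += [f"{stamp(40 + i)} 10.0.0.5 10.0.1.7 445 auth_fail" for i in range(12)]
    lines.append(f"{stamp(53)} 10.0.0.5 10.0.1.7 445 auth_ok")
    lines += [f"{stamp(5)} 10.0.0.9 10.0.1.20 445 syn",
              f"{stamp(6)} 10.0.0.9 10.0.1.20 445 auth_ok"]
    return lines


if __name__ == "__main__":
    scanners, brute = analyse(build_sample())
    for src, info in scanners.items():
        print(f"scan: {src} probed {info['targets']} hosts on 445 ({info['ipv6_targets']} IPv6)")
    for (src, dst), info in brute.items():
        print(f"brute force: {src} -> {dst}: {info['failures']} failures, "
              f"later success: {info['succeeded_after']}")
```

The one-minute bucketing is deliberately crude so the logic stays readable; a production rule would use a sliding window and tune the thresholds to the size of the monitored network. The "succeeded_after" flag is the part worth paging someone for: a burst of failures followed by a success is the exact moment the worm gains a new node.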
Once authentication succeeds, the malware creates a service whose name matches the regex AC0[0-9]{1} (e.g. AC01, AC02, AC05), which then downloads the MSI installation package from one of the many HTTP servers, completing the infection loop.
Security Recommendation
To keep machines safe, avoid downloading software from unknown sources and never disable security protections. Given the infection vector described here, SMB (port 445) should not be reachable from the internet, and internet-facing Windows hosts need strong, non-default passwords and anonymous (null-session) SMB access disabled.
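A host-side triage check for two of the indicators described in this analysis: the AC0<digit> service name the worm creates after a successful SMB logon, and the inbound firewall rules it adds to block 445, 139 and 135 from any address. This is an added example written for this article, not Guardicore's tooling or the malware's code; it parses the text output of `sc query` and `netsh advfirewall firewall show rule name=all`, and the sample output (including the rule name in it) is constructed. A block rule on these ports is also what a legitimately hardened host looks like, so treat a hit as a lead to correlate with the service name and the winupdate32/winupdate64 payload names, not a verdict.

```python
"""Host triage for two Purple Fox indicators: a service named AC0<digit>, and inbound
firewall rules that block 135/139/445 from any remote address.

Added example for this article, not Guardicore's tooling. Parses the text output of
`sc query` and `netsh advfirewall firewall show rule name=all` (run both on the host,
save the output, pass the text to triage()). The sample output below is constructed.
"""
import re

SERVICE_NAME_RE = re.compile(r"^AC0[0-9]$")   # service-name pattern given in the analysis
SMB_PORTS = {"135", "139", "445"}


def parse_sc_query(text):
    """Service names from `sc query` output (one SERVICE_NAME: line per service)."""
    return re.findall(r"^SERVICE_NAME:\s*(\S+)", text, flags=re.MULTILINE)


def parse_netsh_rules(text):
    """Split the netsh rule listing into one dict per rule, keyed by the 'Field:' labels."""
    rules, current = [], None
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z ]+):\s*(.*)$", line.strip())
        if not m:
            continue                      # separator lines and blanks
        key, value = m.group(1), m.group(2)
        if key == "Rule Name":
            current = {key: value}
            rules.append(current)
        elif current is not None:
            current[key] = value
    return rules


def suspicious_services(sc_text):
    return [s for s in parse_sc_query(sc_text) if SERVICE_NAME_RE.match(s)]


def smb_block_rules(netsh_text):
    """Inbound Block rules on 135/139/445 from RemoteIP 'Any': the worm's attempt to keep
    other attackers (and reinfection) out. Legitimate hardening looks identical, so this
    is a lead to correlate with the service check, not a verdict."""
    hits = []
    for rule in parse_netsh_rules(netsh_text):
        ports = {p.strip() for p in rule.get("LocalPort", "").split(",")}
        if (rule.get("Direction") == "In" and rule.get("Action") == "Block"
                and rule.get("RemoteIP") == "Any" and ports & SMB_PORTS):
            hits.append((rule["Rule Name"], rule.get("Protocol"), sorted(ports & SMB_PORTS)))
    return hits


def triage(sc_text, netsh_text):
    return {"services": suspicious_services(sc_text), "firewall": smb_block_rules(netsh_text)}


# Constructed sample output: one worm-style service and one worm-style rule next to
# benign entries. The rule name is made up; the malware's real rule name is not given here.
SC_SAMPLE = """\
SERVICE_NAME: Dhcp
DISPLAY_NAME: DHCP Client
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING

SERVICE_NAME: AC05
DISPLAY_NAME: AC05
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
"""

NETSH_SAMPLE = """\
Rule Name:                            Core Networking - DNS (UDP-Out)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Profiles:                             Domain,Private,Public
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             UDP
LocalPort:                            Any
RemotePort:                           53
Action:                               Allow

Rule Name:                            Block SMB (constructed)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            135,139,445
RemotePort:                           Any
Action:                               Block
"""

if __name__ == "__main__":
    print(triage(SC_SAMPLE, NETSH_SAMPLE))
```

On a live host the rootkit may hide the service from user-mode enumeration, so an empty result from `sc query` is not proof of a clean machine; the firewall rule listing and an offline look at the disk (for the winupdate32/winupdate64 payloads and the renamed system DLL) are the fallback when the service check comes back empty.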
Indicators of Compromise
The indicators published with the research are the IP addresses used by the malware, in two groups:
- payload-hosting servers' IP addresses (from which the malicious MSIs are downloaded)
- connect-back servers' IP addresses (with which the dropped malware communicates)