A new infection vector from the established malware puts internet-facing Windows systems at risk from SMB password brute-forcing.
A malware that has historically targeted exposed Windows machines through phishing and exploit kits has been retooled to add new “worm” capabilities.
Purple Fox, which first appeared in 2018, is an active malware campaign that until recently required user interaction or some kind of third-party tool to infect Windows machines. However, the attackers behind the campaign have now upped their game and added new functionality that can brute force its way into victims’ systems on its own, according to new Tuesday research from Guardicore Labs.
“Guardicore Labs have identified a new infection vector of this malware where internet-facing Windows machines are being breached through SMB password brute force,” Guardicore Labs’ Amit Serper said.
In addition to these new worm capabilities, Purple Fox malware now also includes a rootkit that allows the threat actors to hide the malware on the machine and make it difficult to detect and remove, he said.
Latest Attack Vector
Researchers analyzed Purple Fox’s latest activity and found two significant changes to how attackers are propagating malware on Windows machines. The first is that the new worm payload executes after a victim machine is compromised through a vulnerable exposed service (such as SMB).
Purple Fox also is using a previous tactic to infect machines with malware through a phishing campaign, sending the payload via email to exploit a browser vulnerability, researchers observed.
Once the worm infects a victim’s machine, it creates a new service to establish persistence and execute a simple command that can iterate through a number of URLs that include the MSI for installing Purple Fox on a compromised machine, said Serper.
“msiexec will be executed with the /i flag, in order to download and install the malicious MSI package from one of the hosts in the statement,” he explained. “It will also be executed with the /Q flag for ‘quiet’ execution, meaning, no user interaction will be required.”
Once the package is executed, the MSI installer will launch by impersonating a Windows Update package along with Chinese text, which roughly translates to “Windows Update” and random letters, he said. These letters are randomly generated between each different MSI installer to create a different hash and make it difficult to create links between different versions of the same MSI.
“This is a ‘cheap’ and simple way of evading various detection methods, such as static signatures,” Serper wrote.
As the installation progresses, the installer will extract the payloads and decrypt them from within the MSI package, activity that includes modifying the Windows firewall in such a way as to prevent the infected machine from being reinfected, and/or to be exploited by a different threat actor, researchers observed.
The extracted files are then executed and a rootkit—which “ironically” was developed by a security researcher to keep malware research tasks hidden from the malware itself — is installed that hides various registry keys and values, files, etc., according to Serper.
The installer then reboots the machine to both rename the malware dynamic link library (DLL) into a system DLL file that will be executed on boot as well as to execute the malware, which immediately begins its propagation process. This entails generating IP ranges and beginning to scan them on port 445 to start the brute-forcing process, researchers said.
If the authentication is successful, the malware will create a service that will download the MSI installation package from one of the many HTTP servers in use, completing the infection loop, according to researchers.
Previous Purple Fox Activity
Researchers identified nearly 3,000 servers previously compromised by the actors behind Purple Fox, which they have repurposed to host their droppers and malicious payloads, said Serper
“We have established that the vast majority of the servers, which are serving the initial payload, are running on relatively old versions of Windows Server running IIS version 7.5 and Microsoft FTP, which are known to have multiple vulnerabilities with varying severity levels,” he wrote.
Purple Fox was last seen engaging in significant malicious activity last spring and summer, with activity falling slightly off toward the end of the year and then ramping up again in early 2021, researchers said. Since May 2020, infections rose by about 600 percent for a total of 90,000 attacks at the time of the post, according to researchers.
Last July, for instance, the Purple Fox exploit kit (EK) added two new exploits targeting critical- and high-severity Microsoft vulnerabilities to its bag of tricks. At the time researchers said they were expecting attackers to add new functionality in the future as well.