
Purple Fox Rootkit Can Now Spread Itself to Other Windows Computers
2021-03-23 23:36

Purple Fox, a Windows malware previously known for infecting machines by using exploit kits and phishing emails, has now added a new technique to its arsenal that gives it worm-like propagation capabilities.

"Msi" payloads hosted on nearly 2,000 compromised Windows servers that, in turn, download and execute a component with rootkit capabilities, which enables the threat actors to hide the malware on the machine and make it easy to evade detection.

It achieves this by breaking into a victim machine through a vulnerable, exposed service such as server message block, leveraging the initial foothold to establish persistence, pull the payload from a network of Windows servers, and stealthily install the rootkit on the host.

Once infected, the malware blocks multiple ports, likely in an attempt to "prevent the infected machine from being reinfected, and/or to be exploited by a different threat actor," notes Amit Serper, Guardicore's new vice president of security research for North America.

In the next phase, Purple Fox commences its propagation process by generating IP ranges and scanning them on port 445, using the probes to single out vulnerable devices on the Internet with weak passwords and brute-forcing them to ensnare the machines into a botnet.
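One defender-side check for the port-445 fan-out described above, as an added example written for this page and not Guardicore's own detection logic: it parses constructed flow records and flags any source that reaches an unusually large number of distinct hosts on TCP 445 inside a short window. The record format, addresses and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records (not real Purple Fox telemetry): "timestamp src dst dport action".
# 10.0.0.5 sweeps a /24 on TCP 445 within a few seconds; 10.0.0.9 only talks to two file servers.
SAMPLE_FLOWS = [
    f"2021-03-23T10:00:{i // 10:02d}Z 10.0.0.5 203.0.113.{i} 445 deny" for i in range(1, 41)
] + [
    "2021-03-23T10:00:02Z 10.0.0.9 10.0.0.20 445 allow",
    "2021-03-23T10:00:03Z 10.0.0.9 10.0.0.21 445 allow",
    "2021-03-23T10:00:04Z 10.0.0.9 10.0.0.20 445 allow",
    "2021-03-23T10:00:05Z 10.0.0.5 198.51.100.7 443 allow",  # non-SMB traffic, ignored
]


def parse_flow(line):
    """Split one record into (timestamp, src, dst, dport, action)."""
    ts, src, dst, dport, action = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(dport), action


def find_smb_sweepers(lines, window=timedelta(seconds=60), min_targets=20):
    """Return {src: max distinct TCP-445 targets seen in any `window`-long period}
    for every source that hits at least `min_targets` distinct hosts on 445.
    Distinct destinations, not connection count, is the signal: a file-share
    client reconnects to the same few servers, a worm walks an address range."""
    per_src = defaultdict(list)  # src -> [(ts, dst)] for port-445 flows only
    for line in lines:
        ts, src, dst, dport, _ = parse_flow(line)
        if dport == 445:
            per_src[src].append((ts, dst))

    hits = {}
    for src, events in per_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until it spans at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= min_targets:
                hits[src] = max(hits.get(src, 0), len(targets))
    return hits


if __name__ == "__main__":
    for src, n in find_smb_sweepers(SAMPLE_FLOWS).items():
        print(f"possible SMB sweep from {src}: {n} distinct hosts on tcp/445")
```

Tune `window` and `min_targets` to the environment; hosts that legitimately enumerate many shares (backup or inventory systems) belong on an allow list rather than a lower threshold.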

While botnets are often deployed by threat actors to launch denial-of-service attacks against websites with the goal of taking them offline, they can also be used to spread all kinds of malware, including file-encrypting ransomware, to the infected computers, although in this case it's not immediately clear what the attackers are looking to achieve.
