Purple Fox, a Windows malware that was previously delivered via exploit kits and phishing emails, has been updated with an SMB password brute-forcing capability that lets it spread like a worm across Microsoft Windows machines.
First observed in March 2018, Purple Fox is distributed in the form of malicious ".msi" payloads hosted on nearly 2,000 compromised Windows servers that, in turn, download and execute a component with rootkit capabilities, which allows its operators to hide the malware on the machine and evade detection.
According to Guardicore researchers, the new campaign uses a "novel spreading technique via indiscriminate port scanning and exploitation of exposed SMB services with weak passwords and hashes." They also noted that since May 2020, the number of attacks involving Purple Fox has spiked by nearly 600% and amounted to a total of 90,000 attacks.
Guardicore says that the majority of the servers hosting the initial payload run relatively old versions of Windows Server with IIS version 7.5 and Microsoft FTP, which are known to carry multiple vulnerabilities.
The researchers identified two distinct spreading mechanisms involved in this campaign:
1. The worm payload is executed after a victim machine is compromised through a vulnerable exposed service (such as SMB).
2. The worm payload is sent via email through a phishing campaign (which could tie in with the previously published findings about Purple Fox) that exploits a browser vulnerability.
“As the machine responds to the SMB probe that's being sent on port 445, it will try to authenticate to SMB by brute forcing usernames and passwords or by trying to establish a null session,” Guardicore explains.
“If the authentication is successful, the malware will create a service whose name matches the regex AC0[0-9]{1} — e.g. AC01, AC02, AC05 that will download the MSI installation package from one of the many HTTP servers and thus will complete the infection loop.”
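The two quoted observations translate directly into host-side detection: a burst of failed network logons from one source (the SMB brute force), an anonymous network logon (the null session), and a new service whose name matches `AC0[0-9]`. The following Python is an added example written for this article; it is not Guardicore's code or the malware's. It assumes a SIEM has normalised Windows Security events 4625 (failed logon) and 4624 (successful logon) and System event 7045 (new service installed) into dicts with the field names used below; the sample events are constructed, and the brute-force threshold and window are assumed tuning values, not figures from the write-up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Service-name pattern quoted in the Guardicore write-up: "AC0" plus one digit.
PURPLE_FOX_SERVICE_RE = re.compile(r"^AC0[0-9]$")

# Constructed sample events (not real telemetry). Field names ("ts", "event_id",
# "host", "src_ip", "user", "logon_type", "service_name") are assumptions about
# how a SIEM would normalise the raw Windows events.
SAMPLE_EVENTS = [
    {"ts": "2021-03-24T10:00:01", "event_id": 4625, "host": "FS01", "src_ip": "10.0.0.7", "user": "administrator", "logon_type": 3},
    {"ts": "2021-03-24T10:00:02", "event_id": 4625, "host": "FS01", "src_ip": "10.0.0.7", "user": "admin", "logon_type": 3},
    {"ts": "2021-03-24T10:00:03", "event_id": 4625, "host": "FS01", "src_ip": "10.0.0.7", "user": "backup", "logon_type": 3},
    {"ts": "2021-03-24T10:00:04", "event_id": 4625, "host": "FS01", "src_ip": "10.0.0.7", "user": "guest", "logon_type": 3},
    {"ts": "2021-03-24T10:00:05", "event_id": 4625, "host": "FS01", "src_ip": "10.0.0.7", "user": "test", "logon_type": 3},
    {"ts": "2021-03-24T10:00:06", "event_id": 4625, "host": "FS01", "src_ip": "10.0.0.7", "user": "sqlsvc", "logon_type": 3},
    # Null session: a successful network logon by the built-in ANONYMOUS LOGON identity.
    {"ts": "2021-03-24T10:00:09", "event_id": 4624, "host": "FS01", "src_ip": "10.0.0.7", "user": "ANONYMOUS LOGON", "logon_type": 3},
    # Service install whose name matches the pattern quoted above.
    {"ts": "2021-03-24T10:00:30", "event_id": 7045, "host": "FS01", "service_name": "AC04"},
    # Benign noise: one mistyped password, a vendor service, and a local (type 2) failure.
    {"ts": "2021-03-24T10:05:00", "event_id": 4625, "host": "FS01", "src_ip": "10.0.0.22", "user": "jsmith", "logon_type": 3},
    {"ts": "2021-03-24T10:06:00", "event_id": 7045, "host": "FS01", "service_name": "AC0Monitor"},
    {"ts": "2021-03-24T10:07:00", "event_id": 4625, "host": "FS01", "src_ip": "10.0.0.22", "user": "jsmith", "logon_type": 2},
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def suspicious_service_installs(events):
    """(host, service_name) for every 7045 event whose name fully matches AC0[0-9]."""
    return [(e["host"], e["service_name"]) for e in events
            if e["event_id"] == 7045 and PURPLE_FOX_SERVICE_RE.match(e["service_name"])]


def brute_force_sources(events, threshold=5, window=timedelta(minutes=1)):
    """Source IPs with >= threshold failed network logons (4625, logon type 3)
    inside any sliding window; returns {src_ip: peak count in a window}.
    Logon type 3 is what SMB authentication produces, so local failures are ignored."""
    failures = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625 and e.get("logon_type") == 3:
            failures[e["src_ip"]].append(_parse(e["ts"]))
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


def null_session_logons(events):
    """(host, src_ip) for successful network logons by ANONYMOUS LOGON, i.e. null sessions."""
    return [(e["host"], e["src_ip"]) for e in events
            if e["event_id"] == 4624 and e.get("logon_type") == 3
            and e["user"] == "ANONYMOUS LOGON"]


def triage(events):
    """Correlate per host: an AC0x service install on a host that also saw SMB
    brute forcing or a null session is the highest-confidence alert."""
    brute = brute_force_sources(events)
    anon = null_session_logons(events)
    alerts = {}
    for host, svc in suspicious_service_installs(events):
        sources = {ip for h, ip in anon if h == host}
        sources |= {e["src_ip"] for e in events
                    if e["event_id"] == 4625 and e.get("host") == host
                    and e["src_ip"] in brute}
        alerts[host] = {"service": svc, "sources": sorted(sources)}
    return alerts


if __name__ == "__main__":
    for host, detail in triage(SAMPLE_EVENTS).items():
        print(f"{host}: service {detail['service']} installed after SMB activity from {detail['sources']}")
```

The per-signal functions are kept separate so that each can be tuned or alerted on independently; the service-name match alone is worth a medium-severity alert, while `triage` only fires when the install is preceded by the authentication pattern on the same host. The regex uses `match` with `^...$`, which is why the vendor-style `AC0Monitor` service is not flagged.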
More technical information, as well as Indicators of Compromise related to the ongoing campaign, can be found in the Guardicore write-up.