Purple Fox botnet gets worm properties to spread hidden miner

The operators of the Purple Fox botnet have changed the malware's distribution method and begun breaking into Windows devices by brute-forcing Server Message Block (SMB) passwords. This was reported by researchers at Guardicore.

It’s here! Our Labs team unveils new distribution methods discovered for #PurpleFox, an active malware campaign targeting Windows machines. Great work @0xAmit and @OphirHarpaz

Link: https://t.co/aCiwsiE57h

– Guardicore has new research out on #PurpleFox (@Guardicore), March 23, 2021

The campaign has been running since 2018 and initially relied on exploit kits and phishing emails. The botnet only gained worm capabilities at the end of 2020.

Purple Fox scans for open ports and exposed SMB services protected by weak passwords or hashes, then brute-forces its way in. Once it has penetrated the victim’s computer, the operators add it to a botnet whose main task is hidden cryptocurrency mining.
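Because the new spreading method is SMB password guessing, the defender-side signal is a burst of failed network logons (Windows Security event 4625, logon type 3) from a single source. The following is an added example, not code from the Guardicore report; the pipe-separated log lines and their field layout are constructed for illustration and do not represent a real export format.

```python
# Added example (not from the Guardicore report): flag SMB password
# brute-forcing from Windows Security events. Each failed guess lands on
# the target as event 4625 (failed logon), logon type 3 (network).
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: timestamp|event_id|logon_type|source_ip|target_user
SAMPLE_LOG = """\
2021-03-23T10:00:01|4625|3|10.0.0.7|administrator
2021-03-23T10:00:02|4625|3|10.0.0.7|admin
2021-03-23T10:00:02|4625|3|10.0.0.7|root
2021-03-23T10:00:03|4625|3|10.0.0.7|guest
2021-03-23T10:00:04|4625|3|10.0.0.7|user
2021-03-23T10:00:05|4624|3|10.0.0.7|administrator
2021-03-23T10:05:00|4625|2|10.0.0.9|alice
2021-03-23T10:06:00|4625|3|10.0.0.12|bob
"""

def parse_events(text):
    """Yield (time, event_id, logon_type, source_ip, user) per line."""
    for line in text.splitlines():
        if line.strip():
            ts, eid, ltype, src, user = line.split("|")
            yield datetime.fromisoformat(ts), int(eid), int(ltype), src, user

def find_smb_bruteforce(text, threshold=5, window=timedelta(minutes=1)):
    """Return {source_ip: summary} for sources with >= threshold network
    logon failures inside any sliding window of the given length."""
    failures, successes = defaultdict(list), set()
    for ts, eid, ltype, src, user in parse_events(text):
        if ltype != 3:          # only network logons (SMB, RPC, ...)
            continue
        if eid == 4625:
            failures[src].append((ts, user))
        elif eid == 4624:       # any success from a guessing source is
            successes.add(src)  # worth a closer look
    hits = {}
    for src, events in failures.items():
        events.sort()
        times = [t for t, _ in events]
        start = 0
        for end in range(len(times)):     # slide window over failures
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[src] = {"failures": len(events),
                             "users": sorted({u for _, u in events}),
                             "success_from_source": src in successes}
                break
    return hits
```

Running `find_smb_bruteforce(SAMPLE_LOG)` flags only 10.0.0.7: five distinct usernames failed within three seconds and a success followed, while the interactive-logon failure from 10.0.0.9 is ignored.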

A rootkit makes the malware difficult to detect and remove.

Guardicore Labs has identified a vast network of compromised Microsoft IIS 7.5 servers that host the Purple Fox dropper and its payloads.

Guardicore specialist Amit Serper has published detailed information on the Purple Fox attacks, along with indicators of compromise that let victims identify signs of the worm’s presence.

Earlier in March, Kaspersky Lab experts detected a new malicious program that hijacks the computing power of Windows-based systems to mine the Monero cryptocurrency.
