The operators of the Purple Fox botnet have changed their malware distribution method and begun compromising Windows machines by brute-forcing Server Message Block (SMB) passwords. This was reported by researchers at Guardicore.
– Guardicore has new research out on #PurpleFox (@Guardicore) March 23, 2021
The campaign has been running since 2018 and initially relied on exploit kits and phishing emails. The botnet only gained worm-like self-propagation at the end of 2020.
Purple Fox scans for exposed ports and insecure SMB services and brute-forces them using weak passwords and hashes. Once the victim's computer is compromised, the operators add it to a botnet whose main task is covert cryptocurrency mining.
A rootkit makes it difficult to detect and remove malware.
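As an added defender-side example (not code from the Guardicore report or from Purple Fox itself): the SMB brute-forcing described above shows up on a victim as a burst of failed network logons (Windows Event ID 4625, Logon Type 3) from a single source. The script below flags such sources in a constructed, simplified log; the line format, the five-failures-per-minute threshold and the sample addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one event per line: "timestamp event_id logon_type user source_ip".
# 203.0.113.7 hammers SMB with several accounts; 198.51.100.9 is a single stray failure.
SAMPLE_LOG = """\
2021-03-23T10:00:01 4625 3 administrator 203.0.113.7
2021-03-23T10:00:02 4625 3 admin 203.0.113.7
2021-03-23T10:00:02 4625 3 administrator 203.0.113.7
2021-03-23T10:00:03 4625 3 guest 203.0.113.7
2021-03-23T10:00:04 4625 3 administrator 203.0.113.7
2021-03-23T10:00:05 4625 3 backup 203.0.113.7
2021-03-23T10:05:00 4625 3 alice 198.51.100.9
2021-03-23T10:30:00 4625 3 administrator 203.0.113.7
"""

def parse_events(text):
    """Yield (timestamp, event_id, logon_type, user, source_ip) per log line."""
    for line in text.splitlines():
        if line.strip():
            ts, eid, ltype, user, ip = line.split()
            yield datetime.fromisoformat(ts), int(eid), int(ltype), user, ip

def find_smb_bruteforce(text, threshold=5, window=timedelta(minutes=1)):
    """Map source_ip -> sorted usernames tried, for every source that produced
    at least `threshold` failed network logons (4625, type 3) within `window`."""
    failures = defaultdict(list)           # source_ip -> [(ts, user), ...]
    for ts, eid, ltype, user, ip in parse_events(text):
        if eid == 4625 and ltype == 3:     # failed network logon: SMB, RPC, ...
            failures[ip].append((ts, user))
    hits = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:   # slide window start forward
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = sorted({u for _, u in events[start:end + 1]})
                break
    return hits

if __name__ == "__main__":
    for ip, users in find_smb_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {len(users)} accounts targeted: {', '.join(users)}")
```

A real deployment would read the events from the Security log (for example via `wevtutil` or a SIEM export) rather than from an inline string, and the list of usernames tried per source helps distinguish a password spray from a brute force against one account.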
Guardicore Labs has identified a large network of compromised Microsoft IIS 7.5 servers that host the Purple Fox dropper and its payloads.
Guardicore researcher Amit Serper has published a detailed analysis of the Purple Fox attacks, along with indicators of compromise that will allow victims to identify signs of the worm's presence.
Earlier in March, Kaspersky Lab experts detected a new malicious program that hijacks the processing power of Windows systems to mine the Monero cryptocurrency.