Purple Fox Malware Exposed Windows System – Read this to know!

Purple Fox malware was already known to spread through phishing emails and exploit kits, but an updated version now includes a worm module that lets it infect Internet-exposed Windows systems directly.

The malware was first identified in 2018; it infected about 30,000 devices and worked as a downloader that deploys other malware onto the victim's system. It also has rootkit and backdoor capabilities.

Purple Fox's exploit module was also observed targeting Windows systems, infecting users through web browser and memory-corruption vulnerabilities.

In May 2020 the malware was responsible for 90,000 attacks, and it is described as 600% more dangerous than others.


How Does This Malware Spread Over the Internet?

According to the investigation, the port-scanning and exploitation attempts began last year; this finding is based on telemetry data collected by the GGSN systems.

Once the malware lands on an exposed Windows system, it scans for other reachable devices on the Internet. Purple Fox's newly updated worm module then uses SMB password brute-forcing to infect them.

Purple Fox delivers its malware droppers and additional modules through an extensive network of bots, an army of around 2000 compromised servers.

Many of the devices enrolled in this botnet are Windows Server machines running IIS version 7.5 and Microsoft FTP; others run Microsoft SQL Server 2008 R2, Microsoft HTTP API httpd 2.0, and Microsoft Terminal Service.

The updated Purple Fox adopted worm-like behavior that lets the attackers infect servers by brute-forcing Internet-exposed SMB services; it also still uses phishing campaigns and web browser vulnerabilities to deploy its payloads.

According to the research, the infrastructure is a hodge-podge of vulnerable, exploited servers that host the malware's initial payloads; each newly infected machine in turn becomes a node in the worming campaign, and this server infrastructure appears to be related to other malware campaigns.


How Does This Malware Work?

After it is executed, and before it establishes persistence, Purple Fox downloads a rootkit module built on a hidden open-source rootkit; it uses this rootkit to hide the files, folders and Windows registry entries it drops while infecting the system.

Once the rootkit is deployed and the device is rebooted, the malware renames its DLL to match a Windows system DLL and configures it to load at system launch.

The malware is executed at system launch; after each infection, its worm behavior continuously scans the Internet for other targets, attempts to compromise them, and adds them to the botnet.

When a machine responds to the SMB probes sent to port 445, the malware attempts to authenticate to SMB by brute-forcing usernames and passwords, or by using null sessions.

If authentication succeeds, the malware creates a service whose name matches the regex AC0[0-9]{1} (for example AC01, AC02 or AC05); the service downloads the MSI installation package from the HTTP servers and completes the infection loop.
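The infection chain above (SMB probes on port 445, password brute-forcing or null sessions, then a service with an AC0[0-9] name) leaves traces a defender can look for in Windows event logs. The following detection script is an added example, not code from the original article or from the researchers it cites. It runs over constructed sample records shaped loosely like three real Windows events: System event 7045 (a service was installed), Security event 4625 (an account failed to log on) and Security event 4624 (an account was successfully logged on, which is how an anonymous null session appears); the simplified field names, the sample addresses and the failed-logon threshold are assumptions for the example.

```python
import re
from collections import Counter

# Constructed sample records (not real telemetry). Field names are simplified;
# real events carry many more fields. Logon type 3 is "Network", which is how
# SMB authentication over port 445 is recorded.
SAMPLE_EVENTS = [
    {"id": 4625, "ts": "2021-03-24T10:00:01", "logon_type": 3, "src": "203.0.113.7", "user": "Administrator"},
    {"id": 4625, "ts": "2021-03-24T10:00:02", "logon_type": 3, "src": "203.0.113.7", "user": "admin"},
    {"id": 4625, "ts": "2021-03-24T10:00:02", "logon_type": 3, "src": "203.0.113.7", "user": "test"},
    {"id": 4625, "ts": "2021-03-24T10:00:03", "logon_type": 3, "src": "203.0.113.7", "user": "guest"},
    {"id": 4625, "ts": "2021-03-24T10:00:03", "logon_type": 3, "src": "203.0.113.7", "user": "sql"},
    {"id": 4625, "ts": "2021-03-24T10:00:04", "logon_type": 3, "src": "203.0.113.7", "user": "backup"},
    {"id": 4624, "ts": "2021-03-24T10:00:05", "logon_type": 3, "src": "203.0.113.7", "user": "ANONYMOUS LOGON"},
    {"id": 4625, "ts": "2021-03-24T10:05:00", "logon_type": 3, "src": "198.51.100.4", "user": "bob"},
    {"id": 4625, "ts": "2021-03-24T10:06:00", "logon_type": 2, "src": "-", "user": "alice"},
    {"id": 7045, "ts": "2021-03-24T10:00:09", "service_name": "AC02", "image_path": "C:\\Windows\\Temp\\a.exe"},
    {"id": 7045, "ts": "2021-03-24T11:00:00", "service_name": "Spooler", "image_path": "C:\\Windows\\System32\\spoolsv.exe"},
    {"id": 7045, "ts": "2021-03-24T11:30:00", "service_name": "ACME-Updater", "image_path": "C:\\Program Files\\ACME\\upd.exe"},
]

# Service-name pattern reported for the worm: "AC0" followed by one digit.
# Anchored at both ends so unrelated names such as "ACME-Updater" do not match.
WORM_SERVICE_RE = re.compile(r"^AC0[0-9]$")

# Failed network logons from one source at which this example raises an alert
# (an assumed value; tune it for the environment being monitored).
FAILED_LOGON_THRESHOLD = 5


def worm_service_installs(events):
    """Return the 7045 events whose service name matches the reported pattern."""
    return [e for e in events
            if e["id"] == 7045 and WORM_SERVICE_RE.match(e["service_name"])]


def brute_force_sources(events, threshold=FAILED_LOGON_THRESHOLD):
    """Map source address -> number of failed network logons, keeping only
    sources at or above the threshold (a password-guessing pattern)."""
    counts = Counter(e["src"] for e in events
                     if e["id"] == 4625 and e.get("logon_type") == 3)
    return {src: n for src, n in counts.items() if n >= threshold}


def null_session_logons(events):
    """Return 4624 events for anonymous network logons (null sessions)."""
    return [e for e in events
            if e["id"] == 4624 and e.get("logon_type") == 3
            and e["user"] == "ANONYMOUS LOGON"]


def findings(events):
    """One human-readable alert line per finding."""
    out = []
    for src, n in sorted(brute_force_sources(events).items()):
        out.append(f"possible SMB brute force: {n} failed network logons from {src}")
    for e in null_session_logons(events):
        out.append(f"anonymous network logon (null session) from {e['src']} at {e['ts']}")
    for e in worm_service_installs(events):
        out.append(f"suspicious service install: {e['service_name']} -> {e['image_path']} at {e['ts']}")
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_EVENTS):
        print(line)
```

The three checks are kept separate so each can be tuned on its own: the service-name match is high confidence on its own, while the failed-logon count and the anonymous logon are weaker signals that gain weight when they come from the same source shortly before the service install, as they do in the constructed sample.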
