The new capabilities of the malware have resulted in a rapid increase in the rate of infection. An improved variant of the Purple Fox malware, with automatic worm-like capabilities, is being deployed in a rapidly growing campaign of attacks.

Number of attacks is estimated at 90,000

Purple Fox , first discovered in 2018, is malware that previously relied on exploit kits and phishing emails to spread. However, a new campaign detected several weeks ago revealed a new method of spread leading to a high number of infections.
In a blog post on Tuesday , Guardicore Labs explains that Purple Fox is now spreading through "indiscriminate port scanning and exploitation of exposed SMB services with weak passwords and hashes."
Based on its Guardicore Global Sensors Network ( GGSN ) telemetry figures , the company estimates Purple Fox's business began to climb in May 2020. Although there was a lull between November 2020 and January 2021, researchers say the overall number of infections has increased by around 600% and the total number of attacks is currently estimated at 90,000.

2,000 servers hijacked

The malware targets Microsoft Windows machines and reuses compromised systems to host the malware.
According to Guardicore Labs, a "patchwork of vulnerable and exploited servers" harbors the initial malware payload. The majority of affected servers are running older versions of Windows Server with Internet Information Services (IIS) version 7.5 and Microsoft FTP.
The infection is spread through internet services containing vulnerabilities, such as SMB, browser vulnerabilities exploited through phishing, brute force attacks or deployment via rootkits.
As of today, nearly 2,000 servers have been hijacked by botnet operators Purple Fox.

Simple and inexpensive method

Guardicore Labs researchers claim that once attackers manage to execute code on the targeted machine, they are able to persist on infected devices by creating a new service that loops commands and extracts payloads from Purple Fox malicious URLs.
The malware's MSI installer masquerades as a Windows Update with different hashes, a feature the team calls a "cheap and easy" way to prevent investigators from linking the different malware infections.
Three malicious payloads are then extracted and decrypted. The first is to alter the capabilities of the Windows Firewall and filters are created to block a number of ports - potentially in an effort to prevent the vulnerable server from being re-infected with other malware.

Purple Fox is loaded into a system DLL

An IPv6 interface is also installed for port scanning purposes and to "maximize dispatch efficiency over IPv6 (usually unmonitored) subnets," the team notes, before loading a rootkit and restarting the target machine.
Purple Fox is loaded into a system DLL to be executed at startup. Purple Fox will then generate ranges of IP addresses and begin scanning on port 445 to propagate. "When the machine responds to the SMB probe sent on port 445, it will try to authenticate to SMB by attempting a brute force attack on usernames and passwords or by trying to establish a session zero, ”say the researchers.
The malware has already adopted steganography to hide its local elevation of privilege executables in previous attacks. Indicators of Compromise (IoC) have been shared on GitHub .