A New Windows Wormable Botnet Is Growing

A new botnet has recently been targeting Microsoft Windows devices – and it is rapidly growing in size, according to researchers. The new infection technique allows the malware to spread from computer to computer.

History of Purple Fox

First spotted in 2018, the malware is called “Purple Fox”, and spreads itself through phishing emails and exploit kits. The malware makes it possible for threat groups to infect machines using existing security flaws.

Researchers Amit Serper and Ophir Harpaz from security firm Guardicore identified the malware in a blog post. According to Serper and Harpaz, the malware targets internet-facing computers with weak passwords running Microsoft Windows.

How Does Purple Fox Malware Work?

Purple Fox attempts to guess passwords against the SMB (Server Message Block) component of Microsoft Windows. SMB is a widely used protocol that lets Windows machines communicate with other network devices such as printers and servers, and it is frequently abused when left exposed and unprotected. Once the malware gains access to a computer, it downloads its payload from a network of already compromised, internet-exposed Windows computers. The malware then silently downloads a rootkit in the background and installs it on the target machine, which makes Purple Fox difficult to detect or remove from the affected system.

After infecting the target machine, the malware closes all the firewall ports it used to get in. According to the researchers, this manoeuvre prevents reinfection and stops other software or threat actors from hijacking the already compromised computer.

Once Purple Fox has infected a machine, it generates a list of internet IP addresses and scans them for other vulnerable devices with weak passwords. By infecting additional computers, Purple Fox builds a growing network of infected machines.
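The spreading technique described above, password guessing against exposed SMB, leaves a recognisable trail on the victim: a burst of failed network logons (Windows Security Event ID 4625 with LogonType 3) from a single source address, often across several account names. The following detector is an added example written for this post; it is not Guardicore's code or anything from the Purple Fox research. It assumes a simple one-line-per-event `key=value` export, constructed here for illustration, and flags any source IP that exceeds a threshold of failed network logons inside a sliding time window.

```python
"""Flag SMB password-guessing bursts in Windows failed-logon events.

Added example, not code from the original post or from Guardicore.
Assumes a constructed export format: an ISO timestamp followed by
key=value fields (EventID, LogonType, Account, SourceIP). Real log
exports vary, so parse_line() is the part to adapt.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). EventID 4625 is a failed
# logon; LogonType 3 is a network logon, which is what SMB authentication
# produces. 203.0.113.7 hammers several accounts within ten seconds, while
# 198.51.100.4 shows two isolated failures five minutes apart.
SAMPLE_LOG = """\
2021-03-24T10:00:01 EventID=4625 LogonType=3 Account=Administrator SourceIP=203.0.113.7
2021-03-24T10:00:03 EventID=4625 LogonType=3 Account=admin SourceIP=203.0.113.7
2021-03-24T10:00:05 EventID=4625 LogonType=3 Account=Administrator SourceIP=203.0.113.7
2021-03-24T10:00:08 EventID=4625 LogonType=3 Account=backup SourceIP=203.0.113.7
2021-03-24T10:00:10 EventID=4625 LogonType=3 Account=Administrator SourceIP=203.0.113.7
2021-03-24T10:00:12 EventID=4625 LogonType=2 Account=jsmith SourceIP=-
2021-03-24T10:00:15 EventID=4624 LogonType=3 Account=svc_backup SourceIP=198.51.100.4
2021-03-24T10:00:20 EventID=4625 LogonType=3 Account=jsmith SourceIP=198.51.100.4
2021-03-24T10:05:00 EventID=4625 LogonType=3 Account=Administrator SourceIP=198.51.100.4
"""


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if malformed."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        rec = {"time": datetime.fromisoformat(parts[0])}
    except ValueError:
        return None
    for field in parts[1:]:
        key, sep, value = field.partition("=")
        if not sep:
            return None
        rec[key] = value
    return rec


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {source_ip: {"failures": n, "accounts": [...]}} for every source IP
    that produced at least `threshold` failed network logons within `window`.

    Only EventID 4625 with LogonType 3 counts; interactive failures (type 2)
    and successful logons (4624) are ignored so a user mistyping a password
    at the console does not trigger an alert.
    """
    recent = defaultdict(deque)   # source_ip -> timestamps inside the window
    accounts = defaultdict(set)   # source_ip -> account names it tried
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if not rec or rec.get("EventID") != "4625" or rec.get("LogonType") != "3":
            continue
        ip = rec.get("SourceIP", "-")
        if ip == "-":
            continue
        ts = rec["time"]
        q = recent[ip]
        q.append(ts)
        accounts[ip].add(rec.get("Account", "?"))
        # Drop timestamps that have fallen out of the sliding window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alert = alerts.setdefault(ip, {"failures": 0})
            alert["failures"] = max(alert["failures"], len(q))
            alert["accounts"] = sorted(accounts[ip])
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['failures']} failed network logons, "
              f"accounts tried: {', '.join(info['accounts'])}")
```

With the defaults, only 203.0.113.7 is flagged: five failures in under ten seconds against three different account names, the pattern of an automated guesser rather than a forgetful user. The two failures from 198.51.100.4 sit outside the one-minute window and stay quiet. Thresholds are a tuning decision; the same function with a ten-minute window and a threshold of two would raise both addresses, which is usually too noisy on a busy file server.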

Botnets are networks of thousands of hacked devices controlled by criminal operators and used to launch attacks against organizations, typically denial-of-service attacks intended to knock networks offline. Botnets are also used to deploy further malware, send spam, or drop file-encrypting ransomware on infected computers.

The danger with the Purple Fox malware is that it spreads mainly on its own.

Serper, Guardicore’s vice president of security research for North America, said the wormable infection technique is “cheaper” to run than its earlier phishing and exploit kit effort.

“The fact that it’s an opportunistic attack that constantly scans the internet and looks for more vulnerable machines means that the attackers can sort of set it and forget it,” he said.

The tactic appears to be working. Infections of Purple Fox have skyrocketed by 600% since May 2020, according to data from Guardicore's network of internet sensors. The actual number of infections is likely to be much higher, potentially 90,000 infections over the past year.

Guardicore has published indicators of compromise to help network owners determine whether or not they are infected. The researchers do not know what the botnet will eventually be used for; however, its growing size presents a risk to organizations.

“We assume that this is laying the groundwork for something in the future,” said Serper.