Quote:A malware that has historically targeted exposed Windows machines through phishing and exploit kits has been retooled to add new “worm” capabilities.
Purple Fox, which first appeared in 2018, is an active malware campaign that until recently required user interaction or some kind of third-party tool to infect Windows machines. However, the attackers behind the campaign have now upped their game and added new functionality that can brute force its way into victims’ systems on its own, according to new Tuesday research from Guardicore Labs.
“Guardicore Labs have identified a new infection vector of this malware where internet-facing Windows machines are being breached through SMB password brute force,” Guardicore Labs’ Amit Serper said.
In addition to these new worm capabilities, Purple Fox malware now also includes a rootkit that allows the threat actors to hide the malware on the machine and make it difficult to detect and remove, he said.
Researchers analyzed Purple Fox’s latest activity and found two significant changes to how attackers are propagating malware on Windows machines. The first is that the new worm payload executes after a victim machine is compromised through a vulnerable exposed service (such as SMB).
Purple Fox also is using a previous tactic to infect machines with malware through a phishing campaign, sending the payload via email to exploit a browser vulnerability, researchers observed.
Once the worm infects a victim’s machine, it creates a new service to establish persistence and execute a simple command that can iterate through a number of URLs that include the MSI for installing Purple Fox on a compromised machine, said Serper.
Read more: Purple Fox Malware Targets Windows Machines With New Worm Capabilities | Threatpost
![[-]](https://www.geeks.fyi/images/collapse.png)
