The Windows malware known as Purple Fox has evolved to gain worm capabilities. In the past, Purple Fox targeted Windows machines through various attack methods such as phishing and exploits, before the malware evolved.
Guardicore Labs revealed that Purple Fox can now breach Windows machines through SMB brute-force attacks. The Purple Fox malware compromises IIS 7.5 servers to push rootkits, which then allow Purple Fox to hide itself within the Windows machine.
Once the payload is deployed, an MSI installer launches.
“The installer pretends to be a Windows Update package along with Chinese text which roughly translates to ‘Windows Update’ and random letters,” Guardicore Labs explained. “These letters are randomly generated between each different MSI installer to create a different hash and make it a bit difficult to tie between different versions of the same MSI.”
“This is a ‘cheap’ and simple way of evading various detection methods such as static signatures,” they continued. “We have [also] identified MSI packages with the same strings but with random null bytes appended to them in order to create different hashes of the same file.”
After the Windows machine is restarted, the malware launches and begins its propagation process by generating IP addresses and probing them on port 445. It then scans the network and brute-forces Windows SMB authentication.
Many companies are still running Windows servers and desktops with vulnerable SMB versions (SMBv1, SMBv2, and SMBv3). It is important to review what is enabled on your network and take the proper measures.
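A defender-side check for the two points above, added here as an example and not taken from the article or from Guardicore's report: it lists which SMB dialects the server accepts and whether SMB1 is still installed, then summarises recent failed network logons (Event ID 4625, Logon Type 3), the trace an SMB password-guessing campaign leaves in the Security log. It assumes a Windows host with the SmbShare module and rights to read the Security log; the 20-attempt threshold is an assumed value to be tuned per environment.

```powershell
# Added audit script (not from the original article). Assumes the SmbShare
# module is present and the caller can read the Security event log.

# Part 1: which SMB dialects does this host accept, and how is SMB hardened?
$cfg = Get-SmbServerConfiguration
[pscustomobject]@{
    SMB1Enabled       = $cfg.EnableSMB1Protocol
    SMB2And3Enabled   = $cfg.EnableSMB2Protocol   # SMB2 and SMB3 share this switch
    SigningRequired   = $cfg.RequireSecuritySignature
    EncryptionEnabled = $cfg.EncryptData
    AuditSMB1Access   = $cfg.AuditSmb1Access
} | Format-List

# SMB1 can remain installed even when the protocol switch is off; check the
# optional feature as well (on Windows Server use Get-WindowsFeature FS-SMB1).
$smb1Feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($smb1Feature) { "SMB1Protocol feature state: $($smb1Feature.State)" }

if ($cfg.EnableSMB1Protocol) {
    Write-Warning "SMB1 is enabled. Disable it with: Set-SmbServerConfiguration -EnableSMB1Protocol `$false -Force"
}

# Part 2: failed network logons (4625, LogonType 3) per source address, last 24h.
$threshold = 20   # assumed alerting threshold, tune for the environment
$since = (Get-Date).AddHours(-24)
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Source    = $d['IpAddress']
            Account   = $d['TargetUserName']
            LogonType = $d['LogonType']
        }
    } | Where-Object { $_.LogonType -eq '3' }   # type 3 = network logon (SMB, NTLM)

$failed | Group-Object Source | Where-Object { $_.Count -ge $threshold } |
    Sort-Object Count -Descending |
    ForEach-Object {
        $accounts = ($_.Group.Account | Sort-Object -Unique) -join ', '
        Write-Warning ("{0} failed network logons from {1} (accounts tried: {2})" -f $_.Count, $_.Name, $accounts)
    }
```

Run it in an elevated session; a single source address cycling through many account names in a short window is the pattern to escalate, and blocking inbound 445 from untrusted networks removes the exposure regardless of dialect.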