Purple Fox Malware is Back and More Dangerous

The Purple Fox malware, first discovered in 2018, is back with new capabilities, including worm functionality that lets it propagate quickly and has already infected thousands of servers.
 
The 2018 version of Purple Fox was distributed via exploit kits and phishing emails, but the latest version can scan for, and infect, vulnerable Windows systems connected to the Internet. Malware that uses an exploit kit is somewhat antiquated, but this new variant shows that exploit kits are still a cyber threat and should still be taken seriously.
 
Purple Fox was originally a fileless downloader malware that was delivered by the RIG exploit kit and infected around 30,000 systems. In 2019, it morphed and began to use Windows PowerShell to deliver and retrieve malware. Since January 2021, infection numbers have reached around 90,000 machines.
 
The primary purpose of Purple Fox is to find vulnerable systems and distribute malware onto them, including Trojans, information stealers, and ransomware. Initial infection usually occurs when a user visits a malicious site hosting the Purple Fox exploit kit. If the user's system has unpatched vulnerabilities that Purple Fox exploits, the malware is downloaded while the user is on the malicious site. Traffic to the malicious sites that deliver Purple Fox is usually driven by redirects from malicious advertisements and phishing emails.
 
So far, Purple Fox has created a botnet of almost 2,000 compromised servers, many of which are running Windows Server with Internet Information Services (IIS) 7.5 and Microsoft FTP, Microsoft RPC, Microsoft SQL Server 2008 R2, Microsoft HTTPAPI httpd 2.0, or Microsoft Terminal Services exposed to the Internet.
 
The vulnerabilities the malware targets include CVE-2019-1458, a local privilege elevation vulnerability in Windows, and CVE-2020-0674, an Internet Explorer vulnerability. Microsoft has patched both.
 
Purple Fox infections are preventable, because they depend on an unpatched system visiting a malicious site. The easiest way to prevent Purple Fox and other cyber threats is to regularly update and patch your systems. If you believe you may have been compromised by Purple Fox, contact us.
 
MCPc is a global data protection company that helps organizations dramatically minimize their risk of disruption from unforeseen events like malware and cyber-attacks by providing industry-best cybersecurity services to prepare your organization to be cyber resilient. Our goal is to help every client secure their future with the highest degree of security and the least amount of risk.