Purple Fox, a Windows malware previously known for infecting machines by using exploit kits and phishing emails, has now added a new technique to its arsenal that gives it worm-like propagation capabilities.
The ongoing campaign makes use of a “novel spreading technique via indiscriminate port scanning and exploitation of exposed SMB services with weak passwords and hashes,” according to Guardicore researchers, who say the attacks have spiked by about 600% since May 2020.
A total of 90,000 incidents have been spotted through the rest of 2020 and the beginning of 2021.
First discovered in March 2018, Purple Fox is distributed in the form of malicious “.msi” payloads hosted on nearly 2,000 compromised Windows servers that, in turn, download and execute a component with rootkit capabilities, which enables the threat actors to hide the malware on the machine and make it easy to evade detection.
Guardicore says Purple Fox hasn’t changed much post-exploitation, but where it has is in its worm-like behavior, allowing the malware to spread more rapidly.
It achieves this by breaking into a victim machine through a vulnerable, exposed service such as server message block (SMB),…