Purple Fox malware can now spread between Windows devices


A nasty malware strain affecting Windows machines, known as Purple Fox, has developed worm-like functionality that allows it to spread between devices automatically, with no user interaction required.

Purple Fox was first discovered in March 2018 as a malware strain that infected devices through exploit kits targeting Internet Explorer and through phishing emails.

Researchers with Guardicore, however, have identified new worm-like capabilities in Purple Fox that allow it to propagate a rootkit between targeted machines on its own.

The new campaign distributing Purple Fox, which has been running since the end of 2020, is based on a novel spreading technique combining indiscriminate port scanning and the exploitation of server message block (SMB) services with weak passwords.

To date, Guardicore’s researchers have identified 90,000 attacks, which amounts to a roughly 600% rise in the total number of infections since May 2020.

“While it appears that the functionality of Purple Fox hasn’t changed much post-exploitation, its spreading and distribution methods – and its worm-like behaviour – are much different than described in previously published articles,” said researcher Amit Serper.

“Throughout our research, we have observed an infrastructure that appears to be made out of a hodge-podge of vulnerable and exploited servers hosting the initial payload of the malware, infected machines which are serving as nodes of those constantly worming campaigns, and server infrastructure that appears to be related to other malware campaigns.”

Purple Fox operates from a large network of compromised servers that host its dropper and payload, the researchers also learned. The vast majority of the servers serving the initial payload are running relatively old versions of Windows Server with IIS version 7.5 and Microsoft FTP, both of which are known to have multiple vulnerabilities.

According to the findings, the wormable campaign can start spreading once a victim's machine has been compromised, either through a vulnerable service such as SMB, or through a payload delivered by a phishing email that exploits a browser vulnerability.

Once a machine is infected, the malware blocks several ports in order to prevent the infected machine from being reinfected or exploited by another malware strain.

Purple Fox then generates IP ranges and scans them on port 445 (SMB), probing for exposed devices with weak passwords and brute-forcing them to enlist the devices into the botnet.
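The spreading behaviour described above has a recognisable network signature: one internal host opening connections to many distinct addresses on TCP/445 within a short window, which a normal file-server client never does. The script below is an added example written for this page, not code from the article or from Guardicore; it runs the detection over a constructed firewall-log sample. The log line format, the 60-second window and the fan-out threshold are all assumptions and would need adjusting to a real environment.

```python
"""Flag hosts that fan out to many distinct targets on TCP/445 in a short window.

Added example for this page (not Guardicore's tooling). The log format below
is an assumed, simplified firewall export:
    <ISO-8601 timestamp> <action> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(seconds=60)   # assumed sliding window
THRESHOLD = 10                   # assumed distinct-target count that is suspicious

# Constructed sample traffic (not real data).
# One host, 10.0.5.17, probes 25 neighbours on 445 within 25 seconds.
SCANNER_LINES = [
    f"2021-03-23T10:00:{i:02d}Z ALLOW 10.0.5.17:{50000 + i} -> 10.0.6.{i + 1}:445 TCP"
    for i in range(25)
]
# Ordinary activity: a file-server client, some HTTPS, and one later denied probe.
BENIGN_LINES = [
    "2021-03-23T10:00:05Z ALLOW 10.0.5.22:49152 -> 10.0.7.10:445 TCP",
    "2021-03-23T10:00:40Z ALLOW 10.0.5.22:49153 -> 10.0.7.10:445 TCP",
    "2021-03-23T10:00:41Z ALLOW 10.0.5.22:49154 -> 10.0.7.11:445 TCP",
    "2021-03-23T10:00:42Z ALLOW 10.0.5.30:49200 -> 93.184.216.34:443 TCP",
    "2021-03-23T10:01:10Z DENY  10.0.5.17:50100 -> 10.0.6.40:445 TCP",
]
SAMPLE_LOG = "\n".join(SCANNER_LINES + BENIGN_LINES)


def parse_line(line):
    """Return (timestamp, src_ip, dst_ip, dst_port, proto), or None if unparsable."""
    parts = line.split()
    if len(parts) != 6 or parts[3] != "->":
        return None
    ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    src_ip, _ = parts[2].rsplit(":", 1)
    dst_ip, dst_port = parts[4].rsplit(":", 1)
    return ts, src_ip, dst_ip, int(dst_port), parts[5]


def find_smb_scanners(log_text, window=WINDOW, threshold=THRESHOLD):
    """Map each source IP that reached >= threshold distinct hosts on TCP/445
    inside any `window`-long interval to the largest fan-out observed for it.
    Denied connections count too: a scanner is identified by what it attempts."""
    events = defaultdict(list)  # src_ip -> [(timestamp, dst_ip), ...]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src_ip, dst_ip, dst_port, proto = rec
        if proto == "TCP" and dst_port == 445:
            events[src_ip].append((ts, dst_ip))

    flagged = {}
    for src_ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Drop events from the left until the window spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            fanout = len({dst for _, dst in evs[start:end + 1]})
            if fanout >= threshold:
                flagged[src_ip] = max(flagged.get(src_ip, 0), fanout)
    return flagged


if __name__ == "__main__":
    for src, fanout in find_smb_scanners(SAMPLE_LOG).items():
        print(f"possible SMB worm scan from {src}: "
              f"{fanout} distinct targets on 445 within {WINDOW.seconds}s")
```

Counting distinct destinations rather than raw connection attempts is what separates the worm's sweep from a busy but legitimate client that reconnects to the same file server; against the constructed sample, only 10.0.5.17 is reported. A host that is flagged is also a candidate for the port-blocking behaviour the article describes, so its new inbound firewall rules are worth checking alongside the scan.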

Purple Fox has even been on the NHS’ radar, with NHS Digital warning about its capabilities for months. It warned healthcare organisations about the malware’s capacity to exploit privilege escalation vulnerabilities in October 2020, for example, while recently issuing a warning over its use of SMB brute-force attacks to automatically propagate.

To prevent infection, NHS Digital advises that secure configurations are applied to all devices and that security updates are applied as soon as they’re available. Organisations should also apply tamper protection settings in security products where available.

Users, furthermore, should apply multi-factor authentication (MFA) and account lockout policies where practicable, while administrative accounts should be restricted to strictly necessary purposes.

Keumars Afifi-Sabet

Keumars Afifi-Sabet is a writer and editor who specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.