fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Purple Fox Malware Worms Its Way Into Exposed Windows Systems

Purple Fox Malware Worms Its Way Into Exposed Windows Systems

Purple Fox, a malware previously distributed via exploit kits and phishing emails, has now added a worm module that allows it to scan for and infect Windows systems reachable over the Internet in ongoing attacks.

The malware comes with rootkit and backdoor capabilities, was first spotted in 2018 after infecting at least 30,000 devices, and is used as a downloader to deploy other malware strains.

Purple Fox’s exploit kit module has also targeted Windows systems in the past [12] to infect Windows users through their web browsers after exploiting memory corruption and elevation of privilege vulnerabilities.

Starting with May 2020, Purple Fox attacks have significantly intensified, reaching a total of 90,000 attacks and 600% more infections, according to Guardicore Labs security researchers Amit Serper and Ophir Harpaz.

Also Read: The Difference Between GDPR And PDPA Under 10 Key Issues

Image: Guardicore Labs

Internet-exposed Windows devices at risk

The malware’s active port scanning and exploitation attempts started at the end of last year based on telemetry collected using the Guardicore Global Sensors Network (GGSN).

After discovering an exposed Windows system while scanning for devices reachable over the Internet, Purple Fox’s newly added worm module uses SMB password brute force to infect it.

So far, Purple Fox has deployed its malware droppers and additional modules on an extensive network of bots, an army of almost 2,000 compromised servers, according to the Guardicore Labs report.

Devices ensnared in this botnet include Windows Server machines running IIS version 7.5 and Microsoft FTP, and servers running Microsoft RPC, Microsoft Server SQL Server 2008 R2, and Microsoft HTTPAPI httpd 2.0, and Microsoft Terminal Service.

While Purple Fox’s new worm-like behavior allows it to infect servers by brute-forcing its way in via vulnerable Internet-exposed SMB services, it is also using phishing campaigns and web browser vulnerabilities to deploy its payloads.

“Throughout our research, we have observed an infrastructure that appears to be made out of a hodge-podge of vulnerable and exploited servers hosting the initial payload of the malware, infected machines which are serving as nodes of those constantly worming campaigns, and server infrastructure that appears to be related to other malware campaigns,” Serper and Harpaz said.

Purple Fox attack flow (Guardicore Labs)

Open-source rootkit used to gain persistence

Before restarting infected devices and gaining persistence, Purple Fox also install a rootkit module that uses the hidden open-source rootkit to hide dropped files and folders or Windows registry entries created on the infected systems.

After deploying the rootkit and rebooting the device, the malware will rename its DLL payload to match a Windows system DLL and will configure it to be launched on system start.

Once the malware is executed on system launch, each of the infected systems will subsequently exhibit same worm-like behavior, continuously scanning the Internet for other targets and attempting to compromise them and add them to the botnet.

Also Read: PDPA Compliance Singapore: 10 Areas To Work On

“As the machine responds to the SMB probe that’s being sent on port 445, it will try to authenticate to SMB by brute forcing usernames and passwords or by trying to establish a null session,” Guardicore Labs concludes.

“If the authentication is successful, the malware will create a service whose name matches the regex AC0[0-9]{1} — e.g. AC01, AC02, AC05 (as mentioned before) that will download the MSI installation package from one of the many HTTP servers and thus will complete the infection loop.”

Indicators of compromise (IOCs), including Purple Fox MSI drop sites and connect back servers, are available in this GitHub repository.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us