Purple Fox, a Windows-based exploit kit, has now been upgraded with a worm module that infects all the Windows systems reachable over the internet. The malware has rootkit and backdoor capabilities and is used as a downloader to spread other malware strains. It was first spotted in 2018 when it infected 30,000 devices.

What is happening?

According to security researchers from Guardicore Labs, Purple Fox-based attacks have increased significantly since May 2020, and reached a total of 90,000 attacks by March 2021, showing a whopping 600% increase in infections.
  • The malware scans the internet for any vulnerable Windows machines and after identifying an exposed Windows system, the worm module uses SMB password brute-force to infect it.
  • In addition, Purple Fox uses phishing campaigns and web browser vulnerabilities to deploy its payloads. So far, it has deployed its malware droppers and other modules on a network of bots.
  • Devices added in its network of bots include Windows machines running Windows IIS version 7.5, Microsoft FTP, Microsoft RPC, Microsoft Server SQL Server 2008 R2, Microsoft HTTPAPI/2.0, and Microsoft Terminal Service.

Establishing persistence

Just before restarting the infected devices, the exploit installs a rootkit module using an open-source rootkit named as hidden. This hidden rootkit can hide dropped files, folders, or registry entries created on infected Windows systems. 
After deploying the rootkit, the malware renames its DLL payload to match a Windows system DLL and configure it to launch at system startup.
Once the malware is executed on system launch, each infected system exhibits the same worm-like behavior.
It sends an SMB probe to other accessible machines and tries to brute-force the responding machines to gain access. 


Purple Fox leaves a small footprint, abuses legitimate tools, and uses DLL injection to stay ahead in its games. This shows how cybercriminals are getting smarter in using a multilayered approach, along with using living-off-the-land tactics, to keep moving across networks without leaving trails.

Cyware Publisher