skout-blog

Cybersecurity Threat Advisory 0018-21: Purple Fox Rootkit

Threat Update

The Purple Fox rootkit has recently improved propagation capabilities which makes it easier to spread through a network. This could make it easier for threat actors to steal data from or potentially infect compromised machines with other types of malware, such as ransomware. Malicious actors could also utilize these machines to establish persistence in one network and/or attack other networks. SKOUT recommends deploying advanced endpoint protection to protect against Purple Fox.

Technical Detail & Additional Information

WHAT IS THE THREAT?

Attacks with the Purple Fox rootkit has spiked about 600% since May, spreading through malicious .msi executables found in phishing emails. The new propagation capabilities take advantage of the SMB protocol using ports 445, 139, and 135. Once one machine is infected within the network, the rootkit attempts to infect other machines by brute-forcing passwords and hashes to pull them into a botnet. Organizations with weak policies will risk allowing this rootkit to spread through their network if one of their machines are infected.

WHY IS IT NOTEWORTHY?

This rootkit can spread rapidly through a network and lead to confidential information being leaked. The latest update of this malware shows that operators are making advances to compromise many machines. Due to the increased rate of infection and the high volume of incidents, organizations should be on the lookout and be wary of any infections.

WHAT IS THE EXPOSURE OR RISK?

After infection, the operators of the Purple Fox rootkit may utilize it to perform other attacks. The threat actors may steal sensitive data such as passwords, banking, or credit card information. They may also utilize the rootkit to spread ransomware within the network to encrypt your data, or attack and infect other networks. Depending on the methods used by the attackers, they may gain access to extremely sensitive information, or possibly even hurt a business to the point where they cannot operate.

WHAT ARE THE RECOMMENDATIONS?

To prevent infection, SKOUT recommends the following:

  • Deploy advanced endpoint-protection throughout your network and ensure the agents are updated.
  • Ensure vulnerable services such as SMB are not exposed to the internet.
  • Perform end user training to be wary of emails that may contain malicious links or attachments.
  • Implement email protection to defend against phishing attacks.

References:

For more in-depth information about the recommendations, please visit the following links:

If you have any questions, please contact our Security Operations Center.