The Computer Emergency Response Team of Ukraine (CERT-UA) is warning about a PurpleFox malware campaign that has infected at least 2,000 computers in the country.
The exact impact of this widespread infection and whether it has affected state organizations or regular people's computers hasn't been determined, but the agency has shared detailed information on how to locate infections and remove the malware.
PurpleFox is a modular Windows botnet malware first spotted in 2018 that ships with a rootkit module, allowing it to hide its components and persist across reboots.
It can be used as a downloader that introduces more potent second-stage payloads on compromised systems, offers its operators backdoor capabilities, and can also act as a distributed denial of service bot.
In October 2021, researchers noticed that new versions of PurpleFox switched to using WebSocket for command and control communications for stealth.
In January 2022, a campaign spread the malware under the guise of a Telegram desktop app.
CERT-UA used IoCs shared by Avast and TrendMicro to identify PurpleFox infections on Ukrainian computers, tracking the activity under the identifier 'UAC-0027'.
CERT-UA says PurpleFox typically infects systems when victims launch trojanized MSI installers, and highlights its self-propagation capabilities: it spreads to other hosts on the network using exploits for known flaws and by brute-forcing passwords.
The agency recommends isolating systems that run outdated OS versions and software using VLAN or physical network segmentation with incoming/outgoing filtering to prevent spreading.
CERT-UA monitored infected hosts between January 20 and 31, 2024, detecting 486 intermediate control server IP addresses, most of which are located in China.
CERT-UA notes that PurpleFox's removal is challenging because of its rootkit, but the agency describes methods that still detect and uproot the malware.
First, confirm the persistence mechanism: the malware registers a Windows service and stores its files in specific directories, and the rootkit hides both from detection and removal on the running system.
Next, boot from a LiveUSB or attach the infected drive to another computer, so the rootkit is not running and the malware's files can be found and deleted.
Then boot the system normally and remove the malware's service from the registry.
Finally, to avoid re-infection, which is very likely while other infected machines remain on the same network, enable the Windows firewall and add a rule that blocks incoming connections to ports 135, 137, 139, and 445 (RPC, NetBIOS, and SMB).
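The procedure above, as an added PowerShell example that is not CERT-UA's or BleepingComputer's code. It assumes the infected disk is attached to a clean Windows machine as drive E: (any drive letter works), that the SYSTEM hive is loaded under the hypothetical name HKLM\OfflineSYSTEM, and that the analyst supplies the service name to delete after reviewing the listing; no PurpleFox-specific service name, path or directory is hard-coded, because the article names none. One deliberate difference from the article's step order: the service key is removed from the offline hive while the disk is still attached to the clean machine, rather than after booting normally, since the running rootkit can hide the key from a live registry editor.

```powershell
# Added example (not from the article or CERT-UA). Run from an elevated PowerShell.
# Part 1 runs on the clean machine with the infected disk attached (or from a LiveUSB
# Windows PE); Part 2 runs on the cleaned host afterwards.
#
# Assumptions (labelled here and in the lead-in):
#   - The infected Windows volume is mounted as $InfectedRoot, e.g. 'E:'.
#   - 'OfflineSYSTEM' is an arbitrary mount name chosen for this example.
#   - The service name passed to Remove-OfflineService is analyst-supplied.

# --- Part 1: inspect and remove a service in the OFFLINE registry ------------

function Mount-OfflineSystemHive {
    param(
        [Parameter(Mandatory)] [string] $InfectedRoot,   # e.g. 'E:'
        [string] $MountName = 'OfflineSYSTEM'            # appears as HKLM\OfflineSYSTEM
    )
    $hive = Join-Path $InfectedRoot 'Windows\System32\config\SYSTEM'
    if (-not (Test-Path $hive)) { throw "SYSTEM hive not found at $hive" }
    # reg.exe load attaches a hive file from another Windows installation.
    & reg.exe load "HKLM\$MountName" $hive | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed (exit code $LASTEXITCODE)" }
    return "HKLM:\$MountName"
}

function Dismount-OfflineSystemHive {
    param([string] $MountName = 'OfflineSYSTEM')
    [GC]::Collect()              # release provider handles so the unload succeeds
    & reg.exe unload "HKLM\$MountName" | Out-Null
}

function Get-OfflineServices {
    # Lists every service in the offline hive with its binary path and start type.
    # The rootkit only hides entries from the running OS; the offline hive shows all.
    param([Parameter(Mandatory)] [string] $HivePath)    # e.g. 'HKLM:\OfflineSYSTEM'
    $current  = Get-ItemPropertyValue -Path "$HivePath\Select" -Name Current
    $services = "$HivePath\ControlSet00$current\Services"
    Get-ChildItem -Path $services | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            Name      = $_.PSChildName
            ImagePath = $p.ImagePath
            Start     = $p.Start     # 2 = automatic, 3 = manual, 4 = disabled
            Type      = $p.Type      # 1/2 = kernel/file-system driver, 16/32 = Win32 service
        }
    }
}

function Remove-OfflineService {
    # Deletes one service key (including its Parameters subkey) from the offline hive.
    param(
        [Parameter(Mandatory)] [string] $HivePath,
        [Parameter(Mandatory)] [string] $ServiceName     # analyst-supplied; hypothetical
    )
    $current = Get-ItemPropertyValue -Path "$HivePath\Select" -Name Current
    $key = "$HivePath\ControlSet00$current\Services\$ServiceName"
    if (-not (Test-Path $key)) { throw "service '$ServiceName' not present in offline hive" }
    Remove-Item -Path $key -Recurse -Force
}

# --- Part 2: block the lateral-movement ports the article names ---------------

function Block-SmbRpcInbound {
    # 135/tcp RPC endpoint mapper, 137/udp NetBIOS name service,
    # 139/tcp NetBIOS session, 445/tcp SMB. Rule names are arbitrary.
    $rules = @(
        @{ Name = 'Block-Inbound-RPC-135';  Protocol = 'TCP'; Port = 135 },
        @{ Name = 'Block-Inbound-NBNS-137'; Protocol = 'UDP'; Port = 137 },
        @{ Name = 'Block-Inbound-NBSS-139'; Protocol = 'TCP'; Port = 139 },
        @{ Name = 'Block-Inbound-SMB-445';  Protocol = 'TCP'; Port = 445 }
    )
    # Make sure the firewall is on for every profile before adding rules.
    Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True
    foreach ($r in $rules) {
        if (-not (Get-NetFirewallRule -Name $r.Name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -Name $r.Name -DisplayName $r.Name -Direction Inbound `
                -Action Block -Protocol $r.Protocol -LocalPort $r.Port -Profile Any | Out-Null
        }
    }
}

# Usage, with the infected disk attached as E: (service name is a placeholder):
# $hive = Mount-OfflineSystemHive -InfectedRoot 'E:'
# Get-OfflineServices -HivePath $hive |
#     Where-Object { $_.ImagePath -and $_.ImagePath -notmatch '(?i)(%SystemRoot%|\\Windows\\|^System32\\|^\\SystemRoot\\)' } |
#     Format-Table -AutoSize          # triage heuristic: services whose binary lives outside \Windows
# Remove-OfflineService -HivePath $hive -ServiceName 'SuspectService'
# Dismount-OfflineSystemHive
# Block-SmbRpcInbound                 # run on the cleaned host after it boots normally
```

The triage filter in the usage note is only a heuristic for narrowing the list; confirm a service against the Avast or TrendMicro IoCs before deleting it, and delete the files its ImagePath points to from the attached disk in the same session. Blocking inbound 139 and 445 also stops legitimate file sharing and remote management to that host, which is acceptable for a workstation being cleaned but should be revisited once the network is confirmed clear.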
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 01 Feb 2024 19:10:09 +0000