Security researchers have discovered that an old Windows malware has adapted a new attack vector to infect machines at an alarming rate.
Amit Serper and Ophir Harpaz from security specialists Guardicore spotted the Purple Fox malware exhibiting the new trait in an ongoing campaign.
“While it appears that the functionality of Purple Fox hasn’t changed much post exploitation, its spreading and distribution methods – and its worm-like behavior – are much different than described,” share the researchers as they break down the malware in a blog post.
We’re looking at how our readers use VPN for a forthcoming in-depth report. We’d love to hear your thoughts in the survey below. It won’t take more than 60 seconds of your time.
Worst is still to come
The researchers note that the Purple Fox malware campaign was first discovered in March 2018, and attacked the Internet Explorer web browser with various privilege escalation exploits that were usually passed along in phishing emails.
However, around the end of last year, the researchers observed the malware actively scanning and brute forcing its way into Internet-connected Windows machines. The new technique proved to be highly effective and the duo observed that the number of infected machines balloon by 600% in under a year.
The researchers believe the individuals behind the campaign have repurposed about two thousand Windows servers for the attacks. These servers are running relatively old versions of the IIS web server and Microsoft FTP with known exploitable vulnerabilities. Once the malware cracks the password, it connects with one of the compromised servers to fetch and install a rootkit to evade detection.
What makes the campaign really dangerous, besides its very effective attack vector, is the fact that the researchers aren’t sure about its intentions. “We assume that this is laying the groundwork for something in the future,” said one of the researchers speaking to TechCrunch.