Purple Fox Malware Gang Expands Their Tool Belt with Perkiler, a Rootkit That Can Spread as a Worm
Outdated Microsoft server products now face brute-force attacks against the Server Message Block (SMB) service, conducted by the Purple Fox malware gang with their malware of choice, Perkiler. SMB is the file-sharing protocol that lets Windows systems on the same network or domain share files.
Purple Fox first hit the scene in 2018, and until recently, required victim cooperation or a third-party tool to infect Windows devices. Recent changes, however, have seen the gang add new functionality that allows them to infect victims via brute-force attacks.
Purple Fox has been making headlines recently because the cybercriminals behind it have added worm-like capabilities to their toolkit, actively brute-forcing SMB logins to infect systems. Abusing SMB is not new: 2017's infamous WannaCry ransomware outbreak also spread through SMB vulnerabilities.
Perkiler also possesses a rootkit component that is used to mask malicious components’ existence and allows hackers to hide malware on the victim’s computer, making it harder to detect and remove.
Analyzing Purple Fox/Perkiler Attacks
Purple Fox’s worm payload begins to execute after the victim’s system is compromised via a vulnerable and exposed service, like the previously mentioned SMB. Notably, Purple Fox is also known to leverage phishing campaigns, sending the malware payload via email.
After the worm has infected the victim's computer, it creates a new service to establish persistence. That service runs a command which iterates through a list of URLs hosting the MSI (Windows Installer package) that installs Purple Fox on the compromised machine.
The MSI installer poses as a Windows Update package: its Chinese-language text translates to "Windows Update" followed by a string of random letters that is unique to each MSI installer. The malware payloads are then extracted and decrypted, and, according to researchers, the Windows Firewall is modified to prevent the infected machine from being exploited by a different threat actor.
As the malware files are extracted and executed, a rootkit that hides registry keys and values, files, and other components is installed as well. The installer then reboots the computer so the malware executes, renaming the malicious dynamic link library (DLL) to a system DLL name so that it is loaded as the computer restarts. Once the malware is authenticated, it creates a service that downloads the MSI installation package from one of the many HTTP servers in use, which completes the infection loop.
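The infection chain above leaves a recognisable footprint in Windows event logs: a burst of failed network logons from one source (Event ID 4625, logon type 3), then a new service installed on the same host (Event ID 7045) and a Windows Firewall rule change (Event ID 2004). The following detection script is an added example, not code from the article or from any researcher cited in it; the event records, hostnames, addresses and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry): twelve failed network
# logons from one source in under a minute, then a service install and a
# firewall rule change on the same host, plus an unrelated event elsewhere.
SAMPLE_EVENTS = [
    {"ts": f"2021-03-23T10:00:{s:02d}", "id": 4625, "logon_type": 3,
     "src": "198.51.100.7", "host": "srv01"} for s in range(0, 48, 4)
] + [
    {"ts": "2021-03-23T10:03:10", "id": 7045, "host": "srv01",
     "detail": "service installed: ms_update_helper"},
    {"ts": "2021-03-23T10:03:40", "id": 2004, "host": "srv01",
     "detail": "firewall rule added"},
    {"ts": "2021-03-23T11:00:00", "id": 7045, "host": "srv02",
     "detail": "service installed: print_spooler_fix"},
]

BRUTE_THRESHOLD = 10                 # failed logons that count as a burst
BRUTE_WINDOW = timedelta(minutes=5)  # ...within this span
FOLLOWUP_WINDOW = timedelta(hours=1) # persistence/firewall must follow within this

def _t(ev):
    return datetime.fromisoformat(ev["ts"])

def bruteforce_bursts(events, threshold=BRUTE_THRESHOLD, window=BRUTE_WINDOW):
    """Return {(host, src): burst_start} for sources that produced at least
    `threshold` failed network logons (4625, logon type 3) within `window`."""
    failures = defaultdict(list)
    for ev in sorted(events, key=_t):
        if ev["id"] == 4625 and ev.get("logon_type") == 3:
            failures[(ev["host"], ev["src"])].append(_t(ev))
    bursts = {}
    for key, times in failures.items():
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                bursts[key] = times[i]
                break
    return bursts

def detect_chain(events, followup=FOLLOWUP_WINDOW):
    """Return [(host, src)] where a brute-force burst is followed within
    `followup` by both a new service (7045) and a firewall change (2004)."""
    hits = []
    for (host, src), start in bruteforce_bursts(events).items():
        later = {ev["id"] for ev in events
                 if ev["host"] == host and start <= _t(ev) <= start + followup}
        if {7045, 2004} <= later:
            hits.append((host, src))
    return hits

if __name__ == "__main__":
    print(detect_chain(SAMPLE_EVENTS))  # [('srv01', '198.51.100.7')]
```

A burst alone is a noisy signal on an exposed SMB server; requiring the follow-on persistence and firewall events on the same host is what ties the alert to this particular chain.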
Purple Fox was wreaking havoc in the spring and summer of 2020; activity dropped off toward the end of that year before ramping up again in early 2021, and Perkiler is just the latest malware strain used by the gang. Unfortunately, it is unlikely to be the last infection retooled with worm capabilities. In the past, other malware strains, including those distributed by the Rocke Group and the Ryuk ransomware gangs, have also added self-propagation functionality.