Purple Fox Rootkit Now Obtains Worm-Spreading Capabilities

April 02, 2021 · 3 min read

Security analysts from Guardicore Labs have recently detected a new variant of the notorious Purple Fox rootkit, which now propagates as a worm across Windows machines. This latest malware upgrade results in a significant spike of Purple Fox infections, showing a 600% increase since spring 2020. This ongoing campaign relies heavily on port scanning and poorly secured SMB services, highlighting malware operator’s switch from exploit kit functions.

Purple Fox Rootkit Overview

Purple Fox is a fileless malware downloader enhanced with rootkit and backdoor capabilities. Since its emergence in 2018, the threat has been actively used by adversaries to deliver various Trojans, cryptominers, info-stealing strains, and ransomware samples. 

Initially, the malware relied mostly on well-known Microsoft exploits (CVE-2020-0674, CVE-2019-1458, CVE-2018-8120, CVE-2015-1701) and phishing emails for malware delivery. However, in May 2020, Purple Fox acquired worm-like capabilities to infect instances without any user interaction or additional tools. Now it can propagate across Windows systems via SMB brute-force and quickly infect thousands of devices. 

Upon infection, the malware leverages its rootkit module to hide malicious activity, drops additional malware to the host, and proceeds with its brute-force attempts. The Guardicore Labs report estimates that Purple Fox operators performed over 90,000 successful attacks by March 2021.

New Attack Kill Chain

The infection chain traditionally starts with a phishing email delivering a new worm-like Purple Fox strain disguised as a Windows Update package. In case users are tricked to launch the attached executable, a dedicated MSI installer downloads three payloads from a compromised Windows server to perform evasion, port scanning, and persistence functions. After code execution is achieved on the compromised host, the malware blocks ports 445, 139, 135 to prevent reinfection, generates IP ranges, and starts port 445 scans to identify vulnerable devices with SMB services exposed to the internet. If detected, Purple Fox performs an SMB brute-force attack to infect new devices and propagate further. 

Notably, security researchers identified almost 3,000 Microsoft servers compromised by Purple Fox to host its droppers and malicious executables. Most servers run outdated IIS version 7.5 and Microsoft FTP that reportedly have multiple security flaws.

Purple Fox Detection

To defend against the new version of Purple Fox malware, you can download a community Sigma rule developed by our eager Threat Bounty developer Osman Demir


The rule has translations to the following platforms: 

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, LogPoint, Humio, RSA NetWitness, FireEye Helix


Tactics: Persistence, Privilege Escalation

Techniques: New Service (T1050)

Subscribe to the Threat Detection Marketplace, a world-leading Detection as Code platform able to boost your cyber defense capabilities. Our SOC content library contains over 100K detection and response rules, parsers, search queries, and other content mapped to CVE and MITRE ATT&CK® frameworks so you can withstand the growing number of cyber-attacks. Keeping a close eye on the latest cybersecurity trends and want to participate in threat hunting activities? Join our Threat Bounty Program!

Go to Platform Join Threat Bounty

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts