A 2018 Malware is Using a New Approach to Infect Windows Devices
Note: We may earn a commission from products or services when you click on a link and make a purchase.
What is Purple Fox?
Purple Fox is a malware first discovered in 2018. Targeting Windows machines, Purple Fox used exploit kits and phishing emails to infect targets. Exploit kits gather information on the victim machine, detects vulnerabilities and uses this information to determine the appropriate approach for delivering and deploying the malware.
New Attack Method
Now, Purple Fox has re-emerged with a new infection vector, where breaches are occurring through SMB passwords without user interaction. This is troubling because this means that regardless of individual caution when opening emails from unfamiliar sources, malicious parties are still able to infect devices. This approach was used in last year’s Banco BCR ransomware attack, with claims that payment card information had been stolen.
READ Where Are My Saved Passwords in Chrome?
Guardicore Labs have identified Purple Fox’s network of compromised servers hosting payloads, which appear to be Microsoft IIS 7.5 servers. The malware includes a rootkit which makes it difficult to detect and remove the malware as it hides on the machine it is infecting. This is made possible by utilizing weak passwords used over the SMB (Server Message Block) protocol.
SMB is used by Windows computers to communicate with other network devices (i.e. printers, file servers, etc.). Active Directory users also use the SMB protocol with their Active Directory password. Common passwords used by Purple Fox include, but are not limited to, the following:
- 123
- Aa123456
- password
- 1qaz2wsx
- 12345678
- a123456
- password1
- abc123
- 111111111
- welcome
- 1234567890
- 111111
- 654321
- 123456789a
- princess
- 1q2w3e4r
- 888888
- dragon
- 112233
- iloveyou
SEE ALSO The Most Common Hacked Passwords
While Purple Fox’s prior methods (phishing and exploit kits) require some user interaction to initiate, the new SMB attack method does not require this interaction. These brute force attacks are versatile, and they would make accounts with reused passwords easy targets.
A Warning to the General Public
It is easy to forget new passwords, and people often use the same password across multiple online accounts, especially for accounts that may not necessarily be directly connected to financial or otherwise “important accounts.” However, using the same password more than once on different sites opens individuals up for these attacks. If one site is breached and users’ passwords are stolen, it would be easy work for threat actors to run the same passwords through other popular websites to steal personal information which can then be used in other phishing or hacking campaigns.
A reliable password app will help create and store unique passwords for all online accounts.
SEE ALSO Top 9 Cyber Threats for Businesses
Personal information is used to bypass multi-factor authentication processes which are used for more secure accounts such as banking or government assistance. It is also used to reset passwords and set up multi-factor authentication processes which would lock individuals out of their attacks.
It is common to save passwords onto our browsers and reuse easily remembered passwords, but as attackers get more creative with their approaches, it becomes more important to create random, strong passwords for each account and avoid the most common passwords used across the board.
