
A newly-wormable Windows botnet is ballooning in size


mood


Image Credits: Bryce Durbin / TechCrunch

Researchers say a botnet targeting Windows devices is rapidly growing in size, thanks to a new infection technique that allows the malware to spread from computer to computer.

The Purple Fox malware was first spotted in 2018 spreading through phishing emails and exploit kits, a way for threat groups to infect machines using existing security flaws.

But researchers Amit Serper and Ophir Harpaz at security firm Guardicore, which discovered and revealed the new infection effort in a new blog post, say the malware now targets internet-facing Windows computers with weak passwords, giving the malware a foothold to spread more rapidly.

The malware does this by trying to guess weak Windows user account passwords by targeting the server message block, or SMB — a component that lets Windows talk with other devices, like printers and file servers. Once the malware gains access to a vulnerable computer, it pulls a malicious payload from a network of close to 2,000 older and compromised Windows web servers and quietly installs a rootkit, keeping the malware persistently anchored to the computer while also making it much harder to be detected or removed.

Once infected, the malware then closes the ports in the firewall it used to infect the computer to begin with, likely to prevent reinfection or other threat groups hijacking the already-hacked computer, the researchers said.

The malware then generates a list of internet addresses and scans the internet for vulnerable devices with weak passwords to infect further, creating a growing network of ensnared devices.

Botnets are formed when hundreds or thousands of hacked devices are enlisted into a network run by criminal operators, which are often then used to launch denial-of-network attacks to pummel organizations with junk traffic with the aim of knocking them offline. But with control of these devices, criminal operators can also use botnets to spread malware and spam, or to deploy file-encrypting ransomware on the infected computers.

But this kind of wormable botnet presents a greater risk as it spreads largely on its own.

Serper, Guardicore’s vice president of security research for North America, said the wormable infection technique is “cheaper” to run than its earlier phishing and exploit kit effort.

“The fact that it’s an opportunistic attack that constantly scans the internet and looks for more vulnerable machines means that the attackers can sort of ‘set it and forget it’,” he said.

It appears to be working. Purple Fox infections have rocketed by 600% since May 2020, according to data from Guardicore’s own network of internet sensors. The actual number of infections is likely to be far higher, amounting to more than 90,000 infections in the past year.

Guardicore published indicators of compromise to help networks identify if they have been infected. The researchers do not know what the botnet will be used for but warned that its growing size presents a risk to organizations.

“We assume that this is laying the groundwork for something in the future,” said Serper.

Source: A newly-wormable Windows botnet is ballooning in size


Purple Fox Rootkit Can Now Spread Itself to Other Windows Computers


Purple Fox, a Windows malware previously known for infecting machines by using exploit kits and phishing emails, has now added a new technique to its arsenal that gives it worm-like propagation capabilities.

The ongoing campaign makes use of a "novel spreading technique via indiscriminate port scanning and exploitation of exposed SMB services with weak passwords and hashes," according to Guardicore researchers, who say the attacks have spiked by about 600% since May 2020.

A total of 90,000 incidents have been spotted through the rest of 2020 and the beginning of 2021.

First discovered in March 2018, Purple Fox is distributed in the form of malicious ".msi" payloads hosted on nearly 2,000 compromised Windows servers that, in turn, download and execute a component with rootkit capabilities, which enables the threat actors to hide the malware on the machine and make it easy to evade detection.

Guardicore says Purple Fox hasn't changed much post-exploitation, but where it has is in its worm-like behavior, allowing the malware to spread more rapidly.

It achieves this by breaking into a victim machine through a vulnerable, exposed service such as server message block (SMB), leveraging the initial foothold to establish persistence, pull the payload from a network of Windows servers, and stealthily install the rootkit on the host.

Once infected, the malware blocks multiple ports (445, 139, and 135), likely in an attempt to "prevent the infected machine from being reinfected, and/or to be exploited by a different threat actor," notes Amit Serper, Guardicore's new vice president of security research for North America.

In the next phase, Purple Fox commences its propagation process by generating IP ranges and scanning them on port 445, using the probes to single out vulnerable devices on the Internet with weak passwords and brute-forcing them to ensnare the machines into a botnet.

While botnets are often deployed by threat actors to launch denial-of-network attacks against websites with the goal of taking them offline, they can also be used to spread all kinds of malware, including file-encrypting ransomware, on the infected computers, although in this case, it's not immediately clear what the attackers are looking to achieve.

If anything, the new infection vector is another sign of criminal operators constantly retooling their malware distribution mechanism to cast a wide net and compromise as many machines as possible. Details about the indicators of compromise (IoCs) associated with the campaign can be accessed here.

Source

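Both reposted articles describe the same propagation step: scanning for port 445 and brute-forcing weak SMB passwords. As an added example (not from either article, TechCrunch, The Hacker News or Guardicore), here is a small Python detector for the log pattern that behaviour leaves on a target: a burst of failed network logons (Windows Security event 4625, logon type 3) from one source address across many account names. The event records are constructed inline and their field names are simplified for the example, not a real export format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Windows Security event 4625 (failed logon) records.
# Field names are simplified for this example; real exports differ by tool.
# logon_type 3 = network logon, which is what SMB authentication on port 445 produces.
SAMPLE_EVENTS = [
    {"time": "2021-03-24T10:00:01", "src": "203.0.113.7", "user": "administrator", "logon_type": 3},
    {"time": "2021-03-24T10:00:02", "src": "203.0.113.7", "user": "admin", "logon_type": 3},
    {"time": "2021-03-24T10:00:02", "src": "203.0.113.7", "user": "guest", "logon_type": 3},
    {"time": "2021-03-24T10:00:03", "src": "203.0.113.7", "user": "user", "logon_type": 3},
    {"time": "2021-03-24T10:00:04", "src": "203.0.113.7", "user": "backup", "logon_type": 3},
    {"time": "2021-03-24T10:00:05", "src": "203.0.113.7", "user": "test", "logon_type": 3},
    # A single mistyped password from a workstation: should not be flagged.
    {"time": "2021-03-24T10:03:10", "src": "192.0.2.5", "user": "jsmith", "logon_type": 3},
    # Interactive (console) failures are out of scope for an SMB brute-force, even if frequent.
    {"time": "2021-03-24T10:04:00", "src": "192.0.2.9", "user": "alice", "logon_type": 2},
    {"time": "2021-03-24T10:04:01", "src": "192.0.2.9", "user": "bob", "logon_type": 2},
    {"time": "2021-03-24T10:04:02", "src": "192.0.2.9", "user": "carol", "logon_type": 2},
    {"time": "2021-03-24T10:04:03", "src": "192.0.2.9", "user": "dave", "logon_type": 2},
    {"time": "2021-03-24T10:04:04", "src": "192.0.2.9", "user": "erin", "logon_type": 2},
]


def detect_smb_bruteforce(events, window=timedelta(minutes=5), min_failures=5, min_users=3):
    """Return {source_ip: (failure_count, distinct_users)} for every source whose
    network-logon failures inside a sliding `window` reach min_failures and span
    at least min_users distinct account names."""
    per_src = defaultdict(list)
    for e in events:
        if e["logon_type"] != 3:  # keep only network logons (SMB, RPC, ...)
            continue
        per_src[e["src"]].append((datetime.fromisoformat(e["time"]), e["user"]))

    hits = {}
    for src, rows in per_src.items():
        rows.sort()
        recent = deque()  # failures that fall inside the current window
        for ts, user in rows:
            recent.append((ts, user))
            while ts - recent[0][0] > window:  # drop failures older than the window
                recent.popleft()
            users = {u for _, u in recent}
            if len(recent) >= min_failures and len(users) >= min_users:
                hits[src] = (len(recent), len(users))  # last (largest) burst wins
    return hits


if __name__ == "__main__":
    for src, (n, users) in detect_smb_bruteforce(SAMPLE_EVENTS).items():
        print(f"possible SMB brute-force from {src}: {n} failures across {users} accounts")
```

The thresholds are deliberately conservative; on a real domain controller they should be tuned against the baseline rate of failed network logons, and the source address should be correlated with inbound 445 connections at the perimeter.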

