<style>/*<link href='https://www.blogger.com/dyn-css/authorization.css?targetBlogID=3589136026507255572&zx=eade4ae4-2c1e-4ba4-b308-2df48e9fbda9' media='none' onload='if(media!='all')media='all'' rel='stylesheet'/><noscript><link href='https://www.blogger.com/dyn-css/authorization.css?targetBlogID=3589136026507255572&zx=eade4ae4-2c1e-4ba4-b308-2df48e9fbda9' rel='stylesheet'/></noscript>
<meta name='google-adsense-platform-account' content='ca-host-pub-1556223355139109'/>
<meta name='google-adsense-platform-domain' content='blogspot.com'/>

<script async src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js?client=ca-pub-2831139136270004&host=ca-host-pub-1556223355139109" crossorigin="anonymous"></script>

<!-- data-ad-client=ca-pub-2831139136270004 -->

<link rel="stylesheet" href="https://fonts.googleapis.com/css2?display=swap&family=Roboto&family=Open+Sans&family=Consolas&family=Source+Sans+Pro&family=Raleway"></head><body>*/</style>

Purple Fox Malware targets Windows by Worms

purplefox malware, purplefox malware analysis

A new Purple Fox Malware infection vector puts Windows systems, facing the Internet at risk from the brute effect of SMB passwords.

This Malware targets Windows devices through phishing , to add new "worm" capabilities.

Purple Fox Malware History

Purple Fox Malware, last appeared in 2018, recently required user interaction, or some kind of third-party tool to infect Windows by adding new functionality, that can brute force its way into victims’ Pcs automatically.

Purple Fox Malware Tactics

The new infection, can be breached through SMB password brute force, also includes a rootkit that allows to hide the malware in the system, and make it difficult to detect and remove.

Once the worm infects a victim’s Pc, will create a new service that managed by some URLs.

Purple Fox using a previous tactic to infect machines with malware through a phishing campaign, by sending the payload via email to exploit a browser vulnerability.

Once the MSI installer package is executed, it will launch by impersonating a Windows Update package along with Chinese text. These Chinese letters are randomly generated between each different MSI installer to create a different hash, and make it difficult to create links between different versions of the same MSI.

the installer will extract the payloads and decrypt them from Chinese letters within the MSI package.

This process will include modifying the Windows firewall, in such a way as to prevent the infected machine from being re infected, or to be exploited by a different threat actor.

Video to watch

<style>/*
<script type="text/javascript" src="https://www.blogger.com/static/v1/widgets/3576124627-widgets.js"></script>
<script type='text/javascript'>
window['__wavt'] = 'AOuZoY76GbTKgJ8efeXr9LDM6OqOcS-0LQ:1726922444327';_WidgetManager._Init('//www.blogger.com/rearrange?blogID\x3d3589136026507255572','//mango-school.blogspot.com/2021/03/purple-fox-malware-targets-windows-by.html','3589136026507255572');
_WidgetManager._SetDataContext([{'name': 'blog', 'data': {'blogId': '3589136026507255572', 'title': 'Mango School for Information Technology and Cyber Security', 'url': 'https://mango-school.blogspot.com/2021/03/purple-fox-malware-targets-windows-by.html', 'canonicalUrl': 'https://mango-school.blogspot.com/2021/03/purple-fox-malware-targets-windows-by.html', 'homepageUrl': 'https://mango-school.blogspot.com/', 'searchUrl': 'https://mango-school.blogspot.com/search', 'canonicalHomepageUrl': 'https://mango-school.blogspot.com/', 'blogspotFaviconUrl': 'https://mango-school.blogspot.com/favicon.ico', 'bloggerUrl': 'https://www.blogger.com', 'hasCustomDomain': false, 'httpsEnabled': true, 'enabledCommentProfileImages': true, 'gPlusViewType': 'FILTERED_POSTMOD', 'adultContent': false, 'analyticsAccountNumber': '', 'encoding': 'UTF-8', 'locale': 'en', 'localeUnderscoreDelimited': 'en', 'languageDirection': 'ltr', 'isPrivate': false, 'isMobile': false, 'isMobileRequest': false, 'mobileClass': '', 'isPrivateBlog': false, 'isDynamicViewsAvailable': true, 'feedLinks': '\x3clink rel\x3d\x22alternate\x22 type\x3d\x22application/atom+xml\x22 title\x3d\x22Mango School for Information Technology and Cyber Security - Atom\x22 href\x3d\x22https://mango-school.blogspot.com/feeds/posts/default\x22 /\x3e\n\x3clink rel\x3d\x22alternate\x22 type\x3d\x22application/rss+xml\x22 title\x3d\x22Mango School for Information Technology and Cyber Security - RSS\x22 href\x3d\x22https://mango-school.blogspot.com/feeds/posts/default?alt\x3drss\x22 /\x3e\n\x3clink rel\x3d\x22service.post\x22 type\x3d\x22application/atom+xml\x22 title\x3d\x22Mango School for Information Technology and Cyber Security - Atom\x22 href\x3d\x22https://www.blogger.com/feeds/3589136026507255572/posts/default\x22 /\x3e\n\n\x3clink rel\x3d\x22alternate\x22 type\x3d\x22application/atom+xml\x22 title\x3d\x22Mango School for Information Technology and Cyber Security - Atom\x22 href\x3d\x22https://mango-school.blogspot.com/feeds/3681698960325599721/comments/default\x22 /\x3e\n', 'meTag': '', 'adsenseClientId': 'ca-pub-2831139136270004', 'adsenseHostId': 'ca-host-pub-1556223355139109', 'adsenseHasAds': true, 'adsenseAutoAds': true, 'boqCommentIframeForm': true, 'loginRedirectParam': '', 'view': '', 'dynamicViewsCommentsSrc': '//www.blogblog.com/dynamicviews/4224c15c4e7c9321/js/comments.js', 'dynamicViewsScriptSrc': '//www.blogblog.com/dynamicviews/bea942728df245a5', 'plusOneApiSrc': 'https://apis.google.com/js/platform.js', 'disableGComments': true, 'interstitialAccepted': false, 'sharing': {'platforms': [{'name': 'Get link', 'key': 'link', 'shareMessage': 'Get link', 'target': ''}, {'name': 'Facebook', 'key': 'facebook', 'shareMessage': 'Share to Facebook', 'target': 'facebook'}, {'name': 'BlogThis!', 'key': 'blogThis', 'shareMessage': 'BlogThis!', 'target': 'blog'}, {'name': 'Twitter', 'key': 'twitter', 'shareMessage': 'Share to Twitter', 'target': 'twitter'}, {'name': 'Pinterest', 'key': 'pinterest', 'shareMessage': 'Share to Pinterest', 'target': 'pinterest'}, {'name': 'Email', 'key': 'email', 'shareMessage': 'Email', 'target': 'email'}], 'disableGooglePlus': true, 'googlePlusShareButtonWidth': 0, 'googlePlusBootstrap': '\x3cscript type\x3d\x22text/javascript\x22\x3ewindow.___gcfg \x3d {\x27lang\x27: \x27en\x27};\x3c/script\x3e'}, 'hasCustomJumpLinkMessage': true, 'jumpLinkMessage': 'Read-more \xbb', 'pageType': 'item', 'postId': '3681698960325599721', 'postImageThumbnailUrl': 'https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtx7lEvlTeYXl9fKI51vtAmwRqD_kGvbYP0KtZceriRKmYruVAB2_zTKH9iKx3sQMYbVlTG3Va66QMtPTFwhSwrh-NNc3V-16zTpHAOdZGtJyYRDOO2fC7rY8VMV4SxpfESV2u4ohJFNa0/s72-w320-c-h211/purple+fox+malware.png', 'postImageUrl': 'https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtx7lEvlTeYXl9fKI51vtAmwRqD_kGvbYP0KtZceriRKmYruVAB2_zTKH9iKx3sQMYbVlTG3Va66QMtPTFwhSwrh-NNc3V-16zTpHAOdZGtJyYRDOO2fC7rY8VMV4SxpfESV2u4ohJFNa0/w320-h211/purple+fox+malware.png', 'pageName': 'Purple Fox Malware targets Windows by Worms', 'pageTitle': 'Mango School for Information Technology and Cyber Security: Purple Fox Malware targets Windows by Worms', 'metaDescription': 'Purple Fox Malware infection vector puts Windows systems, facing the Internet at risk from the brute effect of SMB passwords'}}, {'name': 'features', 'data': {}}, {'name': 'messages', 'data': {'edit': 'Edit', 'linkCopiedToClipboard': 'Link copied to clipboard!', 'ok': 'Ok', 'postLink': 'Post Link'}}, {'name': 'template', 'data': {'name': 'custom', 'localizedName': 'Custom', 'isResponsive': true, 'isAlternateRendering': false, 'isCustom': true}}, {'name': 'view', 'data': {'classic': {'name': 'classic', 'url': '?view\x3dclassic'}, 'flipcard': {'name': 'flipcard', 'url': '?view\x3dflipcard'}, 'magazine': {'name': 'magazine', 'url': '?view\x3dmagazine'}, 'mosaic': {'name': 'mosaic', 'url': '?view\x3dmosaic'}, 'sidebar': {'name': 'sidebar', 'url': '?view\x3dsidebar'}, 'snapshot': {'name': 'snapshot', 'url': '?view\x3dsnapshot'}, 'timeslide': {'name': 'timeslide', 'url': '?view\x3dtimeslide'}, 'isMobile': false, 'title': 'Purple Fox Malware targets Windows by Worms', 'description': 'Purple Fox Malware infection vector puts Windows systems, facing the Internet at risk from the brute effect of SMB passwords', 'featuredImage': 'https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtx7lEvlTeYXl9fKI51vtAmwRqD_kGvbYP0KtZceriRKmYruVAB2_zTKH9iKx3sQMYbVlTG3Va66QMtPTFwhSwrh-NNc3V-16zTpHAOdZGtJyYRDOO2fC7rY8VMV4SxpfESV2u4ohJFNa0/w320-h211/purple+fox+malware.png', 'url': 'https://mango-school.blogspot.com/2021/03/purple-fox-malware-targets-windows-by.html', 'type': 'item', 'isSingleItem': true, 'isMultipleItems': false, 'isError': false, 'isPage': false, 'isPost': true, 'isHomepage': false, 'isArchive': false, 'isLabelSearch': false, 'postId': 3681698960325599721}}, {'name': 'widgets', 'data': [{'title': 'Logo', 'type': 'HTML', 'sectionId': 'header-main', 'id': 'HTML10'}, {'title': 'Icons, Dark, Search', 'type': 'LinkList', 'sectionId': 'header-main', 'id': 'LinkList10'}, {'title': 'Menu', 'type': 'LinkList', 'sectionId': 'header-main', 'id': 'LinkList11'}, {'title': 'Blog Posts', 'type': 'Blog', 'sectionId': 'blog-post', 'id': 'Blog1', 'posts': [{'id': '3681698960325599721', 'title': 'Purple Fox Malware targets Windows by Worms', 'featuredImage': 'https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtx7lEvlTeYXl9fKI51vtAmwRqD_kGvbYP0KtZceriRKmYruVAB2_zTKH9iKx3sQMYbVlTG3Va66QMtPTFwhSwrh-NNc3V-16zTpHAOdZGtJyYRDOO2fC7rY8VMV4SxpfESV2u4ohJFNa0/w320-h211/purple+fox+malware.png', 'showInlineAds': false}], 'footerBylines': [{'regionName': 'footer1', 'items': [{'name': 'share', 'label': ''}]}], 'allBylineItems': [{'name': 'share', 'label': ''}]}, {'title': 'Popular Posts', 'type': 'PopularPosts', 'sectionId': 'sidebar-static', 'id': 'PopularPosts10', 'posts': [{'title': 'Gujd file ransomware virus Removal Decrypt', 'id': 5638591793488345148}, {'title': 'Zzla file ransomware virus Removal Decrypt', 'id': 9089289928437659324}, {'title': 'How to recover deleted WhatsApp messages', 'id': 8893834197053935343}, {'title': 'USA bans Kaspersky - What are the reasons?', 'id': 8464110779646215258}, {'title': 'Received Toll Bay Area FasTrak Text', 'id': 6688816003895425899}]}, {'title': '#Recent Post', 'type': 'HTML', 'sectionId': 'sidebar-static', 'id': 'HTML19'}, {'title': 'Follow Mango school', 'type': 'LinkList', 'sectionId': 'footer-widget', 'id': 'LinkList14'}, {'title': 'Copyright', 'type': 'HTML', 'sectionId': 'copyright', 'id': 'HTML23'}, {'title': 'SVG Icons', 'type': 'HTML', 'sectionId': 'jet-options', 'id': 'HTML24'}]}]);
_WidgetManager._RegisterWidget('_HTMLView', new _WidgetInfo('HTML10', 'header-main', document.getElementById('HTML10'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_LinkListView', new _WidgetInfo('LinkList10', 'header-main', document.getElementById('LinkList10'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_LinkListView', new _WidgetInfo('LinkList11', 'header-main', document.getElementById('LinkList11'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_BlogView', new _WidgetInfo('Blog1', 'blog-post', document.getElementById('Blog1'), {'cmtInteractionsEnabled': false, 'lightboxEnabled': true, 'lightboxModuleUrl': 'https://www.blogger.com/static/v1/jsbin/128363787-lbx.js', 'lightboxCssUrl': 'https://www.blogger.com/static/v1/v-css/13464135-lightbox_bundle.css'}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_PopularPostsView', new _WidgetInfo('PopularPosts10', 'sidebar-static', document.getElementById('PopularPosts10'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_HTMLView', new _WidgetInfo('HTML19', 'sidebar-static', document.getElementById('HTML19'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_LinkListView', new _WidgetInfo('LinkList14', 'footer-widget', document.getElementById('LinkList14'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_HTMLView', new _WidgetInfo('HTML23', 'copyright', document.getElementById('HTML23'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_HTMLView', new _WidgetInfo('HTML24', 'jet-options', document.getElementById('HTML24'), {}, 'displayModeFull'));
</script>
</body>*/</style>