Scrape Timestamp (UTC): 2024-02-01 17:13:50.420
Original Article Text
PurpleFox malware infected thousands of systems in Ukraine.

The Computer Emergency Response Team in Ukraine (CERT-UA) is warning about a PurpleFox malware campaign that has infected at least 2,000 computers in the country.

The exact impact of this widespread infection, and whether it has affected state organizations or regular people's computers, hasn't been determined, but the agency has shared detailed information on how to locate infections and remove the malware.

PurpleFox (or 'DirtyMoe') is a modular Windows botnet malware first spotted in 2018 that comes with a rootkit module allowing it to hide and persist between device reboots. It can be used as a downloader that introduces more potent second-stage payloads on compromised systems, offers its operators backdoor capabilities, and can also act as a distributed denial of service (DDoS) bot.

In October 2021, researchers noticed that new versions of PurpleFox switched to using WebSocket for command and control (C2) communications for stealth. In January 2022, a campaign spread the malware under the guise of a Telegram desktop app.

Ukrainian infection wave

CERT-UA used IoCs shared by Avast and TrendMicro to identify PurpleFox malware infections on Ukrainian computers, tracking the activity under the identifier 'UAC-0027.'

"In the process of a detailed study of the cyber threat, research was conducted on the samples of malicious software received, the characteristics of the operating infrastructure of the control servers were identified, and more than 2000 infected computers in the Ukrainian segment of the internet were discovered," explains CERT-UA in a machine-translated security warning.

CERT-UA says PurpleFox typically infects systems when victims launch laced MSI installers and highlights its self-propagation capabilities using exploits for known flaws and password brute-forcing.
The agency recommends isolating systems that run outdated OS versions and software, using VLAN or physical network segmentation with incoming/outgoing filtering, to prevent spreading.

CERT-UA monitored infected hosts between January 20 and 31, 2024, detecting 486 intermediate control server IP addresses, most of which are located in China.

CERT-UA notes that PurpleFox's removal is challenging due to its use of a rootkit, but there are still effective methods that can help detect and uproot the malware.

First, to discover PurpleFox infections, users are recommended to do the following:

If any of the above indicates a PurpleFox infection, CERT-UA suggests either using Avast Free AV to run a "SMART" scan and remove all modules, or performing the following steps:

For disk operations:

After cleaning, to avoid re-infection from PurpleFox, which is very likely if there are still infected machines on the same network, enable the firewall on Windows and create a rule to block incoming traffic on ports 135, 137, 139, and 445.
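The firewall hardening step above, written out as an added PowerShell example (this is not a script from CERT-UA's advisory or from the article; the rule names and the choice to block both TCP and UDP are assumptions). It turns the Windows Firewall on for every profile, creates inbound block rules for the four ports the advisory names, and then lists the resulting rules so an administrator can confirm they are in place before the host is returned to a network that may still hold infected machines.

```powershell
# Added example, not part of CERT-UA's guidance: enable Windows Firewall and block
# inbound traffic on the RPC/NetBIOS/SMB ports named in the advisory (135, 137,
# 139, 445) so a cleaned host cannot be re-infected by PurpleFox's lateral spread.
# Run from an elevated PowerShell session. Rule names are assumed, not prescribed.

$ports    = 135, 137, 139, 445
$ruleBase = 'Block-PurpleFox-Lateral-Inbound'   # assumed name, change to taste

# 1. Make sure the firewall is actually enforced on Domain, Private and Public.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True

# 2. Idempotent: drop any earlier copy of our rules before recreating them.
Get-NetFirewallRule -DisplayName "$ruleBase*" -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# 3. Block inbound TCP on all four ports (RPC endpoint mapper, NetBIOS session, SMB).
New-NetFirewallRule -DisplayName "$ruleBase-TCP" `
    -Direction Inbound -Action Block -Protocol TCP -LocalPort $ports `
    -Profile Any -Enabled True | Out-Null

# 4. Also block inbound UDP on the same ports (137 is the NetBIOS name service,
#    which runs over UDP). Blocking UDP here is an added assumption, not from the text.
New-NetFirewallRule -DisplayName "$ruleBase-UDP" `
    -Direction Inbound -Action Block -Protocol UDP -LocalPort $ports `
    -Profile Any -Enabled True | Out-Null

# 5. Verify: show each rule with its protocol and local ports so the operator can
#    confirm the block is active before reconnecting the host.
Get-NetFirewallRule -DisplayName "$ruleBase*" | ForEach-Object {
    $filter = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule      = $_.DisplayName
        Enabled   = $_.Enabled
        Action    = $_.Action
        Protocol  = $filter.Protocol
        LocalPort = ($filter.LocalPort -join ',')
    }
} | Format-Table -AutoSize
```

One caveat a practitioner should weigh before rolling this out fleet-wide: blocking inbound 445 and 139 on a machine that legitimately serves file shares (a file server or domain controller) breaks SMB access to it. On such hosts, scope the rule with `-RemoteAddress` to the subnets that must reach the share, or apply the block only on workstations, while still segmenting outdated systems as the advisory recommends.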
Daily Brief Summary
CERT-UA warns of PurpleFox malware infecting at least 2,000 computers across Ukraine.
PurpleFox, also known as DirtyMoe, is a modular Windows botnet malware with rootkit capabilities for concealment and persistence.
The malware serves multiple functions including acting as a downloader for further payloads, providing backdoor access, and enabling DDoS attacks.
New versions of PurpleFox have switched to WebSocket for C2 communications, increasing stealth, with disguised campaigns like a counterfeit Telegram desktop app.
Ukrainian computers were identified as infected through IoCs provided by Avast and TrendMicro, monitored over January 20-31, 2024.
CERT-UA advises isolation and network segmentation for outdated systems alongside specific removal recommendations due to the challenges posed by PurpleFox's rootkit component.
The majority of the identified intermediate control server IP addresses associated with the infections are located in China.
The agency provides guidance on detecting infections and emphasizes the significance of firewall rules to prevent re-infection.