The Ukrainian Computer Emergency Response Team (CERT-UA) has issued a warning regarding a PurpleFox malware campaign that has impacted over 2,000 computers in the country. The full extent of the infection’s impact on state organizations or individual users remains unclear. However, CERT-UA has provided detailed information on identifying and removing the malware.
PurpleFox, also known as ‘DirtyMoe,’ is a modular Windows botnet malware discovered in 2018. It incorporates a rootkit module, enabling it to conceal itself and persist through device reboots. The malware functions as a downloader, introducing more potent second-stage payloads on compromised systems, granting backdoor capabilities to operators, and potentially acting as a distributed denial of service (DDoS) bot.
In October 2021, PurpleFox adopted the use of WebSocket for command and control (C2) communications to enhance stealth. Subsequently, in January 2022, a campaign distributed the malware disguised as a Telegram desktop app.
CERT-UA identified PurpleFox infections in Ukraine (activity tracked as ‘UAC-0027’) using Indicators of Compromise (IoCs) shared by Avast and TrendMicro. Its in-depth analysis uncovered more than 2,000 infected computers in the Ukrainian internet segment. The malware commonly infiltrates systems when victims launch compromised MSI installers, and it self-propagates through exploits or password brute-forcing.
To curb the spread, CERT-UA recommends isolating systems with outdated operating systems and software, utilizing VLAN or physical network segmentation with incoming/outgoing filtering. Monitoring infected hosts from January 20 to 31, 2024, CERT-UA identified 486 intermediate control server IP addresses, predominantly located in China.
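The identification described above relies on matching network activity against a published list of C2 addresses. The following is an added example, not code from CERT-UA, Avast or TrendMicro, showing how a defender can run that check over egress firewall logs: the script compiles an IoC list (single IPs and CIDR ranges), parses a simple log format, and reports which internal hosts attempted to reach a listed C2 address, including attempts the firewall already denied, since a denied connection still indicates an infected host. The IoC values and log lines are constructed placeholders in documentation address ranges; the real 486-address list is not reproduced on this page and would have to be substituted in.

```python
import ipaddress
from collections import defaultdict

# Constructed placeholder IoC list (documentation ranges, RFC 5737). The actual
# CERT-UA C2 address list is not on this page; replace with the published IoCs.
C2_IOCS = [
    "203.0.113.17",      # single address -> treated as a /32
    "198.51.100.0/24",   # a whole range, as some IoC feeds publish them
]

# Constructed sample egress firewall log in "timestamp src dst dport action" form.
SAMPLE_LOG = """\
2024-01-21T10:02:11Z 10.0.5.23 203.0.113.17 443 ALLOW
2024-01-21T10:02:15Z 10.0.5.23 93.184.216.34 443 ALLOW
2024-01-21T10:03:40Z 10.0.7.8 198.51.100.77 8080 ALLOW
2024-01-21T10:04:02Z 10.0.9.1 203.0.113.17 443 DENY
2024-01-21T10:05:00Z 10.0.5.23 198.51.100.77 8080 ALLOW
malformed line that should be skipped
"""


def compile_iocs(iocs):
    """Turn IoC strings into ip_network objects; bare IPs become /32 networks."""
    return [ipaddress.ip_network(i, strict=False) for i in iocs]


def parse_line(line):
    """Parse one log line; return None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, dport, action = parts
    try:
        return {
            "ts": ts,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "dport": int(dport),
            "action": action,
        }
    except ValueError:
        return None


def match_dst(dst, networks):
    """Return the first IoC network containing dst, or None."""
    for net in networks:
        if dst in net:
            return net
    return None


def scan_log(text, iocs):
    """Map each internal source IP to its C2 contacts: [(ts, dst, ioc, action), ...]."""
    networks = compile_iocs(iocs)
    hits = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        net = match_dst(rec["dst"], networks)
        if net is not None:
            hits[str(rec["src"])].append(
                (rec["ts"], str(rec["dst"]), str(net), rec["action"])
            )
    return dict(hits)


def suspected_hosts(text, iocs):
    """Sorted list of hosts that tried to reach a C2 IoC, whether allowed or denied."""
    return sorted(scan_log(text, iocs))


if __name__ == "__main__":
    for host, contacts in scan_log(SAMPLE_LOG, C2_IOCS).items():
        print(f"{host}: {len(contacts)} C2 contact(s)")
        for ts, dst, ioc, action in contacts:
            print(f"  {ts} -> {dst} (matched {ioc}) [{action}]")
```

Hosts returned by `suspected_hosts` are candidates for the isolation CERT-UA recommends; the per-host contact list gives the timestamps and destinations needed to confirm the match before segmenting the host off the network.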
Removing PurpleFox proves challenging due to its use of a rootkit; however, CERT-UA suggests effective methods for detection and removal of the malware.