    PurpleFox malware infects thousands of computers in Ukraine

    The Ukrainian Computer Emergency Response Team (CERT-UA) has issued a warning regarding a PurpleFox malware campaign that has impacted over 2,000 computers in the country. The full extent of the infection’s impact on state organizations or individual users remains unclear. However, CERT-UA has provided detailed information on identifying and removing the malware.

    PurpleFox, also known as ‘DirtyMoe,’ is a modular Windows botnet malware discovered in 2018. It incorporates a rootkit module, enabling it to conceal itself and persist through device reboots. The malware functions as a downloader, introducing more potent second-stage payloads on compromised systems, granting backdoor capabilities to operators, and potentially acting as a distributed denial of service (DDoS) bot.

    In October 2021, PurpleFox adopted the use of WebSocket for command and control (C2) communications to enhance stealth. Subsequently, in January 2022, a campaign distributed the malware disguised as a Telegram desktop app.

    CERT-UA identified the PurpleFox infections in Ukraine, which it tracks as ‘UAC-0027,’ using Indicators of Compromise (IoCs) shared by Avast and Trend Micro. Its in-depth analysis uncovered more than 2,000 infected computers in the Ukrainian internet segment. The malware commonly enters systems when victims run compromised MSI installers, and it spreads further on its own through exploits or password brute-forcing.

    To curb the spread, CERT-UA recommends isolating systems running outdated operating systems and software, using VLAN or physical network segmentation with filtering of both incoming and outgoing traffic. While monitoring infected hosts from January 20 to 31, 2024, CERT-UA identified 486 intermediate control server IP addresses, predominantly located in China.

    Removing PurpleFox proves challenging due to its use of a rootkit; however, CERT-UA suggests effective methods for detection and removal of the malware.
