The Computer Emergency Response Team in Ukraine (CERT-UA) has issued a warning about a PurpleFox malware campaign that has impacted over 2,000 computers in the country. PurpleFox, also known as ‘DirtyMoe,’ is a modular Windows botnet malware initially detected in 2018, equipped with a rootkit module for stealth and persistence. It operates as a downloader, introducing potent second-stage payloads, providing backdoor capabilities, and serving as a distributed denial of service (DDoS) bot. The malware evolved in October 2021, using WebSocket for command and control (C2) communications and, in January 2022, disguising itself as a Telegram desktop app.
CERT-UA, using indicators of compromise (IoCs) from Avast and TrendMicro, identified PurpleFox infections on Ukrainian computers, emphasizing its self-propagation capabilities through infected MSI installers and exploiting known flaws or password brute-forcing. The agency recommends isolating systems with outdated OS versions and software and implementing network segmentation to prevent further spread. CERT-UA monitored infected hosts between January 20 and 31, 2024, detecting 486 intermediate control server IP addresses, primarily located in China. Removal of PurpleFox is challenging due to its rootkit use, but CERT-UA provides methods for detection and mitigation, including using Avast Free AV or manual removal steps.
To discover PurpleFox infections, users are advised to examine network connections, check specific registry values, analyze Event Viewer logs, and verify certain directories for suspicious files. If an infection is detected, CERT-UA suggests using Avast Free AV for a comprehensive scan or performing manual removal steps involving booting from LiveUSB, deleting malicious modules, and cleaning the system partition. Additionally, to avoid re-infection, users are instructed to enable the Windows firewall and block incoming traffic from specific ports. devices.
