
PurpleWave

Posted: August 21, 2020

PurpleWave is spyware that collects confidential information, such as passwords, from infected Windows PCs. This threat also may download other threats and includes configuration options that can vary its attacks in different scenarios. Users should maintain careful Web-browsing practices for minimizing infection opportunities and have anti-malware products present for finding, blocking or deleting PurpleWave.

A Wave of Data Theft Incoming from All Angles

Another information collector is being sold on the dark Web, with Russian domains carrying advertising for a rental service that offers general-purpose 'hacking' attacks. PurpleWave, a fairly traditional piece of spyware, is compatible with most Windows OS versions and provides broad-purpose functionality for finding and taking data that doesn't belong to the hacker. Because it's available for sale with optional long-term support, PurpleWave's infection vectors and campaigns could be numerous and flexible.

A remarkable aspect of the business side of PurpleWave is that its author is opting for numbers of clients over quality, and sells access to the spyware for under seventy USD. Threat actors taking up the developer on the bargain can configure PurpleWave for multiple attacks, some of which are module-based. More specifically, PurpleWave exfiltrates (or collects and uploads) information such as passwords, cookies, autofill form data, browser history, and other content from Chrome (and other Chromium offshoots), Firefox, Steam and Telegram.

Some of the optional features are more specialized than others. For example, PurpleWave includes a .NET Framework module that collects Electrum cryptocurrency wallet data. It also may take screenshots that it saves in a PNG format, and search for files of attacker-specified formats and locations. PurpleWave also can serve as a Trojan downloader by installing other threats, in general, besides the modular ones that upgrade its scope.

Stopping a PC from Seeing Purple

In some ways, PurpleWave isn't overly sophisticated. It uses conventional HTTP POST requests for transferring data, requires a direct C&C connection for the exfiltration, and uses a bog-standard Registry Mutex for guaranteeing a single instance of the spyware. However, like most spyware, PurpleWave doesn't show symptoms – besides a specific one, under the control of the threat actor – and may make off with valuable passwords and other information before the user realizes there's an infection.

PurpleWave's one symptom is an initialization-based pop-up. The Windows alert is configurable by the attacker, like most of PurpleWave's features. By default, it shows a Russian-language Windows error about damaged hardware. Different campaigns may change the text to support disguises such as errors reading documents or update installation failures.

All users should stay alert to threatening download resources that might harbor PurpleWave drive-by-downloads, such as torrents and unofficial software or media websites. Users also can strengthen their system's security by installing updates regularly and avoiding passwords that are weak and, therefore, at risk from a brute-force attack.

Reliable companies' anti-malware programs should block a wide range of threat-downloading exploits and quarantine or outright remove PurpleWave automatically.

The time between a PurpleWave infection and its removal might only span minutes, but that's long enough for thieving and problems ranging from hijacked accounts to misappropriated cryptocurrency. Anyone in Windows should remember that spyware is an easily-available tool for those without moral inhibitions against using it.
