
Purple Fox

Posted: October 3, 2019

Purple Fox is a Trojan downloader that includes rootkit properties for avoiding detection, among other defenses. It can deliver different threats to the computer, and usually does so after the victim loads an Exploit Kit (EK) served from a compromised site. Users should maintain secure browser settings, let anti-malware solutions block or remove Purple Fox, and re-secure any potentially collected data, such as passwords.

Foxes Mining Open Source Code for Problem-Solving

Tens of thousands of victims might be enough for some criminals, but the operators of the Purple Fox Trojan downloader are continuing to add more to their tally. Updates to this rootkit-Trojan hybrid include shifts in how it protects itself, with an increased emphasis on suppressing any symptoms of infections to users and ducking analysis tools. The result of this updated set of features is a grab bag of different threats since Purple Fox can drop anything from a Bitcoin-mining Trojan to a banking one.

Older versions of Purple Fox use NSIS (the Nullsoft Scriptable Install System), like the XMRig-dropping Norman, to deliver their chosen second-stage payload. Both old and new versions of Purple Fox also take advantage of rootkit features, which guarantee that the Trojan launches before the operating system starts. Purple Fox comes in both 32-bit and 64-bit versions, each for the appropriate environment.

Although these defenses are already invasive and significant, malware experts are finding that newer versions of Purple Fox go several steps further. They abandon NSIS in favor of PowerShell, which lets Purple Fox live in memory by injecting into preexisting processes rather than keeping visible files on the infected system. Its infection strategies (see below) are also more intricate and can compromise more system types. Last, it keeps the preexisting rootkit feature but borrows public code to improve its defenses against threat analyzers.

Follow the Trail of Exploits Back to the Foxy Trojan

Current infection techniques for Purple Fox are, if not novel, at least highly involved. They use a multi-step process to compromise the system after the victim is exposed to the RIG Exploit Kit, an EK that also delivers MedusaIRC, the ancestor of MedusaHTTP, and countless other Trojans. Through a coordinated dance of PowerShell scripts, privilege-escalation exploits, Internet Explorer vulnerabilities, and Windows VBScript vulnerabilities, the attack uses or forcibly takes admin privileges and deposits Purple Fox.

Rootkit staples such as memory injection, combined with the exploits above, keep users from identifying any files or Registry entries that Purple Fox might require. Even if a user does identify it, the Trojan downloads and auto-runs additional threats, each bringing further security issues, with or without visible symptoms, that must also be overcome. For-profit operations, such as generating cryptocurrency through mining, are a typical focus of for-hire Trojan downloaders like Purple Fox.

Purple Fox isn't without protections against the cyber-security community, either, and will hide some of its components – or attempt to do so. However, having anti-malware solutions remains the best chance of detecting and removing Purple Fox in time, before further attacks can launch.

Many of Purple Fox's software-abusing choices are as old as five years and are resolvable with nothing worse than installing an elderly security patch. Those who forget their updates will pay, one way or another, and predators like Purple Fox will guarantee it.
