
CERT-UA alert: PurpleFox outbreak in Ukraine

Under attack: measures to combat PurpleFox's infiltration into Ukraine

The Ukrainian CERT-UA has detected widespread PurpleFox malware infections and recommends updating systems and using antivirus software to identify and remove the malware.


The Ukrainian computer emergency response team, CERT-UA, has raised an alert about a significant wave of PurpleFox malware infections affecting over 2,000 computers across the country. While the outbreak's impact has not yet been fully quantified, CERT-UA has published operational guidance for identifying and neutralizing the malware. PurpleFox, also known as “DirtyMoe,” was first detected in 2018 and carries a rootkit module that hides it and lets it persist across reboots.

The stealthy rise of PurpleFox

Using the Indicators of Compromise (IoC) published by Avast and Trend Micro, CERT-UA identified traces of the PurpleFox infection, which it tracks under the identifier "UAC-0027". The malware self-propagates by exploiting known vulnerabilities and by brute-forcing passwords. To mitigate the risk, it is recommended to isolate systems running outdated operating systems and software using VLANs or physical network segmentation, with ingress and egress filtering to prevent the malware from spreading.

Detecting and removing PurpleFox

To identify an ongoing infection, CERT-UA suggests monitoring network connections to high-numbered ports (above 10,000) and checking for the presence of certain registry keys with regedit.exe. Further analysis includes reviewing the Event Viewer for specific events and looking for uncommon directories under "Program Files". Because the malware's persistence is usually hidden by its rootkit, the specific service entries and file locations it uses should also be inspected.
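The following triage script is an added example, not CERT-UA's tooling or part of the original alert. It implements the host-side checks described above: established connections to remote ports at or above 10,000 (the advisory's threshold), recently created top-level directories under Program Files, files named like the advisory's "MsXXXXXXXXApp.dll" or stray ".sdb" shim databases, and services whose binary path references those files. The directories searched, the 30-day window and the regex rendering of the wildcard name are this example's assumptions; the registry keys and Event Viewer events the advisory refers to are not reproduced on this page and are therefore not checked here.

```powershell
# Added triage script (not CERT-UA's tooling). Run in an elevated PowerShell 5.1+
# session on the suspect host. Assumptions, labelled as such: the 10,000 port
# threshold comes from the advisory; '^Ms.{8}App\.dll$' renders the advisory's
# "MsXXXXXXXXApp.dll"; the roots searched and the 30-day window are this example's.

#Requires -RunAsAdministrator

function Get-HighPortConnections {
    param([int]$MinPort = 10000)
    # Established TCP sessions whose remote port is at or above the threshold,
    # mapped to the owning process so the analyst can judge legitimacy.
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.RemotePort -ge $MinPort } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress  = $_.LocalAddress
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
                Pid           = $_.OwningProcess
                Process       = $proc.ProcessName
                Path          = $proc.Path
            }
        }
}

function Get-RecentProgramFilesDirs {
    param([int]$Days = 30)
    # Top-level directories under Program Files created recently; the advisory
    # points at "uncommon" directories, and creation time is a cheap first filter.
    $cutoff = (Get-Date).AddDays(-$Days)
    $roots  = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    foreach ($root in $roots) {
        Get-ChildItem -Path $root -Directory -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.CreationTime -ge $cutoff } |
            Select-Object FullName, CreationTime
    }
}

function Get-SuspectModuleFiles {
    param([string[]]$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot))
    # Files named like the advisory's "MsXXXXXXXXApp.dll", plus .sdb shim databases
    # outside %SystemRoot%\AppPatch, where Windows normally keeps them (assumption).
    $appPatch = Join-Path $env:SystemRoot 'AppPatch'
    foreach ($root in ($Roots | Where-Object { $_ })) {
        Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object {
                ($_.Name -match '^Ms.{8}App\.dll$') -or
                ($_.Extension -ieq '.sdb' -and
                 -not $_.DirectoryName.StartsWith($appPatch, 'OrdinalIgnoreCase'))
            } |
            Select-Object FullName, Length, CreationTime, LastWriteTime
    }
}

function Get-ServicesReferencing {
    param([Parameter(Mandatory)][string[]]$Paths)
    # Services whose binary path mentions one of the suspect files: the persistence
    # the advisory says the rootkit hides from a casual look.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $svcPath = $_.PathName
            $svcPath -and ($Paths | Where-Object { $svcPath -like "*$_*" })
        } |
        Select-Object Name, DisplayName, State, StartMode, PathName
}

# Run all checks and write a timestamped report for the case file.
$report = Join-Path $env:TEMP ("purplefox-triage-{0:yyyyMMdd-HHmmss}.txt" -f (Get-Date))
$files  = @(Get-SuspectModuleFiles)
@(
    '== Established connections to remote ports >= 10000 =='
    Get-HighPortConnections | Format-Table -AutoSize | Out-String
    '== Program Files directories created in the last 30 days =='
    Get-RecentProgramFilesDirs | Format-Table -AutoSize | Out-String
    '== Files matching Ms????????App.dll or .sdb outside AppPatch =='
    $files | Format-Table -AutoSize | Out-String
    '== Services referencing those files =='
    if ($files) { Get-ServicesReferencing -Paths $files.FullName | Format-Table -AutoSize | Out-String }
) | Set-Content -Path $report
Write-Host "Triage report written to $report"
```

The recursive walk of %SystemRoot% and both Program Files trees is slow on a large disk; narrow `-Roots` once you know where the dropped modules live. A hit in any section is a lead, not a verdict: confirm against the IoC lists from Avast and Trend Micro that the advisory is based on before moving to removal.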

PurpleFox decontamination protocol

If the infection is confirmed, CERT-UA suggests running a "SMART" scan with Avast Free AV to remove all of the malware's modules. Alternatively, boot from a LiveUSB or attach the infected drive to a non-compromised system and delete the "MsXXXXXXXXApp.dll" and ".sdb" modules, then remove the malicious services from the registry. Before returning the system to normal operation, block inbound traffic on the ports PurpleFox commonly uses to propagate via the Windows firewall, so that the host is not reinfected.
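The helpers below are an added example, not CERT-UA's tooling or code from the original alert. They cover the manual path described above: deleting identified modules (hashing them first so the case file keeps an IoC), removing a service's registry definition either from the infected disk's offline SYSTEM hive on a clean machine or from the running system, and creating the Windows Firewall block rule. The port list is deliberately a parameter the operator fills from the advisory, since this page does not list the ports; 'D:\Windows' and 'SuspectSvc' in the usage lines are placeholders.

```powershell
# Added remediation helpers (not CERT-UA's tooling). Assumptions, labelled as
# such: the operator supplies service names, file paths and ports from the
# advisory; 'D:\Windows' below is a placeholder for the mounted infected disk.

#Requires -RunAsAdministrator

function Remove-OfflineServiceEntry {
    # Infected disk attached to a clean machine: load its SYSTEM hive, delete the
    # service key from the control set that installation boots, unload the hive.
    param(
        [Parameter(Mandatory)][string]$OfflineWindowsDir,   # e.g. 'D:\Windows' (placeholder)
        [Parameter(Mandatory)][string[]]$ServiceName
    )
    $hiveFile = Join-Path $OfflineWindowsDir 'System32\config\SYSTEM'
    if (-not (Test-Path $hiveFile)) { throw "SYSTEM hive not found at $hiveFile" }
    reg.exe load HKLM\OfflineSYSTEM $hiveFile | Out-Null
    try {
        $current = (Get-ItemProperty -Path 'HKLM:\OfflineSYSTEM\Select').Current
        foreach ($name in $ServiceName) {
            $key = 'HKLM:\OfflineSYSTEM\ControlSet{0:D3}\Services\{1}' -f $current, $name
            if (Test-Path $key) {
                Remove-Item -Path $key -Recurse -Force
                Write-Host "Removed offline service key: $key"
            } else {
                Write-Warning "No offline service key for '$name'"
            }
        }
    } finally {
        [GC]::Collect()                      # release registry handles so unload succeeds
        reg.exe unload HKLM\OfflineSYSTEM | Out-Null
    }
}

function Remove-LiveServiceEntry {
    # Cleaning on the running system after the modules are gone: stop the service
    # if it is still running, then remove its registry definition.
    param([Parameter(Mandatory)][string[]]$ServiceName)
    foreach ($name in $ServiceName) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($svc -and $svc.Status -ne 'Stopped') {
            Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
        }
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        if (Test-Path $key) { Remove-Item -Path $key -Recurse -Force }
    }
}

function Remove-SuspectFiles {
    # Delete identified modules, recording a SHA-256 first for the case file.
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($p in $Path) {
        if (Test-Path -LiteralPath $p) {
            $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            Write-Host ("{0}  {1}" -f $hash, $p)
            Remove-Item -LiteralPath $p -Force
        }
    }
}

function Block-InboundPropagationPorts {
    # Windows Firewall rule blocking inbound TCP on the ports the advisory lists;
    # the operator passes that list in, this example hard-codes none.
    param(
        [Parameter(Mandatory)][int[]]$Port,
        [string]$DisplayName = 'Block PurpleFox propagation ports'
    )
    if (Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue) {
        Remove-NetFirewallRule -DisplayName $DisplayName   # replace rather than duplicate
    }
    New-NetFirewallRule -DisplayName $DisplayName -Direction Inbound -Action Block `
        -Protocol TCP -LocalPort $Port -Profile Any -Enabled True | Out-Null
}

# Usage (placeholders; substitute names, paths and ports from the advisory):
# Remove-SuspectFiles -Path 'D:\Program Files\Example\MsXXXXXXXXApp.dll'
# Remove-OfflineServiceEntry -OfflineWindowsDir 'D:\Windows' -ServiceName 'SuspectSvc'
# Block-InboundPropagationPorts -Port <ports listed in the advisory>
```

Work offline where you can: with the rootkit's driver service deleted from the offline hive, it never loads on the next boot, which is what makes the file deletions stick. Apply the firewall rule before the host rejoins the network, and keep the recorded hashes with the incident notes.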


02/01/2024 17:20

Editorial AI
