
CERT-UA alert: PurpleFox outbreak in Ukraine

Under attack: measures to combat PurpleFox's infiltration into Ukraine

The Ukrainian CERT-UA has detected a wide spread of PurpleFox malware, recommending updating systems and using antivirus to identify and remove the virus.


The Ukrainian computer emergency response team, CERT-UA, has raised an alert regarding a significant wave of PurpleFox malware infections, affecting over 2,000 computers across the country. While the specific impact of the outbreak has not yet been fully quantified, operational details to identify and neutralize this malicious software have been published. PurpleFox, also known as “DirtyMoe,” is a threat first detected in 2018, equipped with a rootkit module that allows it to hide and persist even after devices are rebooted.

The stealthy rise of PurpleFox

Using the Indicators of Compromise (IoC) published by Avast and TrendMicro, CERT-UA identified traces of the PurpleFox infection, which it tracks under the identifier "UAC-0027". The malware can self-propagate by exploiting known vulnerabilities and by brute-forcing passwords. For risk mitigation, we recommend confining systems with outdated operating systems and software to separate VLANs or physically segmented networks, with ingress/egress filtering to prevent the malware from spreading.

Detecting and removing PurpleFox

To identify an ongoing infection, it is suggested to monitor network connections to high-numbered ports (above 10,000) and to check for the presence of specific registry keys via regedit.exe. Further analysis includes looking for specific events in the Event Viewer and for uncommon directories under "Program Files". Attention should also be paid to how the malware persists its execution, which is often concealed by the rootkit, by inspecting the specific service and file locations listed in the advisory.

PurpleFox decontamination protocol

If the infection is confirmed, the Ukrainian security body suggests using Avast Free AV to run a "SMART" scan and remove all modules. Alternatively, boot from a LiveUSB or attach the infected drive to a non-compromised system and delete the "MsXXXXXXXXApp.dll" and ".sdb" modules. Next, the infected services must be removed from the registry. Before returning the system to normal operation, it is vital to prevent re-infection by blocking, via the Windows Firewall, inbound traffic on the ports PurpleFox commonly uses to propagate.
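As an added illustration of the triage and containment steps described in the two sections above (example code written for this page, not tooling from CERT-UA or the page's author), the following PowerShell functions list established connections to remote ports above 10,000, search for files matching the "MsXXXXXXXXApp.dll" naming pattern and ".sdb" modules, flag recently created directories under "Program Files", and create an inbound firewall block rule. It assumes an elevated PowerShell session on Windows 10 or later; the "uncommon directory" heuristic (created in the last 30 days), the interpretation of each X as one alphanumeric character, the search root and the port list are all assumptions or placeholders, since the summary above does not specify them.

```powershell
# Added example, not CERT-UA's code. Run as Administrator on the suspect host.

# 1. Established TCP connections to high-numbered remote ports (> 10000),
#    annotated with the owning process for analyst review.
function Get-HighPortConnections {
    Get-NetTCPConnection -State Established |
        Where-Object { $_.RemotePort -gt 10000 } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
                PID           = $_.OwningProcess
                Process       = $proc.ProcessName
            }
        }
}

# 2. Files named like "MsXXXXXXXXApp.dll" (assumption: X = one alphanumeric
#    character) and any ".sdb" file under the search root. Note that Windows
#    ships legitimate .sdb files in %SystemRoot%\AppPatch, so review hits
#    rather than deleting them blindly.
function Find-SuspectModules {
    param([string]$Root = $env:SystemRoot)   # search root is an assumption
    Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Name -match '^Ms[0-9A-Za-z]{8}App\.dll$' -or $_.Extension -eq '.sdb'
        } | Select-Object FullName, Length, CreationTime
}

# 3. Directories created recently under Program Files (30-day window is a
#    heuristic chosen for this example, not a value from the advisory).
function Get-RecentProgramFilesDirs {
    param([int]$Days = 30)
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ChildItem -Path $env:ProgramFiles, ${env:ProgramFiles(x86)} -Directory -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -gt $cutoff } |
        Select-Object FullName, CreationTime
}

# 4. Inbound block rule for the propagation ports. PLACEHOLDER: substitute the
#    port numbers listed in the CERT-UA advisory.
function Block-InboundPorts {
    param([Parameter(Mandatory)][int[]]$Ports)
    New-NetFirewallRule -DisplayName 'Block PurpleFox propagation ports' `
        -Direction Inbound -Action Block -Protocol TCP -LocalPort $Ports
}

Get-HighPortConnections | Format-Table
Find-SuspectModules | Format-Table
Get-RecentProgramFilesDirs | Format-Table
```

Run the three collection functions first and keep their output as evidence; call Block-InboundPorts with the advisory's port list only after the modules and services have been removed.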


02/01/2024 17:20

Marco Verro
