AI DevwWrld CyberDSA Chatbot Summit Cyber Revolution Summit CYSEC Global Cyber Security & Cloud Expo World Series Digital Identity & Authentication Summit Asian Integrated Resort Expo Middle East Low Code No Code Summit TimeAI Summit

CERT-UA alert: PurpleFox outbreak in Ukraine

Under attack: measures to combat PurpleFox's infiltration into Ukraine

The Ukrainian CERT-UA has detected a wide spread of PurpleFox malware, recommending updating systems and using antivirus to identify and remove the virus.

This pill is also available in Italian language

The Ukrainian computer emergency response team, CERT-UA, has raised an alert regarding a significant wave of PurpleFox malware infections, affecting over 2,000 computers across the country. While the specific impact of the outbreak has not yet been fully quantified, operational details to identify and neutralize this malicious software have been published. PurpleFox, also known as “DirtyMoe,” is a threat first detected in 2018, equipped with a rootkit module that allows it to hide and persist even after devices are rebooted.

The stealthy rise of PurpleFox

Retrieving the Indicators of Compromise (IoC) provided by Avast and TrendMicro, CERT-UA identified traces of the PurpleFox infection, followed under the identification code "UAC-0027". The malicious agent has the ability to self-propagate by exploiting known vulnerabilities and brute force on passwords. For risk mitigation, we recommend confining systems with outdated OS and software using VLANs or physical network segmentation, with entry/exit filters to prevent the spread of malware.

Find out and remove PurpleFox

To identify an ongoing infection, it is suggested to monitor network connections to high-number ports (over 10,000) and check for the presence of certain registry keys via regedit.exe. Further analysis includes checking the Event Viewer for specific events and the presence of uncommon directories in "Program Files". It is advisable to pay attention to the persistence of the execution of the malware, often hidden by a rootkit, by observing specific locations of services and files.

PurpleFox decontamination protocol

If the infection is confirmed, the Ukrainian security body suggests using Avast Free AV for a "SMART" analysis and removal of all modules. Alternatively, you can boot from LiveUSB or connect the infected drive to a non-compromised system to erase the "MsXXXXXXXXApp.dll" and ".sdb" modules. Next, you will need to remove the infected services from the registry. Before returning to normal operation, it is vital to ensure that no new infections occur by blocking, via the Windows firewall, incoming traffic from the ports commonly used by PurpleFox to propagate.

Follow us on Threads for more pills like this

02/01/2024 17:20

Marco Verro

Last pills

Zero-day threat on Android devices: Samsung prepares a crucial updateFind out how Samsung is addressing critical Android vulnerabilities and protecting Galaxy devices from cyber threats

CrowdStrike: how a security update crippled the tech worldGlobal impact of a security update on banking, transportation and cloud services: what happened and how the crisis is being addressed

Checkmate the criminal networks: the Interpol operation that reveals the invisibleFind out how Operation Interpol exposed digital fraudsters and traffickers through extraordinary global collaboration, seizing luxury goods and false documents

Google Cloud security predictions for 2024: how AI will reshape the cybersecurity landscapeFind out how AI will transform cybersecurity and address geopolitical threats in 2024 according to Google Cloud report