CERT-UA alert: PurpleFox outbreak in Ukraine
Under attack: measures to combat PurpleFox's infiltration into Ukraine
The Ukrainian CERT-UA has detected a wide spread of PurpleFox malware, recommending updating systems and using antivirus to identify and remove the virus.
The Ukrainian computer emergency response team, CERT-UA, has raised an alert regarding a significant wave of PurpleFox malware infections, affecting over 2,000 computers across the country. While the specific impact of the outbreak has not yet been fully quantified, operational details to identify and neutralize this malicious software have been published. PurpleFox, also known as “DirtyMoe,” is a threat first detected in 2018, equipped with a rootkit module that allows it to hide and persist even after devices are rebooted.
The stealthy rise of PurpleFox
Retrieving the Indicators of Compromise (IoC) provided by Avast and TrendMicro, CERT-UA identified traces of the PurpleFox infection, followed under the identification code "UAC-0027". The malicious agent has the ability to self-propagate by exploiting known vulnerabilities and brute force on passwords. For risk mitigation, we recommend confining systems with outdated OS and software using VLANs or physical network segmentation, with entry/exit filters to prevent the spread of malware.
Find out and remove PurpleFox
To identify an ongoing infection, it is suggested to monitor network connections to high-number ports (over 10,000) and check for the presence of certain registry keys via regedit.exe. Further analysis includes checking the Event Viewer for specific events and the presence of uncommon directories in "Program Files". It is advisable to pay attention to the persistence of the execution of the malware, often hidden by a rootkit, by observing specific locations of services and files.
PurpleFox decontamination protocol
If the infection is confirmed, the Ukrainian security body suggests using Avast Free AV for a "SMART" analysis and removal of all modules. Alternatively, you can boot from LiveUSB or connect the infected drive to a non-compromised system to erase the "MsXXXXXXXXApp.dll" and ".sdb" modules. Next, you will need to remove the infected services from the registry. Before returning to normal operation, it is vital to ensure that no new infections occur by blocking, via the Windows firewall, incoming traffic from the ports commonly used by PurpleFox to propagate.
Follow us on Google News for more pills like this02/01/2024 17:20
Marco Verro