
CERT-UA alert: PurpleFox outbreak in Ukraine

Under attack: measures to combat PurpleFox's infiltration into Ukraine

CERT-UA, Ukraine's computer emergency response team, has detected a widespread PurpleFox malware infection and recommends patching systems and using antivirus software to identify and remove it.


The Ukrainian computer emergency response team, CERT-UA, has raised an alert about a significant wave of PurpleFox malware infections affecting more than 2,000 computers across the country. While the impact of the outbreak has not yet been fully quantified, CERT-UA has published operational guidance for identifying and neutralising the malware. PurpleFox, also known as "DirtyMoe", was first documented in 2018 and ships with a rootkit module that hides its components and lets it survive reboots.

The stealthy rise of PurpleFox

Using indicators of compromise (IoCs) published by Avast and Trend Micro, CERT-UA identified traces of the PurpleFox infection, which it tracks as activity cluster UAC-0027. The malware self-propagates by exploiting known vulnerabilities and brute-forcing passwords. To limit its spread, the advisory recommends isolating systems that run outdated operating systems or software in dedicated VLANs or physically segmented networks, with ingress and egress filtering so that an infected host cannot reach the rest of the estate.

Detect and remove PurpleFox

To identify an active infection, the advisory suggests monitoring network connections to high-numbered ports (above 10,000) and checking for specific registry keys with regedit.exe. Further checks include reviewing the Event Viewer for particular events and looking for unusual directories under "Program Files". Because the rootkit hides the malware's persistence mechanism, the service entries and file locations it uses should be inspected directly rather than relying on what a compromised system reports about itself.
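The following PowerShell triage script is an added example written for this page, not CERT-UA's own tooling, and it walks the checks above on a live host: connections to remote ports above 10,000, services whose image or service DLL references the "MsXXXXXXXXApp.dll" module named later in the advisory, module files on disk, recently created "Program Files" directories and recent service installations. Three things are assumptions rather than facts from the page: that the module name expands to Ms<8 hex digits>App.dll, that System-log event 7045 ("a service was installed in the system") is the event worth reviewing, and that .sdb files outside the AppPatch and WinSxS trees are the ones that merit a second look. The advisory's specific registry keys are not named on the page and are not guessed here.

```powershell
# Added triage script, not CERT-UA's own tooling. Assumptions (not stated on the page):
# the "MsXXXXXXXXApp.dll" module name expands to Ms<8 hex digits>App.dll, event 7045
# ("a service was installed") is the System-log event worth reviewing, and .sdb files
# outside AppPatch/WinSxS are the ones worth a second look. Run from an elevated shell.
$dllPattern    = 'Ms[0-9A-Fa-f]{8}App\.dll'   # assumed expansion of MsXXXXXXXXApp.dll
$portThreshold = 10000                         # threshold quoted in the advisory summary

Write-Host "[1] Established TCP connections to remote ports above $portThreshold"
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.RemotePort -gt $portThreshold } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $name = if ($proc) { $proc.ProcessName } else { '<hidden or exited>' }
        [pscustomobject]@{
            Remote  = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
            PID     = $_.OwningProcess
            Process = $name
        }
    } | Format-Table -AutoSize

Write-Host "[2] Services whose ImagePath or ServiceDll references a Ms*App.dll module"
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $img = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).ImagePath
        $dll = (Get-ItemProperty "$($_.PSPath)\Parameters" -ErrorAction SilentlyContinue).ServiceDll
        if ("$img $dll" -match $dllPattern) {
            [pscustomobject]@{ Service = $_.PSChildName; ImagePath = $img; ServiceDll = $dll }
        }
    } | Format-Table -AutoSize

Write-Host "[3] Module files on disk under $env:SystemRoot"
Get-ChildItem $env:SystemRoot -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Name -match $dllPattern -or
        ($_.Extension -ieq '.sdb' -and $_.FullName -notmatch '\\(AppPatch|WinSxS)\\')
    } | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize

Write-Host "[4] Most recently created directories under Program Files (review manually)"
@($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ } |
    Get-ChildItem -Directory -ErrorAction SilentlyContinue |
    Sort-Object CreationTime -Descending |
    Select-Object -First 15 FullName, CreationTime | Format-Table -AutoSize

Write-Host "[5] Service installations in the last 30 days (System log, event 7045)"
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-30) } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
        @{ n = 'Service'; e = { $_.Properties[0].Value } },
        @{ n = 'Image';   e = { $_.Properties[1].Value } } | Format-Table -AutoSize
```

Treat an empty result from sections 1 to 3 with caution: a rootkit can filter what the live system reports, so a process shown as "hidden or exited" or a suspicious service with no visible file is itself a signal, and the offline checks in the removal section are the authoritative ones.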

PurpleFox decontamination protocol

If the infection is confirmed, CERT-UA suggests running a "SMART" scan with Avast Free Antivirus to remove all of the malware's modules. Alternatively, boot from a live USB, or attach the infected drive to a clean system, and delete the "MsXXXXXXXXApp.dll" and ".sdb" modules, then remove the malicious services from the registry. Before the machine is returned to service, block inbound traffic on the ports PurpleFox uses to propagate via the Windows firewall, so that the cleaned host cannot be reinfected by its neighbours.
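The offline clean-up path described above, as an added PowerShell example that is not CERT-UA's own script: the infected volume is attached to a clean analysis host, the DLL module is deleted from disk, the offline SYSTEM hive is loaded so the services that reference it can be removed, and a firewall rule is defined for the cleaned host. Assumptions not on the page: the volume is mounted as D:, the module name expands to Ms<8 hex digits>App.dll, .sdb files outside AppPatch and WinSxS are only listed for review because the page does not say where the malicious one lives, and TCP 445 (SMB) stands in for the propagation ports the advisory names.

```powershell
# Added example of the offline clean-up path, not CERT-UA's own script. Assumptions (not
# on the page): the infected volume is attached to a clean analysis host as D:, the module
# name expands to Ms<8 hex digits>App.dll, and TCP 445 (SMB) stands in for the propagation
# ports the advisory names. Run elevated; pass -WhatIf first to see what would be removed.
param(
    [string]$Volume = 'D:',
    [switch]$WhatIf
)

$dllPattern = 'Ms[0-9A-Fa-f]{8}App\.dll'
$windir     = Join-Path $Volume 'Windows'
$hive       = Join-Path $windir 'System32\config\SYSTEM'
$mount      = 'HKLM\OffSys'

# 1. Delete the dropped DLL module(s); list .sdb files outside the stock locations for review.
Get-ChildItem $windir -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
    if ($_.Name -match $dllPattern) {
        Write-Host "Removing module $($_.FullName)"
        Remove-Item $_.FullName -Force -WhatIf:$WhatIf
    } elseif ($_.Extension -ieq '.sdb' -and $_.FullName -notmatch '\\(AppPatch|WinSxS)\\') {
        Write-Host "Review .sdb candidate: $($_.FullName)"
    }
}

# 2. Load the offline SYSTEM hive and remove every service that points at the module.
& reg.exe load $mount $hive | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not load $hive as $mount" }
try {
    $current = (Get-ItemProperty 'HKLM:\OffSys\Select').Current   # active control set number
    $svcRoot = 'HKLM:\OffSys\ControlSet{0:D3}\Services' -f $current
    Get-ChildItem $svcRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $img = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).ImagePath
        $dll = (Get-ItemProperty "$($_.PSPath)\Parameters" -ErrorAction SilentlyContinue).ServiceDll
        if ("$img $dll" -match $dllPattern) {
            Write-Host "Removing service $($_.PSChildName) ($img $dll)"
            Remove-Item $_.PSPath -Recurse -Force -WhatIf:$WhatIf
        }
    }
} finally {
    [GC]::Collect()                      # drop PowerShell's handles so the hive unloads cleanly
    & reg.exe unload $mount | Out-Null
}

# 3. Run on the cleaned host after it boots: block inbound propagation traffic.
function Block-PropagationPorts {
    param([int[]]$Ports = @(445))        # 445 is an assumed example, not the advisory's list
    foreach ($p in $Ports) {
        New-NetFirewallRule -DisplayName "Block inbound TCP $p (PurpleFox propagation)" `
            -Direction Inbound -Protocol TCP -LocalPort $p -Action Block -Profile Any | Out-Null
    }
}
```

Steps 1 and 2 run on the analysis host against the attached volume, which is why the rootkit cannot interfere with them; Block-PropagationPorts is meant to be called on the cleaned machine once it has booted, with the port list replaced by the ports CERT-UA actually lists. Keep the -WhatIf dry run until the reported module and service names match what the triage step found.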


02/01/2024 17:20

Editorial AI
