
New Windows Botnet Rapidly Expanding

March 23, 2021

Growing Botnet Exploits Weak Windows Passwords

Security researchers have identified a rapidly expanding botnet that specifically targets Windows-based systems. This growth is fueled by a novel infection method enabling the malware to propagate directly between computers.

Initial Infection Vectors

Originally observed in 2018, the Purple Fox malware initially spread through traditional methods like phishing emails and exploit kits. These techniques leverage existing security vulnerabilities to compromise machines.

New Attack Strategy: SMB Exploitation

However, recent investigations by Amit Serper and Ophir Harpaz at Guardicore reveal a significant shift in the malware’s tactics. It now actively seeks out internet-connected Windows computers protected by easily guessable passwords.

The malware attempts to gain access by targeting the Server Message Block (SMB) protocol – a crucial component facilitating communication between Windows devices, including printers and file servers.

Payload Delivery and Persistence

Upon successful access to a vulnerable system, the malware retrieves a malicious payload from a network of roughly 2,000 compromised, older Windows web servers.

This payload installs a rootkit, ensuring the malware remains persistently embedded within the compromised computer and becomes significantly more difficult to detect or remove.

Firewall Manipulation and Lateral Movement

Following infection, the malware proactively closes the firewall ports it initially utilized for access. This action likely aims to prevent reinfection or the hijacking of the compromised system by other malicious actors.

Subsequently, the malware generates a list of internet addresses and initiates a scan for additional vulnerable devices with weak passwords, thereby expanding its network of infected hosts.
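
The SMB password-guessing described above leaves a recognizable trace in Windows Security logs: a burst of failed network logons (event 4625, logon type 3) from one source, sometimes followed by a success (4624) from the same source. The following detector is an added example, not code from the article or from Guardicore; the log format and sample events are constructed, and the threshold and window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security log events, flattened to
# "timestamp|EventID|LogonType|SourceIP|Account".
# 4625 = failed logon, 4624 = successful logon, LogonType 3 = network logon
# (the type SMB authentication produces).
SAMPLE_EVENTS = """\
2021-03-20T02:14:01|4625|3|203.0.113.7|administrator
2021-03-20T02:14:02|4625|3|203.0.113.7|admin
2021-03-20T02:14:03|4625|3|203.0.113.7|guest
2021-03-20T02:14:04|4625|3|203.0.113.7|test
2021-03-20T02:14:05|4625|3|203.0.113.7|user
2021-03-20T02:14:06|4624|3|203.0.113.7|administrator
2021-03-20T02:20:00|4625|3|198.51.100.9|bob
2021-03-20T02:30:00|4624|2|198.51.100.9|bob
"""


def parse_events(text):
    """Parse the flattened log format into (timestamp, event_id, logon_type, src_ip, account)."""
    events = []
    for line in text.splitlines():
        ts, eid, ltype, ip, acct = line.split("|")
        events.append((datetime.fromisoformat(ts), int(eid), int(ltype), ip, acct))
    return events


def detect_smb_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag each source IP with >= threshold failed network logons inside `window`,
    and record the account name if a network logon from that source later succeeded.
    Threshold and window are assumed tuning values, not figures from the article."""
    by_src = defaultdict(list)
    for ev in sorted(events):
        if ev[2] == 3:  # only network logons matter for SMB guessing
            by_src[ev[3]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        recent_fails = []
        for ts, eid, _, _, acct in evs:
            if eid == 4625:
                recent_fails.append(ts)
                recent_fails = [t for t in recent_fails if ts - t <= window]
                if len(recent_fails) >= threshold and src not in alerts:
                    alerts[src] = {"failures": len(recent_fails), "success_after": None}
            elif eid == 4624 and src in alerts and alerts[src]["success_after"] is None:
                alerts[src]["success_after"] = acct  # guessing burst followed by success
    return alerts
```

Because the malware closes the port it used once it is inside, an external port scan may no longer show the exposure on an already-infected host; the logon-failure history is what survives.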

The Risks of Botnets

Botnets are created when numerous compromised devices are incorporated into a network controlled by criminal entities.

  • These networks are frequently employed to launch Distributed Denial-of-Service (DDoS) attacks, overwhelming organizations with traffic and disrupting their operations.
  • Criminals can also utilize botnets to distribute malware and spam.
  • Furthermore, they can deploy ransomware to encrypt files on infected computers.

Wormable Nature and Increased Threat

This particular botnet’s wormable characteristics pose a heightened risk due to its capacity for largely autonomous propagation.

Cost-Effectiveness of the New Technique

According to Serper, Guardicore’s VP of Security Research for North America, the wormable infection method is more economical to operate compared to the previous phishing and exploit kit approaches.

“The opportunistic nature of the attack, with its continuous scanning for vulnerable machines, allows attackers to essentially deploy it and leave it running,” he explained.

Exponential Growth in Infections

The effectiveness of this new strategy is evident in the dramatic increase in Purple Fox infections. Guardicore’s data indicates a 600% surge since May 2020.

The actual number of infections is likely considerably higher, exceeding 90,000 in the past year.

Mitigation and Future Concerns

Guardicore has released indicators of compromise (IOCs) to assist networks in identifying potential infections.

While the ultimate purpose of the botnet remains unknown, researchers caution that its expanding size represents a growing threat to organizations.

“We anticipate this activity is preparatory for a future operation,” Serper stated.
