February 1, 2024 at 12:15PM
CERT-UA warns of the PurpleFox malware infecting over 2,000 Ukrainian computers with potential backdoor, DDoS, and downloader capabilities. It utilizes a rootkit to persist and conceal its presence. CERT-UA provides methods to detect and remove the malware, including checking network connections, registry values, event logs, and specific file locations, and recommends employing firewall measures to prevent re-infection.
Key takeaways:
– The Computer Emergency Response Team in Ukraine (CERT-UA) has issued a warning about a PurpleFox malware campaign that has infected over 2,000 computers in the country.
– The malware, also known as ‘DirtyMoe’, is a modular Windows botnet malware that was first identified in 2018 and comes with a rootkit module allowing it to hide and persist between device reboots. It can be used for various malicious activities, including introducing second-stage payloads, backdoor capabilities, and acting as a DDoS bot.
– New versions of PurpleFox have been observed using WebSocket for command and control communications and have been spread under the guise of a Telegram desktop app.
– CERT-UA used IoCs from Avast and Trend Micro to identify PurpleFox malware infections on Ukrainian computers, tracking the activity under the identifier ‘UAC-0027’.
– The agency has shared detailed information on how to locate and remove the malware, as well as recommendations for preventing its spread, such as isolating systems with outdated OS versions and software using VLAN or physical network segmentation with incoming/outgoing filtering.
– CERT-UA has identified over 486 intermediate control server IP addresses, most of which are located in China. The agency noted that removing the malware is challenging because of its rootkit, but provided effective methods to detect and remove it.