February 1, 2024 at 02:11PM
CERT-UA warns about the PurpleFox malware infecting over 2,000 computers in Ukraine. The malware, first seen in 2018, has evolved to switch to using WebSocket for stealthy command and control communications. CERT-UA provides detailed information on how to locate and remove the malware and recommends measures to prevent further spreading.
According to the advisory, a PurpleFox malware campaign has infected over 2,000 computers in Ukraine. The malware is a modular Windows botnet that can deliver more potent second-stage payloads, offer backdoor capabilities, and act as a DDoS bot. It has been observed using WebSocket for command and control (C2) communications for stealth and has spread under the guise of a Telegram desktop app. It is typically distributed through laced MSI installers and possesses self-propagation capabilities using known exploits and password brute-forcing.
In terms of identification and removal, the agency recommends methods such as examining network connections to high ports, checking specific registry values, analyzing the application log for specific event IDs, and verifying the persistent execution of the malware. Additionally, it suggests either using Avast Free AV to run a “SMART” scan and remove all modules or performing manual deletion of specific modules and services.
Finally, to prevent re-infection from PurpleFox, it is recommended to enable the firewall on Windows and create a rule to block incoming traffic from certain ports.
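The identification steps and the firewall recommendation above, turned into a triage script as an added example (not code from CERT-UA or from the news report). Because this summary does not reproduce the advisory's actual port numbers, registry paths or event IDs, every concrete indicator below is a clearly labelled placeholder that must be replaced with the values from the CERT-UA report before the script is useful; the cmdlets themselves (Get-NetTCPConnection, Get-ItemProperty, Get-WinEvent, Get-CimInstance, Set-NetFirewallProfile, New-NetFirewallRule) are standard Windows PowerShell.

```powershell
# Added example: walk the CERT-UA identification checks (high-port connections,
# registry values, Application-log event IDs, persistence) and, once reviewed,
# apply the recommended inbound firewall block. Run from an elevated session.

# --- placeholders (ASSUMED, not from the advisory; replace before use) -------
$SuspiciousPortFloor  = 10000                                   # "high ports" threshold
$RegistryPathsToCheck = @('HKLM:\SOFTWARE\PLACEHOLDER\PurpleFoxIndicator')
$EventIdsToCheck      = @(0)                                    # advisory's event IDs go here
$PortsToBlock         = @(0)                                    # advisory's port list goes here

function Get-HighPortConnections {
    param([int]$PortFloor = 10000)
    # Every TCP connection whose local or remote port is above the threshold,
    # joined to the owning process name so an analyst can see who opened it.
    Get-NetTCPConnection |
        Where-Object { $_.RemotePort -ge $PortFloor -or $_.LocalPort -ge $PortFloor } |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess,
            @{ Name = 'Process'; Expression = {
                (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } }
}

function Get-RegistryIndicators {
    param([string[]]$Paths)
    # Report whether each indicator key exists and, if so, dump its values.
    foreach ($p in $Paths) {
        $present = Test-Path -Path $p
        [pscustomobject]@{
            Path    = $p
            Present = $present
            Values  = if ($present) { Get-ItemProperty -Path $p } else { $null }
        }
    }
}

function Get-ApplicationLogEvents {
    param([int[]]$EventIds, [int]$Days = 30)
    # Pull the advisory's event IDs from the Application log for the last N days.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Application'
        Id        = $EventIds
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName, Message
}

function Get-PersistenceCandidates {
    # Auto-start services whose binary lives outside the Windows directory, plus
    # the machine- and user-level Run keys: the usual places a dropper persists.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' -and $_.PathName -notlike "$env:SystemRoot*" } |
        Select-Object Name, DisplayName, State, PathName

    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($k in $runKeys) {
        if (-not (Test-Path -Path $k)) { continue }
        foreach ($name in (Get-Item -Path $k).Property) {
            [pscustomobject]@{
                Key   = $k
                Name  = $name
                Value = Get-ItemPropertyValue -Path $k -Name $name
            }
        }
    }
}

function Enable-InboundBlock {
    param([int[]]$Ports)
    # Enable the firewall on every profile, then add an inbound block rule for the
    # advisory's ports (placeholder list above; LocalPort is assumed here).
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True
    New-NetFirewallRule -DisplayName 'Block PurpleFox inbound (placeholder ports)' `
        -Direction Inbound -Action Block -Protocol TCP -LocalPort $Ports -Profile Any
}

# --- usage: review the findings first, then apply the block ------------------
Get-HighPortConnections -PortFloor $SuspiciousPortFloor | Format-Table -AutoSize
Get-RegistryIndicators  -Paths $RegistryPathsToCheck     | Format-List
Get-ApplicationLogEvents -EventIds $EventIdsToCheck      | Format-Table -AutoSize
Get-PersistenceCandidates                                | Format-Table -AutoSize
# Enable-InboundBlock -Ports $PortsToBlock   # uncomment once the port list is filled in
```

The checks only surface candidates; the removal step the advisory describes (an Avast scan or manual deletion of the named modules and services) still needs the advisory's own module and service names, which this summary does not list.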