PurpleFox (also known as DirtyMoe, Perkiler, and NuggetPhantom) is a PowerShell-based botnet and exploit kit to install cryptocurrency miners that has been active since late 2017. It has had a slowly growing number of features from DDoS in 2018 to now including a worm module to spread via SMB. In 2021, the PurpleFox gang has installed miners on over 100,000 systems. This reporting comes from Avast, which may be an undercount.
Analyst Notes
In the past, the Binary Defense Security Operations Task Force has responded to PurpleFox and quickly identified it for further hunting. If PowerShell logging is enabled on a host, there are several ways to monitor for the actions PurpleFox will take. One of which is a high number of calls (6+) for the cmdlet Set-MpPreference to disable Windows Defender. Along that same vein, PurpleFox will make an increased number of calls (10+) to spawn cmd.exe child processes. The vast majority of the calls to cmd are to call reg.exe for continuous attempts to disable Windows Defender. Lastly, building detections to catch wmic attempts to scan for AntiVirus software being enabled is an evergreen detection that is effective when malware is looking to gain a foothold on a system. Pulling this information from centralized logging sources and continuous monitoring make these kinds of investigations and detections possible to get ahead of threats before they grow into a larger incident.
