Weak passwords used over the Windows Server Message Block (SMB) protocol are often part of attacks that result in the spread of Purple Fox malware, Specops researchers report.
Purple Fox, first detected in 2018, is a malware campaign that targets Windows machines. Until recently, its operators used phishing emails and various privilege escalation exploits to target Internet Explorer and Windows devices. However, in late 2020 and early 2021 a new infection vector emerged: Internet-facing Windows devices being compromised through SMB password brute force.
While Purple Fox's functionality didn't change post-exploitation, its distribution method caught the eye of Guardicore researchers. The team observing Purple Fox describes a "hodge-podge" of vulnerable and compromised machines hosting the initial payload, infected devices serving as nodes of worm campaigns, and server infrastructure believed to be related to other malware campaigns.
There are multiple ways Purple Fox can start spreading. In some attacks, the worm payload is executed after a target is compromised through an exposed service such as SMB; these services are targeted with weak passwords and hashes. In other attacks, the worm is delivered through a phishing email that exploits a browser vulnerability.
Researchers with Specops created a global honeypot system to collect information on what these SMB attacks look like and the kind of passwords attackers are using. The team analyzed more than 250,000 attacks on the SMB protocol over a period of 30 days. In that time, "password" was seen used in attacks more than 640 times, they report.
"Password" was only the third most-common password used in these attacks. Most popular was "123," followed by "Aa123456." They also frequently tried "1qaz2wsx," "abc123," "password1," "welcome," "888888," and "112233."
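The kind of analysis Specops describes, tallying which passwords a honeypot sees attackers try and flagging sources that hammer SMB, is easy to reproduce on your own logs. The Python below is an added example, not code from Specops or the article: it parses a few constructed honeypot-style records (the log format, the source addresses and the usernames are all made up for the example), counts the passwords attempted, flags any source that makes five or more attempts within a sixty-second window (both thresholds are assumptions), and screens a candidate password against the weak passwords the article lists so that a password policy can reject them outright.

```python
"""Added example: tally SMB brute-force attempts from constructed honeypot records
and screen new passwords against the weak passwords named in the article."""
from collections import Counter
from datetime import datetime, timedelta

# Weak passwords named in the article, used here as a banned list.
ARTICLE_WEAK_PASSWORDS = {
    "123", "Aa123456", "password", "1qaz2wsx", "abc123",
    "password1", "welcome", "888888", "112233",
}

# Constructed records (not real honeypot data): ISO timestamp, then key=value fields.
# The format itself is an assumption for this example, not Specops' own.
SAMPLE_LOG = """\
2021-03-01T10:00:00 src=203.0.113.5 user=administrator pass=123
2021-03-01T10:00:05 src=203.0.113.5 user=administrator pass=Aa123456
2021-03-01T10:00:09 src=203.0.113.5 user=administrator pass=password
2021-03-01T10:00:14 src=203.0.113.5 user=admin pass=123
2021-03-01T10:00:20 src=203.0.113.5 user=admin pass=1qaz2wsx
2021-03-01T10:00:31 src=203.0.113.5 user=admin pass=123
2021-03-01T10:45:00 src=198.51.100.7 user=backup pass=welcome
"""


def parse_attempts(text):
    """Turn the log text into a list of dicts with keys ts, src, user, password."""
    attempts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *fields = line.split()
        record = {"ts": datetime.fromisoformat(stamp)}
        for field in fields:
            key, value = field.split("=", 1)  # passwords may contain '='
            record["password" if key == "pass" else key] = value
        attempts.append(record)
    return attempts


def password_frequency(attempts):
    """Count how often each password was tried, as in the Specops tally."""
    return Counter(a["password"] for a in attempts)


def brute_force_sources(attempts, threshold=5, window=timedelta(seconds=60)):
    """Return source addresses with >= threshold attempts inside any `window`."""
    by_src = {}
    for a in attempts:
        by_src.setdefault(a["src"], []).append(a["ts"])
    flagged = set()
    for src, stamps in by_src.items():
        stamps.sort()
        # Slide a window of `threshold` consecutive attempts over the timeline.
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                flagged.add(src)
                break
    return flagged


def check_password(candidate, min_length=12):
    """Return a rejection reason, or None if the password passes the checks.

    The minimum length is an assumed policy value for the example.
    """
    banned = {p.lower() for p in ARTICLE_WEAK_PASSWORDS}
    if candidate.lower() in banned:
        return "appears on the attacker wordlist"
    if len(candidate) < min_length:
        return f"shorter than {min_length} characters"
    return None


if __name__ == "__main__":
    attempts = parse_attempts(SAMPLE_LOG)
    print("most tried:", password_frequency(attempts).most_common(3))
    print("brute-force sources:", sorted(brute_force_sources(attempts)))
    for pw in ("123", "correct-horse-battery-staple"):
        print(pw, "->", check_password(pw) or "accepted")
```

On the constructed records the top attempted password is "123", matching the article's ranking, and only the source that made six attempts in just over half a minute is flagged; the single "welcome" attempt from the second address stays below the threshold but still shows up in the password tally, which is the more useful signal for a banned-password list.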
Read the full list here.