PurpleWave

By GoldSparrow in Trojans

There are many malware families in circulation, but infostealers are among the most profitable for cybercriminals. The information they steal can be sold on underground markets or used for other crimes, including identity theft and fraud. Zscaler ThreatLabZ discovered the PurpleWave infostealer. PurpleWave is written in C++ and installs itself quietly on a system before getting to work. It connects to an external command-and-control (C2) server and sends information about the system and user to it. It can also download additional malware from the server for more advanced attacks.

What is PurpleWave?

PurpleWave is an information-stealing malware that collects many kinds of personal data from a computer, including usernames and passwords. It can also download additional threats, and its operator can configure how it behaves in specific scenarios. Users should be careful when browsing the internet to reduce their risk of encountering PurpleWave.

PurpleWave is offered for sale on Russian-language sites on the dark web. The attackers behind it offer it both for rental and for use in hacking attacks. PurpleWave has the same core features as any basic spyware and is compatible with most versions of Windows. The malware gives attackers plenty of functionality for finding and stealing data from a target system. Given that it is sold on the dark web and appears to come with support from the developers, there is no telling how many infections or infection vectors PurpleWave could have.

One thing that stands out about PurpleWave is that the developer seems to prefer volume over price when it comes to potential clients. The spyware is available on the dark web for under $70. Those who take the developer up on the bargain can configure the spyware for different attacks, including module-based ones. Most of these attacks involve the exfiltration of information from target computers, including cookies, passwords, auto-fill data, browser history, and other information from Chromium-based browsers, Firefox, Telegram, and Steam.

PurpleWave is sold with some optional specialized features, depending on what the attacker needs it for. One is an optional .NET Framework module that steals cryptocurrency wallet data from target computers so attackers can take the coins. The spyware also has a screenshot module that captures the screen as a PNG file, along with the ability to search for specific file types in particular locations. On top of the modules that extend its own functionality, the spyware also works as a trojan downloader, fetching and installing other threats.

What Does PurpleWave Do?

PurpleWave is relatively simple compared to similar threats. It exfiltrates stolen data to its C2 server in a conventional HTTP POST request, and it uses a named mutex to guarantee that only one instance of the malware runs at a time. Much like other spyware, it produces almost no symptoms of infection. The only visible sign is a pop-up that the attacker can choose to trigger or not. Even if they do activate the pop-up, it is likely to appear long after they have stolen your data, when there is nothing you can do about it.
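
Since the page gives no indicators for PurpleWave itself, the following is an added example (not code from the article or from Zscaler's research) of how a defender can hunt for the exfiltration pattern just described: a plain HTTP POST sent straight to a C2 host rather than as part of normal browsing. It runs over constructed, simplified web-proxy log lines (pipe-separated fields; the hosts, the address 203.0.113.7 from the documentation range, and the paths are invented), and the three heuristics and the two-signal threshold are assumptions to tune for your own environment.

```python
"""Added example: hunting proxy logs for a bare HTTP POST to a C2 host.

Not code from the article or from Zscaler's research. Log format, hosts,
paths and thresholds are all constructed/assumed for illustration.

Constructed log format (pipe-separated):
    timestamp|client_ip|method|host|path|user_agent|status|bytes
"""
import ipaddress
from collections import defaultdict

# Constructed sample proxy log lines (not real traffic). 203.0.113.7 is from
# the TEST-NET-3 documentation range and stands in for a C2 address.
SAMPLE_LOG = """\
2020-08-20T10:01:02Z|10.0.0.5|GET|www.example.com|/|Mozilla/5.0 (Windows NT 10.0) Chrome/84.0|200|5120
2020-08-20T10:01:03Z|10.0.0.5|POST|www.example.com|/login|Mozilla/5.0 (Windows NT 10.0) Chrome/84.0|302|410
2020-08-20T10:02:15Z|10.0.0.5|POST|203.0.113.7|/gate.php|-|200|2048
2020-08-20T10:02:40Z|10.0.0.9|GET|stats.example.org|/|Mozilla/5.0 (Windows NT 10.0) Firefox/79.0|200|900
2020-08-20T10:03:01Z|10.0.0.9|POST|stats.example.org|/collect|curl/7.71.0|200|300
"""

# Substrings that mark a user agent as a mainstream browser (assumption).
BROWSER_MARKERS = ("Mozilla/", "Chrome/", "Firefox/", "Safari/", "Edg/")


def parse_log(text):
    """Parse the constructed pipe-separated format into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, path, ua, status, nbytes = line.split("|")
        records.append({"ts": ts, "client": client, "method": method,
                        "host": host, "path": path, "ua": ua,
                        "status": int(status), "bytes": int(nbytes)})
    return records


def is_bare_ip(host):
    """True when the Host field is a literal IPv4/IPv6 address, not a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_suspicious_posts(records, min_signals=2):
    """Flag POSTs that look like malware check-ins rather than browsing.

    Signals (each an assumption, none specific to PurpleWave):
      post-to-bare-ip        destination is an IP literal, not a hostname
      non-browser-user-agent UA carries no mainstream browser marker
      post-without-prior-get this client never fetched the host with GET
    A POST is reported only when at least `min_signals` signals fire, so a
    lone telemetry POST or a lone first-contact POST does not page anyone.
    Records are expected in time order, which is how "prior GET" is judged.
    """
    seen_get = defaultdict(set)   # client -> hosts it has fetched with GET
    findings = []
    for r in records:
        if r["method"] == "GET":
            seen_get[r["client"]].add(r["host"])
            continue
        if r["method"] != "POST":
            continue
        reasons = []
        if is_bare_ip(r["host"]):
            reasons.append("post-to-bare-ip")
        if not any(m in r["ua"] for m in BROWSER_MARKERS):
            reasons.append("non-browser-user-agent")
        if r["host"] not in seen_get[r["client"]]:
            reasons.append("post-without-prior-get")
        if len(reasons) >= min_signals:
            findings.append({"client": r["client"], "host": r["host"],
                             "path": r["path"], "bytes": r["bytes"],
                             "reasons": tuple(reasons)})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_posts(parse_log(SAMPLE_LOG)):
        print(f"{f['client']} -> {f['host']}{f['path']} ({f['bytes']} B): "
              + ", ".join(f["reasons"]))
```

On the constructed input only the POST to the bare IP is reported; the curl telemetry POST to stats.example.org trips a single signal and is dropped by the two-signal threshold. In a real investigation you would add the one signal a proxy log cannot give you, the originating process: a POST issued by something other than a browser is the strongest indicator of an infostealer's check-in.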

Like most other features of this spyware, the pop-up can be configured by the threat actor. The default version of the window shows a Windows error in Russian about potentially damaged hardware. Threat actors can change the text on the window to support their disguise, for example to an error about documents or software failing to install.

How to Prevent the PurpleWave Infection

One of the most important things you can do to protect against malicious programs is to avoid downloading and installing software through unofficial websites and installers, third-party downloaders, and peer-to-peer networks such as torrent sites. Always use official channels to get your software and avoid pirated software. Pirated software typically comes bundled with "cracks" that activate it, and more often than not these tools install malware instead of, or along with, doing so. Programs and operating systems should be updated whenever possible, but make sure the updates come from official channels.

Avoid interacting with links and attachments in emails sent from suspicious or unknown addresses. There is a chance that such emails were sent by cybercriminals to spread their malicious programs and lure you into a trap.

Last but not least, keep an antivirus program on your computer. Make sure it is updated regularly with the latest signature databases and detection and removal methods, and run scans regularly to catch infections like PurpleWave before they do damage.

It may be only a few minutes between a PurpleWave infection and its removal, but that is more than enough time for the spyware to hand your accounts to the attackers. Be proactive in preventing spyware infections.
