
Perkiler Malware Description

Threat Overview

Perkiler is a sophisticated piece of malware that also carries rootkit-like features. It usually lands on Windows-based targets as part of the infamous Purple Fox exploit kit, although Perkiler is distributed through phishing campaigns as well. The malware has recently found yet another distribution outlet: exposed ports of the SMB network protocol. Because SMB logins are easily subjected to brute-force attacks, Perkiler is now fully capable of infecting a machine via port 445 and port 139.

The Server Message Block (SMB) network communication protocol allows computers to communicate within the network they are connected to. As a result, users can exchange files, share printers, and use other shared hardware. Since the SMB protocol is an integral part of nearly every corporate network, it is little wonder that cybercrooks have repeatedly taken advantage of its security flaws over the last few years. Several large-scale malware attacks, including the 2017 global WannaCry ransomware outbreak, flourished thanks to SMB-related vulnerabilities.

As it is, Perkiler is the latest piece of malware to exploit SMB's troubled defense mechanisms. To gain access to a targeted system, Perkiler launches a continuous stream of automated brute-force attempts that do not stop until it has guessed the login credentials required to access port 445. Since Perkiler has strong connections to the Purple Fox malware, an educated guess is that Perkiler's executable resides on the same compromised Microsoft IIS 7.5 servers that currently host Purple Fox's payloads.

Post-Infection Behavior

Launched after the first post-infection reboot, the rootkit embedded in the Perkiler malware shields the registry keys and values belonging to the malware from any active antivirus or antimalware software. The rootkit was originally developed by a security analyst to carry out malware-analysis tasks while keeping them hidden from the malware under study.

In parallel with the rootkit, the malware itself starts spreading across the network like a worm right after the first reboot. It generates IP ranges and scans them on port 445. When a host responds to the SMB probe on port 445, Perkiler tries to authenticate to the SMB service, either by brute-forcing the username and password or by establishing a null session. If the brute-force attack succeeds, Perkiler sets up a dedicated IPv6 interface to gain even more ground via unprotected subnets.
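The worm behaviour described above has a network-side signature a defender can look for: one source touching many distinct hosts on ports 445/139 in a short time, unlike a workstation that repeatedly talks to a single file server. The following Python detector is an added example, not code from the original description or from the malware; its key=value flow-log format, addresses and timestamps are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed firewall/flow log, not real traffic; the key=value layout is an
# assumption for this example. 10.0.0.7 sweeps a /24 on 445/139 (worm-like);
# 10.0.0.23 only talks to one file server (normal SMB use).
SAMPLE_LOG = """\
2021-03-24T10:00:01 src=10.0.0.7 dst=10.0.2.1 dport=445 action=deny
2021-03-24T10:00:01 src=10.0.0.7 dst=10.0.2.2 dport=445 action=deny
2021-03-24T10:00:02 src=10.0.0.7 dst=10.0.2.3 dport=445 action=deny
2021-03-24T10:00:02 src=10.0.0.7 dst=10.0.2.4 dport=445 action=allow
2021-03-24T10:00:03 src=10.0.0.7 dst=10.0.2.5 dport=445 action=deny
2021-03-24T10:00:03 src=10.0.0.7 dst=10.0.2.6 dport=139 action=deny
2021-03-24T10:00:04 src=10.0.0.7 dst=10.0.2.9 dport=80 action=allow
2021-03-24T10:00:05 src=10.0.0.23 dst=10.0.1.10 dport=445 action=allow
2021-03-24T10:00:30 src=10.0.0.23 dst=10.0.1.10 dport=445 action=allow
2021-03-24T10:00:31 src=10.0.0.23 dst=10.0.1.10 dport=443 action=allow
2021-03-24T10:00:55 src=10.0.0.23 dst=10.0.1.10 dport=445 action=allow
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")
SMB_PORTS = {445, 139}  # the two ports the worm component probes


def smb_scanners(log_text, min_targets=5, window_seconds=60):
    """Return {src: sorted distinct SMB targets} for every source that reached
    at least `min_targets` distinct hosts on 445/139 inside `window_seconds`."""
    hits = defaultdict(list)  # src -> [(timestamp, dst), ...]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and int(m["dport"]) in SMB_PORTS:
            hits[m["src"]].append((datetime.fromisoformat(m["ts"]), m["dst"]))
    flagged = {}
    for src, events in hits.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):  # sliding time window over sorted events
            while (events[hi][0] - events[lo][0]).total_seconds() > window_seconds:
                lo += 1
            if len({dst for _, dst in events[lo:hi + 1]}) >= min_targets:
                flagged[src] = sorted({dst for _, dst in events})
                break
    return flagged


if __name__ == "__main__":
    for src, targets in smb_scanners(SAMPLE_LOG).items():
        print(f"{src} swept {len(targets)} hosts on SMB ports: {targets}")
```

Tune `min_targets` and `window_seconds` to the network's normal SMB fan-out; on a host, the matching signal is a burst of failed network logons (Windows event ID 4625, logon type 3) from the same source.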

Remediation Options

If you want to reduce the risk of a Perkiler infection on your PC to a minimum, you can choose between two approaches, or combine them. First and foremost, set strong passwords. A password of eight or more random letters and numbers, with one or more special characters thrown in for good measure, should be sufficient to turn any brute-force attack into a dismal failure. Second, disable the SMB protocol if your machine is not part of any home or corporate network. Otherwise, set up a Virtual Private Network (VPN) with multi-factor authentication (MFA) for any SMB or RDP access.
