{
	"id": "5bdae985-4cd0-48f8-b3bf-dadfab28f1c3",
	"created_at": "2026-04-06T00:22:32.321175Z",
	"updated_at": "2026-04-10T03:21:09.08123Z",
	"deleted_at": null,
	"sha1_hash": "a5aff975b52b406ce3a0dda1d2da3c285e8d6238",
	"title": "Perkiler malware turns to SMB brute force to spread",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 43160,
	"plain_text": "Perkiler malware turns to SMB brute force to spread\r\nBy Malwarebytes Labs\r\nPublished: 2021-03-24 · Archived: 2026-04-05 22:22:50 UTC\r\nResearchers at Guardicore have identified a new infection vector being used by the Perkiler malware where internet-facing Windows machines are breached through SMB password brute force.\r\nPerkiler is a complex Windows malware with rootkit components that is dropped by the Purple Fox exploit kit (EK) and was spread by phishing campaigns.\r\nWhat is SMB?\r\nServer Message Block (SMB), aka Common Internet File System (CIFS), is the network protocol that enables file exchanges between Microsoft Windows computers. You will find it wherever Windows computers are sharing printers, files, and sometimes remote control. By default, SMB is configured to use ports 139 and 445.\r\nSMB vulnerability history\r\nSMB has a history of being used by malware (coupled with a history of being enabled by mistake and exposed to the Internet by accident). The most famous example of SMB-exploiting malware is WannaCry. This worm-like outbreak spread via an operation that hunted down vulnerable public-facing SMB ports and then used the EternalBlue exploit to get on the network, chained with the DoublePulsar exploit to establish persistence and allow for the installation of the WannaCry ransomware.\r\nWhat are brute force attacks?\r\nA brute-force password attack is a relentless attempt to guess the username and password of one or more systems. As it sounds, a brute-force attack relies on force rather than cunning or skill: it is the digital equivalent of throwing everything and the kitchen sink at something. Some attacks will try endless combinations of usernames and passwords until finding a combination that works; others will try a small number of usernames and passwords on as many systems as possible.\r\nBrute force attacks are usually automated, so they don’t cost the attacker a lot of time or energy. Certainly not as much as individually trying to figure out how to access a remote system. Based on a port number or another system-specific property, an attacker picks the target and the method and then sets his brute force application in motion. He can then move on to the next target and wait to get notified when one of the systems has swallowed the hook.\r\nhttps://blog.malwarebytes.com/trojans/2021/03/perkiler-malware-turns-to-smb-brute-force-to-spread/\r\nPage 1 of 3\r\nNot a new infection method\r\nThe fact that the researchers found the Perkiler malware attacking Windows machines through SMB password brute force came as something of a surprise. Not because of the SMB brute force per se. SMB has always been brute forced, but why would you bother when you have:\r\nEternalBlue, which allows you to own every single unpatched SMB server without going through the brute force routine.\r\nA few million RDP ports you can brute force with a potentially bigger gain. Remote desktop is exactly what the name implies, an option to remotely control a computer system, which is much more interesting to an attacker than just being able to drop a file on an SMB server.\r\nThe answer to this question remains a mystery for now. Maybe they are planning ahead for when the number of vulnerable RDP servers dries up.\r\nUsing compromised machines\r\nPerkiler uses a large network of compromised servers to host its dropper and the payloads. These servers appear to be compromised Microsoft IIS 7.5 servers. Most of these Windows Servers are running IIS version 7.5 and Microsoft FTP, which are known to have multiple vulnerabilities with varying severity levels.\r\nThe rootkit\r\nOnce a machine is infected with the new variant of Perkiler, it reboots to load the rootkit that’s hidden inside the encrypted payload. The purpose of this rootkit is to hide various registry keys and values, files, etc. Ironically enough, the hidden rootkit was developed by a security researcher to conduct various malware analysis tasks and to keep the research tasks hidden from the malware.\r\nInfected machines\r\nOnce the machine is restarted, the malware will be executed as well. After its execution, the malware will start its propagation process: the malware will generate IP ranges and start scanning them on port 445. When a machine responds to the SMB probe on port 445, it will try to authenticate to SMB by brute-forcing usernames and passwords, or by trying to establish a null session.\r\nOne interesting detail is that the malware will install an IPv6 interface on the infected machine to allow the malware to port scan IPv6 addresses as well as to maximize the efficiency of the spread over (usually unmonitored) IPv6 subnets.\r\nMitigation\r\nIn theory, brute force password attacks conducted over the Internet can be defeated by even moderately strong passwords (six characters should be enough). However, even the threat of big-game ransomware using RDP brute force attacks hasn’t been enough to get people using stronger passwords. And if the prospect of facing a $50 million ransom isn’t enough motivation, it’s hard to see anything else working.\r\nLuckily there are other, easier ways to blunt brute force attacks. The best defence of all is to remove the SMB (or RDP, or anything else) service from the Internet entirely, if possible, or to put it behind a VPN protected by two-factor authentication if it isn’t possible.\r\nSource: https://blog.malwarebytes.com/trojans/2021/03/perkiler-malware-turns-to-smb-brute-force-to-spread/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.malwarebytes.com/trojans/2021/03/perkiler-malware-turns-to-smb-brute-force-to-spread/"
	],
	"report_names": [
		"perkiler-malware-turns-to-smb-brute-force-to-spread"
	],
	"threat_actors": [],
	"ts_created_at": 1775434952,
	"ts_updated_at": 1775791269,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a5aff975b52b406ce3a0dda1d2da3c285e8d6238.pdf",
		"text": "https://archive.orkl.eu/a5aff975b52b406ce3a0dda1d2da3c285e8d6238.txt",
		"img": "https://archive.orkl.eu/a5aff975b52b406ce3a0dda1d2da3c285e8d6238.jpg"
	}
}