Purple Fox Backdoor Identified in Malicious Telegram Installers

Trojanized installers of the Telegram app are being circulated online to distribute the Purple Fox malware.


A new delivery technique for Purple Fox has been discovered. According to a report published jointly by the Minerva Labs research team and MalwareHunterTeam, trojanized installers of the Telegram messaging application are being circulated online to distribute the Purple Fox malware, a Windows rootkit used to install further malicious payloads on compromised devices.

The malicious installer is a compiled AutoIt script named "Telegram Desktop.exe" that drops two files: the legitimate Telegram installer and a malicious downloader. The legitimate Telegram installer dropped alongside the downloader is never executed, which is a useful behavioural tell; the AutoIt program only runs the downloader, TextInputh.exe.

When executed, TextInputh.exe creates a folder named "1640618495" under the C:\Users\Public\Videos\ directory and then connects to the C2 server to download a 7z utility and a RAR archive (1.rar). The archive contains the payload and its configuration files; the 7z utility unpacks it, and among the extracted files is a loader used to reflectively load a malicious DLL.

The next step is the creation of a registry key that gives the malware persistence on the compromised device. Five further files are then dropped into the ProgramData folder; among other functions, they terminate a wide range of antivirus processes before Purple Fox itself is finally executed.
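The two paragraphs above describe a chain that is easy to hunt for if endpoint telemetry (Sysmon-style process, file and registry events) is available: a numeric-named staging folder under C:\Users\Public\Videos\, an archiver launched from that folder, a burst of executables written to ProgramData, and a Run key pointing at them. The following is an added detection example written for this page, not code from Minerva Labs, MalwareHunterTeam or the Purple Fox operators. The event schema (`type`, `image`, `parent_image`, `cwd`, `target`, `key`, `data`), the sample events, and the file names used in them (for example `loader.exe`, `drop1.exe`, `svc.exe`) are constructed assumptions for illustration; only the staging-folder location, the archive name 1.rar and the ProgramData drop count come from the article.

```python
"""Hunt rules for the Purple Fox / trojanized-Telegram dropper chain.

Added example for this page. The event format below is an assumed,
Sysmon-like list of dicts; the sample events are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Windows paths are compared case-insensitively. The patterns encode the
# behaviour described in the article, not vendor-published IOCs.
STAGING_DIR = re.compile(r"^c:\\users\\public\\videos\\\d{6,}(?:\\|$)", re.I)
PROGRAMDATA_EXE = re.compile(r"^c:\\programdata\\[^\\]+\.(?:exe|dll)$", re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(?:once)?\\", re.I)
ARCHIVER = re.compile(r"(?:^|\\)7z[a-z]*\.exe$", re.I)  # 7z.exe, 7za.exe, 7zz.exe, ...


def rule_staging_dir(ev: dict) -> bool:
    """Anything written to, or running from, the numeric folder under Public\\Videos."""
    return any(STAGING_DIR.search(ev.get(k, "")) for k in ("target", "image", "cwd"))


def rule_archive_unpack(ev: dict) -> bool:
    """A 7z binary started with the staging folder as its working directory."""
    return (ev.get("type") == "process"
            and ARCHIVER.search(ev.get("image", "")) is not None
            and STAGING_DIR.search(ev.get("cwd", "")) is not None)


def rule_run_key(ev: dict) -> bool:
    """Run/RunOnce value whose data points into ProgramData or the staging folder."""
    if ev.get("type") != "registry" or not RUN_KEY.search(ev.get("key", "")):
        return False
    data = ev.get("data", "")
    return bool(PROGRAMDATA_EXE.search(data) or STAGING_DIR.search(data))


def rule_programdata_drops(events: List[dict], threshold: int = 5) -> List[int]:
    """Indices of file events where one writer drops >= threshold executables
    directly into ProgramData (the article reports five such files)."""
    by_writer: Dict[str, List[int]] = defaultdict(list)
    for i, ev in enumerate(events):
        if ev.get("type") == "file" and PROGRAMDATA_EXE.search(ev.get("target", "")):
            by_writer[ev.get("image", "").lower()].append(i)
    return sorted(i for idxs in by_writer.values() if len(idxs) >= threshold for i in idxs)


def score_events(events: List[dict]) -> Dict[str, List[int]]:
    """Return {rule_name: [matching event indices]} over an event list."""
    hits: Dict[str, List[int]] = defaultdict(list)
    for i, ev in enumerate(events):
        if rule_staging_dir(ev):
            hits["staging_dir"].append(i)
        if rule_archive_unpack(ev):
            hits["archive_unpack"].append(i)
        if rule_run_key(ev):
            hits["run_key"].append(i)
    drops = rule_programdata_drops(events)
    if drops:
        hits["programdata_drops"] = drops
    return dict(hits)


# Constructed telemetry: the dropper chain (indices 0-10) plus two benign events.
_STAGE = "C:\\Users\\Public\\Videos\\1640618495"
_DL = "C:\\Users\\victim\\AppData\\Local\\Temp\\TextInputh.exe"
SAMPLE_EVENTS = [
    {"type": "process", "image": "C:\\Users\\victim\\Downloads\\Telegram Desktop.exe",
     "parent_image": "C:\\Windows\\explorer.exe", "cwd": "C:\\Users\\victim\\Downloads"},
    {"type": "process", "image": _DL,
     "parent_image": "C:\\Users\\victim\\Downloads\\Telegram Desktop.exe", "cwd": "C:\\Users\\victim\\Downloads"},
    {"type": "file", "image": _DL, "target": _STAGE + "\\1.rar"},
    {"type": "file", "image": _DL, "target": _STAGE + "\\7z.exe"},
    {"type": "process", "image": _STAGE + "\\7z.exe", "parent_image": _DL, "cwd": _STAGE},
] + [
    {"type": "file", "image": _STAGE + "\\loader.exe", "target": f"C:\\ProgramData\\drop{n}.exe"}
    for n in range(1, 6)
] + [
    {"type": "registry", "image": _STAGE + "\\loader.exe",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "data": "C:\\ProgramData\\svc.exe"},
    {"type": "file", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "target": "C:\\Users\\victim\\Downloads\\report.pdf"},
    {"type": "registry", "image": "C:\\Users\\victim\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "data": "C:\\Users\\victim\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"},
]

if __name__ == "__main__":
    for rule, idxs in score_events(SAMPLE_EVENTS).items():
        print(f"{rule:18s} -> events {idxs}")
```

The staging-folder and archiver rules are the most specific and fire on their own; the ProgramData threshold rule will also trip on legitimate installers, so treat it as corroboration rather than a stand-alone alert, and correlate all four on the same host within a short window before paging anyone.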

The Purple Fox Trojan comes in two Windows variants, 32-bit and 64-bit. In March last year, Guardicore Labs uncovered worm capabilities newly integrated into the malware, and thousands of vulnerable servers were hijacked to host Purple Fox payloads.

In October last year, Trend Micro researchers discovered a new backdoor named FoxSocket, believed to extend the malware's existing capabilities. Purple Fox is going to stay on security researchers' radar for a while: it combines worm functionality with a rootkit, employs stealth techniques, and keeps upgrading its backdoors, which is why many teams are tracking its development.

"The beauty of this attack is that every stage is separated to a different file which is useless without the entire file set," the researchers explained. "This helps the attacker protect his files from AV detection."