Fake Telegram Messenger App Hacking PCs with Purple Fox Malware

According to Minerva Labs, a fake Telegram messenger app is being used to infect PCs with Purple Fox malware. Threat actors are distributing a trojanized Telegram installer that, once run, delivers the Purple Fox rootkit to the compromised system.

Researcher Natalie Zargarov from Minerva Labs in a blog post said “This threat actor was able to leave most parts of the attack under the radar by separating the attack into several small files, most of which had very low detection rates by [antivirus] engines, with the final stage leading to Purple Fox rootkit infection.” 

About Purple Fox Malware

Purple Fox was first discovered in 2018. It features rootkit capabilities that let it hide beyond the reach of security solutions and evade detection. In a 2021 report, Guardicore described its worm-like propagation feature, which lets the backdoor spread far more rapidly than a drop-and-run infection would.

Later, in October 2021, TrendMicro reported the discovery of a .NET implant dubbed FoxSocket that is deployed alongside Purple Fox. It uses WebSockets to contact its command-and-control (C2) servers, giving the operators a more robust channel for establishing communications.

TrendMicro researchers said, “The rootkit capabilities of Purple Fox make it more capable of carrying out its objectives in a stealthy manner. They allow Purple Fox to persist on affected systems as well as deliver further payloads to affected systems.”

In December 2021, TrendMicro further revealed that, in the later stages of the Purple Fox infection chain, the malware targets SQL Server databases by inserting a malicious SQL common language runtime (CLR) module. Running inside the database engine gives it persistent and stealthier execution, and it ultimately abuses the SQL servers for illicit cryptocurrency mining.

According to the researchers at Minerva, the new attack chain starts with a Telegram installer file that is in fact an AutoIt script. The script drops a legitimate installer for the chat app and, alongside it, runs a malicious downloader called “TextInputh.exe,” which retrieves the next-stage malware from the C2 server.

Once downloaded, these files block processes associated with various antivirus engines. The final stage then downloads and executes the Purple Fox rootkit from a remote server that has since been shut down.
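The chain above has a recognisable shape on an endpoint: a compiled AutoIt "installer" spawns a child that is not part of the real product, and that child immediately reaches out to the network. The following Python is an added example of two hunting heuristics for that shape; it is not code from Minerva Labs or from the report. The "AU3!EA06" marker is the string compiled AutoIt3 executables carry, but it only says "compiled AutoIt", not "malicious". The installer-to-child allowlist, the Sysmon-style event records, and every path, PID and IP address in them are constructed for the example and are not indicators from the report.

```python
import ntpath
from collections import defaultdict

# Marker present in executables produced by the AutoIt3 compiler (the same
# string many YARA rules match on). Presence means "compiled AutoIt" only.
AUTOIT_MARKER = b"AU3!EA06"


def is_autoit_compiled(data: bytes) -> bool:
    """Cheap triage: does this file body carry the compiled-AutoIt marker?"""
    return AUTOIT_MARKER in data


# Assumed allowlist: for each installer image name, the child image names it is
# expected to launch. Anything else the installer spawns is suspicious.
EXPECTED_CHILDREN = {
    "telegram desktop.exe": {"telegram.exe"},
    "setup.exe": {"app.exe"},
}

# Constructed Sysmon-style events (process create = EID 1, network connect = EID 3).
# Names, PIDs and addresses are invented for this example, not IoCs from the report.
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "pid": 100, "ppid": 1,   "image": r"C:\Users\bob\Downloads\Telegram Desktop.exe"},
    {"type": "ProcessCreate", "pid": 101, "ppid": 100, "image": r"C:\Users\bob\AppData\Local\Temp\Telegram.exe"},
    {"type": "ProcessCreate", "pid": 102, "ppid": 100, "image": r"C:\Users\bob\AppData\Local\Temp\TextInputh.exe"},
    {"type": "NetworkConnect", "pid": 102, "dest": "203.0.113.10:80"},
    {"type": "ProcessCreate", "pid": 200, "ppid": 1,   "image": r"C:\Users\bob\Downloads\Setup.exe"},
    {"type": "ProcessCreate", "pid": 201, "ppid": 200, "image": r"C:\Program Files\App\app.exe"},
    {"type": "NetworkConnect", "pid": 201, "dest": "198.51.100.5:443"},
]


def _name(image: str) -> str:
    # ntpath handles Windows paths correctly even when this runs on Linux.
    return ntpath.basename(image).lower()


def find_installer_downloaders(events, expected=EXPECTED_CHILDREN):
    """Return (installer, child, destinations) for every known installer that
    spawned a child not on its allowlist which then made an outbound connection.
    The benign Setup.exe -> app.exe chain in the sample data is not reported."""
    procs = {}
    children = defaultdict(list)
    connections = defaultdict(list)
    for ev in events:
        if ev["type"] == "ProcessCreate":
            procs[ev["pid"]] = ev
            children[ev["ppid"]].append(ev["pid"])
        elif ev["type"] == "NetworkConnect":
            connections[ev["pid"]].append(ev["dest"])

    hits = []
    for pid, ev in procs.items():
        installer = _name(ev["image"])
        if installer not in expected:
            continue
        for cpid in children[pid]:
            child = _name(procs[cpid]["image"])
            if child in expected[installer] or not connections[cpid]:
                continue
            hits.append((installer, child, list(connections[cpid])))
    return hits


if __name__ == "__main__":
    print(is_autoit_compiled(b"MZ\x90\x00...AU3!EA06..."))
    for hit in find_installer_downloaders(SAMPLE_EVENTS):
        print("installer %s spawned %s which connected to %s" % hit)
```

The marker check belongs in triage, not blocking: plenty of legitimate tools are shipped as compiled AutoIt, so treat a hit as a reason to look at the process tree. The tree rule is the stronger signal, and its allowlist has to be built from what each real installer actually launches in your environment; the sample allowlist is a stand-in.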

Zargarov said, “We found a large number of malicious installers delivering the same Purple Fox rootkit version using the same attack chain. It seems like some were delivered via email, while others we assume were downloaded from phishing websites. The beauty of this attack is that every stage is separated to a different file which is useless without the entire file set.”
