The rogue Telegram installer was found to drop Purple Fox malware, which runs in multiple stages and is therefore very difficult to detect.
According to the Minerva Labs research team, what distinguishes the trojanized Telegram installer from the usual cyber threats is mainly its ability to split its payload into several parts in order to evade antivirus scanners. It also propagates further malicious payloads on infected devices, and once again remains under the radar.
The current attack chain
The latest chain of attacks starts with a file called Telegram Desktop.exe, a compiled AutoIt script (AutoIt is a freeware scripting language used to automate the Windows GUI and for general scripting), delivered in most cases by email or via web download. The AutoIt script then creates a new folder named "text input" under C:\Users\<username>\AppData\Local\Temp and downloads both a genuine Telegram installer (which is not executed) and a malicious downloader, TextInput.exe.
TextInput.exe then runs and pulls the next-stage malware from a command-and-control (C2) server. From there, the attack flow continues as the files block various antivirus engines before reaching the final stage, which downloads and executes the Purple Fox rootkit. In the meantime, the remote server responsible for running Purple Fox shuts down.
Once Purple Fox is running, the infected device reboots and applies the newly installed settings, which disable User Account Control (UAC) and grant administrative rights to the malware. After that, Purple Fox can perform malicious operations such as file search and exfiltration, data deletion, code download and execution, process termination and the like.
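The two behaviours described above (an installer-named process dropping and running an executable from the user's Temp folder that then phones home, and the UAC setting being switched off) are the kind of sequence a defender can look for in endpoint telemetry. The following is an added example written for this article, not code from Minerva Labs or the Purple Fox operators. It runs a small detection over constructed, Sysmon-style event records; the field names ("type", "image", "target", "value") are assumptions for the example, not a real schema, and the EnableLUA registry value is the standard Windows location of the UAC switch.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style telemetry for two hosts. Field names are assumptions
# for this example, not a real log schema.
SAMPLE_EVENTS = [
    {"ts": 1, "host": "ws01", "type": "process_create", "pid": 4001,
     "image": r"C:\Users\alice\Downloads\Telegram Desktop.exe"},
    {"ts": 2, "host": "ws01", "type": "file_create", "pid": 4001,
     "target": r"C:\Users\alice\AppData\Local\Temp\TextInput\TextInput.exe"},
    {"ts": 3, "host": "ws01", "type": "process_create", "pid": 4002,
     "image": r"C:\Users\alice\AppData\Local\Temp\TextInput\TextInput.exe"},
    {"ts": 4, "host": "ws01", "type": "network_connect", "pid": 4002,
     "dest": "203.0.113.10:80"},
    {"ts": 5, "host": "ws01", "type": "registry_set", "pid": 4002,
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "value": "DWORD (0x00000000)"},
    # Benign noise on a second host: a Telegram binary from its normal install
    # directory writes an updater to Temp, but nothing runs it or phones home.
    {"ts": 6, "host": "ws02", "type": "process_create", "pid": 5001,
     "image": r"C:\Users\bob\AppData\Roaming\Telegram Desktop\Telegram.exe"},
    {"ts": 7, "host": "ws02", "type": "file_create", "pid": 5001,
     "target": r"C:\Users\bob\AppData\Local\Temp\tupdate.exe"},
]

TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
ENABLELUA_RE = re.compile(r"\\Policies\\System\\EnableLUA$", re.IGNORECASE)
DWORD_RE = re.compile(r"0x([0-9a-fA-F]+)")


def basename(path):
    """Last path component, lower-cased, of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def dword_is_zero(value):
    """Sysmon renders DWORD values as 'DWORD (0x00000000)'; missing counts as non-zero."""
    m = DWORD_RE.search(value or "")
    return m is not None and int(m.group(1), 16) == 0


def detect(events):
    """Return findings for the dropper chain and for UAC being switched off.

    Chain rule: a process named like the installer writes an .exe into
    %LOCALAPPDATA%\\Temp, that .exe is then executed, and the new process makes
    an outbound connection. UAC rule: any process sets EnableLUA to 0.
    """
    findings = []
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)

    for host, evs in by_host.items():
        image_of = {}   # pid -> image path
        dropped = {}    # lower-cased dropped path -> dropper pid
        stage2 = {}     # pid of an executed dropped file -> (dropper pid, path)
        for e in sorted(evs, key=lambda x: x["ts"]):
            kind = e["type"]
            if kind == "process_create":
                image_of[e["pid"]] = e["image"]
                key = e["image"].lower()
                if key in dropped:                      # step 2: dropped file runs
                    stage2[e["pid"]] = (dropped[key], e["image"])
            elif kind == "file_create":                 # step 1: installer drops .exe
                parent = image_of.get(e["pid"], "")
                target = e["target"]
                if (basename(parent) == "telegram desktop.exe"
                        and TEMP_DIR_RE.search(target)
                        and target.lower().endswith(".exe")):
                    dropped[target.lower()] = e["pid"]
            elif kind == "network_connect" and e["pid"] in stage2:  # step 3: C2
                dropper_pid, path = stage2.pop(e["pid"])
                findings.append({"host": host, "rule": "trojanized_installer_chain",
                                 "dropper_pid": dropper_pid, "stage2": path,
                                 "dest": e["dest"]})
            elif kind == "registry_set":
                if ENABLELUA_RE.search(e["target"]) and dword_is_zero(e.get("value")):
                    findings.append({"host": host, "rule": "uac_disabled",
                                     "pid": e["pid"],
                                     "process": image_of.get(e["pid"], "unknown")})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The chain rule deliberately requires all three steps before it fires, so the second host, where a legitimately located Telegram binary merely writes an updater to Temp, produces nothing; the UAC rule is kept independent because EnableLUA being set to 0 is worth an alert regardless of how the process that did it got there.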
The beauty of this attack is that each phase is broken down into a different file, which is useless without the entire set of files.
According to Minerva Labs researcher Zargarov, a large number of malicious installers have been seen deploying the identical Purple Fox rootkit with the same infection flow. What makes this rootkit even more difficult to detect is that each stage is split into separate files, all of which are completely useless individually without the entire set of files.
More about Purple Fox
Purple Fox was first spotted and described in 2018 as an active Trojan malware campaign targeting Windows devices. This year, the malware infected over 30,000 Windows machines and evaded modern detection mechanisms and security solutions. Initially, Purple Fox's operations spread via exploit kits and phishing emails, but they soon evolved into brute-forcing weak SMB passwords.
In March 2021, Purple Fox was already showing advanced worm-like propagation capabilities that allowed the malware to spread much faster. In October of the same year, Trend Micro discovered new suspicious activity related to Purple Fox: a new backdoor written in .NET that used WebSockets to establish a more secure means of communication. Purple Fox's new rootkit capabilities made it possible "to persist on affected systems and deliver additional payloads to affected systems," as reported by researchers at Trend Micro.
The latest upgrade came in December 2021, when Purple Fox started attacking SQL databases by injecting a malicious SQL Common Language Runtime (CLR) module to carry out even stealthier and more persistent attacks, ultimately abusing SQL servers for illicit cryptocurrency mining.
Reminder to our readers
The Purple Fox rootkit is an intrusive piece of malware that is exceptionally difficult to detect, making it a hot topic in the cybersecurity world. Unfortunately, its full extent remains to be seen. However, one thing is certain: it is extremely dangerous malware with carefully designed mechanisms to cause major damage to your privacy.
Therefore, we would like to remind our readers not to open suspicious emails or files, and especially not to download any software from unknown sources. Always keep your security protection active, and if your antivirus program reports something like "detect Trojan risk", clean your PC immediately.