After steady research, it has been discovered that there are fake Telegram installers online with malicious intent. By distributing a malicious downloader alongside the actual Telegram for the desktop installer, the Purple Fox rootkit is widely spread.
Through joint efforts between Minerva Labs, a cybersecurity team, and MalwareHunterTeam, some shocking discoveries were made. In a report issued this week, they stated that Purple Fox was distributed under a disguised name. It is disguised using the file name, “Telegram Desktop.exe.”
Many users believed that they were installing the popular messaging software only to find their devices affected by the malware. The process of infection is difficult to detect which is an added disadvantage to the users.
The first discovery of Purple Fox was in 2018. The stealthy malware can be planted while evading detection. When it has successfully infected a device, it tends to be quite persistent and is therefore often beyond the reach of many security solutions.
It has spread through multiple means which makes it difficult to know the specific way it will infect a PC. Some of the ways it spreads include; exploitative kits, phishing emails, and other malicious links. In the recent past, however, the methods of distribution have expanded and extended their reach. The malware has now moved to take advantage of vulnerable internet-based systems and SMB services that are exposed. They also use fake installers as a means to gain access to devices.
In the case of the fake Telegram software installer, the malicious design was developed using a compiled script, AutoIt. Essentially, the fake installer drops two files i.e. an actual Telegram installer and a malicious downloader also known as, TextInputh.exe. The legitimate installer is never executed. It is the malicious program that runs the downloader.
When TextInputh.exe is executed, it separates into many small files. Minerva Labs conducted a thorough analysis through which they were able to report that this technique, enables threat actors to be anonymous and continue with their activities unnoticed. A majority of the files are not easily detected. In a series of actions, the files progressively infect the system. The Purple Fox rootkit forms the last stage of infection.
Essentially, the TextInputh.exe. creates a new folder. This folder then connects to a C2 server which acts as the malware’s command and control point. The two created files are downloaded. Then they will be executed which will lead to the unpacking of RAR archives which is a file that is used to load a malicious DLL.
The next step involves the creation of a registry key. This is what makes the persistence of the malware possible. Then five other files are dropped onto the system, specifically into the ProgramData folder. This folder is responsible for several tasks including shutting a wide spectrum of antivirus functions. This is done before Purple Fox is eventually executed.
There are two Windows variants of the Purple Fox malware i.e. 32-bit and 64-bit. Guardicore found out in March last year that there were some new worm capabilities integrated into the malware. This led to multiple servers with vulnerabilities being hijacked. These servers were used to host payloads of Purple Fox.
A new backdoor called FoxSocket had been discovered in October by Trend Micro. It is believed that the backdoor has been newly added to the existing abilities of the malware.
The Purple Fox malware is going to be on the radar of cyber security researchers for a while. It has a unique worm functionality and also contains a rootkit. It also uses stealth and has upgraded backdoors. This makes it worth observing and that is why many are keeping tabs on any developments.
The team also noted that the unique aspect of the attack was seen in the separation of every stage into a different file. The files are codependent meaning that all files need to be present for the malware to work. This is one of the main ways the attackers can go unnoticed and protect files from antivirus detection.