Posted on January 5, 2022 at 7:49 AM
Security researchers at Minerva Labs have revealed that threat actors are distributing a weaponized Telegram Messenger installer that plants the Purple Fox rootkit on Windows systems.
According to the researchers, the campaign has a very low detection rate, even though it follows the familiar pattern of leveraging legitimate software to deliver malware.
“We have often observed threat actors using legitimate software for dropping malicious files,” according to the analysis published by Minerva Labs.
What sets this campaign apart is that the attack is broken into several small files, each of which on its own has a very low detection rate on AV engines, so most of the chain stays under the radar. Only the final phase drops the Purple Fox rootkit.
The Purple Fox malware is delivered in the form of malicious “.msi” packages and was first discovered in 2018 on nearly 2,000 infected Windows servers.
Users’ Personal Data Are At Risk
In the previously known variants, the installer extracts and decrypts the payload from the MSI package. In March last year, researchers at Guardicore described a new variant that added worm-like propagation capabilities, letting it spread to other Windows hosts on its own.
The installer the Minerva Labs researchers analyzed is different: it is a compiled AutoIt script named “Telegram Desktop.exe” that poses as the legitimate messenger installer. The trojanized Telegram installer is only the lure; the rootkit it deploys is what puts users’ data at risk.
Researcher Natalie Zargarov says the team discovered a large number of malicious installers that deliver the same Purple Fox rootkit version using the same attack chain. Some were downloaded from phishing websites, while others reached victims through other delivery channels.
Each of the separated files does nothing on its own; only together do they launch the attack. The threat actors split the chain precisely to avoid detection by security software: once the individual files have passed antivirus checks, they are reassembled on the host into the full infection chain.
Researchers Have Discovered Other Variants Of The Malware
Other variants of the malware have been discovered in the past. In October last year, Trend Micro researchers found a .NET implant called FoxSocket that the threat actor delivered alongside Purple Fox.
“The rootkit capabilities of Purple Fox make it more capable of carrying out its objectives in a stealthier manner,” the researchers stated. These capabilities let Purple Fox stay hidden on compromised systems while delivering further payloads.
And last month, Trend Micro described the later stages of the Purple Fox infection chain. According to the researchers, the malware targets Microsoft SQL Server by planting a malicious Common Language Runtime (CLR) module, which gives it stealthier, persistent execution and lets it abuse the SQL servers for illicit crypto mining.
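A defender reading this will want to know how to find such a module. The following PowerShell script is an added example, not code from the article or from Trend Micro: it queries a SQL Server instance for user-loaded CLR assemblies, the CLR-backed procedures that expose them, and the configuration switches (above all `clr enabled`) that a CLR persistence module depends on. It uses System.Data.SqlClient, which ships with Windows PowerShell, and Windows authentication; the instance and database names are assumptions.

```powershell
# Added example: audit one SQL Server database for user-loaded CLR assemblies
# and for the configuration options that make CLR-based persistence possible.
# Assumptions: instance 'localhost', database 'master', Windows authentication.
function Get-SqlClrFindings {
    param(
        [string]$Instance = 'localhost',   # assumption: adjust to your instance
        [string]$Database = 'master'       # sys.assemblies is per database; run this for each one
    )

    $query = @'
SELECT 'config' AS kind, name AS item, CAST(value_in_use AS nvarchar(10)) AS detail,
       CAST(NULL AS datetime) AS created
FROM sys.configurations
WHERE name IN ('clr enabled', 'clr strict security', 'Ole Automation Procedures', 'xp_cmdshell')
UNION ALL
SELECT 'assembly', a.name, a.permission_set_desc + ' / ' + ISNULL(a.clr_name, ''), a.create_date
FROM sys.assemblies a
WHERE a.is_user_defined = 1
UNION ALL
SELECT 'clr-proc', OBJECT_SCHEMA_NAME(m.object_id) + '.' + OBJECT_NAME(m.object_id),
       m.assembly_class + '.' + m.assembly_method, o.create_date
FROM sys.assembly_modules m
JOIN sys.objects o ON o.object_id = m.object_id;
'@

    $conn = New-Object System.Data.SqlClient.SqlConnection `
        "Server=$Instance;Database=$Database;Integrated Security=True"
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $query
    $table = New-Object System.Data.DataTable
    $conn.Open()
    try     { $table.Load($cmd.ExecuteReader()) }
    finally { $conn.Close() }

    foreach ($row in $table.Rows) {
        # Decide per row whether it deserves analyst attention.
        $flag = switch ($row.kind) {
            'config' {
                if ($row.item -eq 'clr strict security') { $row.detail -eq '0' }  # strict security turned off
                else                                     { $row.detail -eq '1' }  # risky feature turned on
            }
            'assembly' { $row.detail -like 'UNSAFE*' -or $row.detail -like 'EXTERNAL_ACCESS*' }
            'clr-proc' { $true }   # any CLR-backed routine is worth a look on a server that should have none
        }
        [pscustomobject]@{
            Database   = $Database
            Kind       = $row.kind
            Item       = $row.item
            Detail     = $row.detail
            Created    = $row.created
            Suspicious = [bool]$flag
        }
    }
}

# Usage: walk every database on the instance and list only the suspicious rows.
$dbs = @('master', 'msdb')   # assumption: extend with the user databases you care about
$dbs | ForEach-Object { Get-SqlClrFindings -Instance 'localhost' -Database $_ } |
    Where-Object Suspicious | Format-Table -AutoSize
```

An `UNSAFE` assembly with a recent `create_date` on a server that never legitimately used CLR, together with `clr enabled` set to 1, is the pattern to escalate; a miner needs `UNSAFE` (or at least `EXTERNAL_ACCESS`) to reach outside the database engine. Treat `clr strict security` reported as 0 on SQL Server 2017 or later as a weakening someone chose.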
The attack chain starts with the fake Telegram installer, which drops a legitimate Telegram installer (never executed) alongside a separate downloader that retrieves the next-stage malware from the C2 server.
After the initial payload lands, the downloaded files are used to find and terminate processes belonging to various antivirus engines before the chain proceeds to its final stage.
The Malware Infects Both 64- And 32-Bit Operating Systems
The malware collects basic system information, checks which security tools are running on the compromised host, and sends the results to a hardcoded C2.
In the last stage of the attack, Purple Fox itself is downloaded from the C2 as an .msi file containing encrypted shellcode for both 64- and 32-bit operating systems.
Purple Fox also disables User Account Control (UAC) by changing registry settings, then restarts the compromised system so the new settings take effect. With UAC off, every process started by a member of the Administrators group runs with the full administrative token and no consent prompt, so the malware's later stages obtain administrative privileges silently. It uses them to download files, kill processes, execute further payloads, run arbitrary code, search for and delete files, and exfiltrate data.
UAC normally prompts the user before a program installs software or changes system settings, which is why it should always remain enabled on Windows. Microsoft does not treat UAC as a security boundary, so an enabled UAC is a speed bump rather than a guarantee; the practical point is that a UAC that has been switched off is a strong indicator that something is wrong.
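Because the switch lives in the registry, the quickest host check is to read the UAC policy values directly. The script below is an added example, not part of the article or of Minerva's analysis; it compares the three values Windows itself uses for UAC against their secure defaults and flags a host where they have been weakened. That Purple Fox zeroes exactly these values is an assumption drawn from how Windows implements the setting, not a claim about the sample.

```powershell
# Added example: audit the UAC policy values under HKLM and flag a host where
# UAC has been switched off. Defaults shown are those of a stock Windows 10/11 install.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$expected = @{
    EnableLUA                  = 1   # 0 = UAC off entirely; takes effect only after a reboot
    ConsentPromptBehaviorAdmin = 5   # 5 = prompt for non-Windows binaries; 0 = elevate silently
    PromptOnSecureDesktop      = 1   # 1 = prompt on the secure desktop, which malware cannot click through
}

function Test-UacPolicy {
    param([string]$Key = $uacKey)
    $props = Get-ItemProperty -Path $Key -ErrorAction Stop
    foreach ($name in $expected.Keys) {
        $actual = $props.$name          # $null when the value is absent, which also means "default"
        if ($null -eq $actual) { $actual = $expected[$name] }
        [pscustomobject]@{
            Value    = $name
            Expected = $expected[$name]
            Actual   = $actual
            Ok       = ($actual -eq $expected[$name])
        }
    }
}

function Repair-UacPolicy {
    # Restore the defaults. Run only after forensic collection is complete;
    # EnableLUA becomes effective on the next reboot.
    param([string]$Key = $uacKey)
    foreach ($f in (Test-UacPolicy -Key $Key | Where-Object { -not $_.Ok })) {
        Set-ItemProperty -Path $Key -Name $f.Value -Value $f.Expected -Type DWord
    }
}

$results = Test-UacPolicy
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Ok }) {
    Write-Warning "UAC policy has been weakened on $env:COMPUTERNAME; treat this host as possibly compromised."
    # Repair-UacPolicy   # uncomment once evidence has been preserved
}
```

Two caveats for the hunt: `EnableLUA` only takes effect after a restart (which is why the malware reboots the host), so a value of 0 can coexist with a session where UAC still appears active, and an unexpected reboot paired with a zeroed value is the combination to look for. For real-time detection rather than a point-in-time audit, Sysmon event ID 13 (registry value set) scoped to this key catches the write itself.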
It is not yet known exactly how the trojanized installers reached victims, although similar malware campaigns discovered last year were distributed through fake software sites, YouTube videos, and forum spam.
To stay on the safe side, users are advised to download Telegram only from the messenger’s official website, never from third-party sites, and to check an installer’s digital signature before running it.
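The official Telegram Desktop installer is Authenticode-signed, while a compiled AutoIt wrapper that merely carries the real installer inside it will either be unsigned or signed by someone else. The following script is an added example, not from the article or from Minerva Labs; it vets a downloaded file with two independent checks: the Authenticode signature and signer, and a scan for the marker string that compiled AutoIt executables embed. The expected signer subject is an assumption and should be confirmed against a copy fetched from the official site; the AutoIt marker is a widely used heuristic that also fires on legitimate AutoIt programs, so it is a reason to look closer, not a verdict by itself.

```powershell
# Added example: vet a downloaded "Telegram Desktop.exe" before executing it.
# Assumptions: the expected signer prefix below, and the path passed in usage.
function Test-DownloadedInstaller {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [string]$ExpectedSignerPrefix = 'CN=Telegram FZ-LLC'   # assumption: verify against a known-good copy
    )

    # Check 1: Authenticode signature must be Valid and issued to the expected publisher.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    $signatureOk = ($sig.Status -eq 'Valid') -and ($signer -like "$ExpectedSignerPrefix*")

    # Check 2: compiled AutoIt scripts embed the marker "AU3!EA06" in the binary.
    # Decode as ISO-8859-1 so every byte maps to exactly one character and the search is byte-exact.
    $bytes  = [System.IO.File]::ReadAllBytes($Path)
    $text   = [System.Text.Encoding]::GetEncoding('iso-8859-1').GetString($bytes)
    $autoIt = $text.Contains('AU3!EA06')

    [pscustomobject]@{
        File         = $Path
        Sha256       = (Get-FileHash -Path $Path -Algorithm SHA256).Hash   # for threat-intel lookups
        SigStatus    = $sig.Status            # Valid / NotSigned / HashMismatch / ...
        Signer       = $signer
        SignatureOk  = $signatureOk
        AutoItMarker = $autoIt
        Verdict      = if ($signatureOk -and -not $autoIt) { 'signature checks out' } else { 'do not run; inspect' }
    }
}

# Usage (path is an assumption):
Test-DownloadedInstaller -Path "$env:USERPROFILE\Downloads\Telegram Desktop.exe" | Format-List
```

A `HashMismatch` status means the file was modified after signing and is as bad a sign as no signature at all; a `Valid` signature from an unfamiliar publisher is exactly the case the signer comparison exists for, since anyone can buy a code-signing certificate in their own name.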