Posted on March 29, 2022 at 6:42 AM
The Purple Fox malware group has been observed upgrading its malware inventory with a remote access Trojan known as FatalRAT. The threat group has also upgraded its evasion strategies to stay out of sight.
Trend Micro researchers reported that the Trojanized software is packaged as a legitimate-looking application installer and deployed to attack users’ systems. According to the researchers, the installer has been seen in the wild, deceiving users and expanding the group’s operational infrastructure.
The FatalRAT trojan has various features that a threat actor can use remotely. Before the malware is fully deployed on a system, it carries out a series of checks. These include determining the amount of storage space in the system, checking the number of physical CPUs, and looking for the presence of various virtual machine products.
The Trojan Performs Multiple Tasks
The Trend Micro researchers also discovered that the RAT performs various other functions. It is used to load and run the auxiliary modules after checking the specifications of the victim’s systems. The auxiliary modules are designed to provide further assistance for the hackers.
If the RAT identifies particular registry keys, or finds that specified antivirus agents are running, it may make changes to the system.
Apart from having a rootkit module, Purple Fox also supports five different actions. These include intercepting file system calls to evade antivirus engines, copying files, and deleting files from the kernel.
The finding by Trend Micro researchers comes only days after researchers at the cybersecurity firm Avast alerted the public about a new malware campaign in which the Purple Fox hacking module was used.
The Hackers Regularly Update Their Tools With New Software
According to the report, the malware was used as a distribution medium for another botnet called DirtyMoe.
The operators of the Purple Fox botnet are still active. The researchers noted that the actors are constantly updating their tools with new software. They are also making their malware variants more potent, both in attack capability and in the evasion of security tools.
The threat actors have also put in a lot of effort to expand their arsenal of signed tools, using customized signed kernel drivers to evade antivirus detection techniques.
“Users’ machines are targeted via trojanized software packages masquerading as legitimate application installers,” according to Trend Micro researchers. The latest development also comes after researchers from Minerva Labs revealed that some threat groups are using a similar method, distributing a backdoor through fraudulent Telegram applications.
They have also used other disguised software installers, which include Google Chrome, WhatsApp, and Adobe Flash Player.
The Packages Are Used As First-Stage Loaders
The researchers at Trend Micro also noted that the packages are used as a first-stage loader. The infection sequence leads to the deployment of a second-stage payload from the C2 server. This results in the execution of a binary that has features similar to those of the FatalRAT trojan.
FatalRAT is a recently discovered C++-based implant designed for running commands and exfiltrating vital information to a remote server. The threat actors responsible for the malware keep updating the trojan with new features to make it more dangerous and potent against targets.
The FatalRAT trojan was discovered by AT&T Labs in its threat analysis system in August last year.
The malware appeared to be distributed through Telegram channels and forums. It is hidden in download links as the threat actors try to deceive targets using media or software articles.
The Trojan Can Be Altered Further By Threat Actors
Based on the analyzed samples of the malware, it is capable of carrying out several actions, including logging user keystrokes, obtaining system persistence, performing defense evasion techniques, collecting system information, and sending collected information to the command and control servers of the threat actor. The Trend Micro researchers also stated that the malware can still be altered by threat actors for a different hacking objective.
One of the reasons why the trojan has been deemed very dangerous is the speed at which it can be updated or altered to achieve a different attacking goal.
As a result, researchers have put out information about the malware and its modus operandi. This will enable individuals and organizations to understand how best to protect their systems against the menace of the new malware.