‘Fake Telegram Messenger Apps are Hacking PCs with Purple Fox Malware’

Introduction

Trojanized installers for the Telegram messaging app are being used to deploy the Windows-based Purple Fox backdoor onto compromised systems. That is according to new research published by Minerva Labs, which describes the attack as different from the usual intrusions that abuse legitimate software to launch malicious payloads.

The installer is a compiled AutoIt script that drops two files: the genuine Telegram installer and a malicious downloader. The bundled legitimate installer is never executed, so the only program that actually runs is the malicious downloader. Once executed, it creates its working folders and connects to the C2 servers to download archived files.

The Purple Fox files also managed to block processes belonging to antivirus engines before they could be detected. A large number of malicious installers deliver the rootkit using the same attack chain; some of them may be delivered via email and phishing websites. The attack is split into a set of stages, and each file is useless without the entire set. Researchers say that this is the “beauty of this attack.”


How does the Purple Fox malware deployment take place?

The attack is split across several files that only function once they are all present on the same machine. By breaking the payload up in this way, the actor behind the campaign keeps the individual files from being flagged by antivirus software. Only when every file required for the attack has reached a single system does the Purple Fox rootkit infection begin. In the first stage, the code in the malicious file creates a new folder named “TextInputh” under “C:\Users\Username\AppData\Local\Temp\” on the infected device, which contains two executable files.

The next stage uses this folder to create a second folder named “164061849” under “C:\Users\Public\Videos\” and downloads the remaining files required for the attack. After a few more steps, the files created on the system block the 360 AV processes from starting, acting from kernel space, and allow the Purple Fox rootkit to be deployed.


Purple Fox malware is coming out with new functionalities

This particular malware has been known since 2018, and each year the infection has resurfaced with new attacks and new functionality. It gained rootkit capabilities and managed to infect machines silently while evading detection by security tools. In 2021, reports described new worm-like features that allowed the backdoor to spread across machines more rapidly.

Later in 2021, Trend Micro researchers revealed an implant named FoxSocket, deployed alongside Purple Fox, that used WebSockets to contact its C2 servers as a more secure means of communication.

At the end of the year, the later stages of the infection chain were analyzed. The malware targeted SQL databases by inserting a malicious SQL CLR (common language runtime) module. In this way the malware achieved persistence and execution, which it used to abuse the SQL servers for cryptocurrency mining.


Yet another Telegram app abuse

Attackers often abuse applications, and especially tend to target messaging, social media, and cryptocurrency apps. These hold many details that can be stolen: personal information that, once obtained by attackers, can be sold for large sums or used in later scams and campaigns. Telegram applications have been used in various campaigns.

The Telegram handle Smokes Night was used to spread the Echelon info stealer, which focused on credentials for cryptocurrency wallet accounts. The sample was posted on a cryptocurrency-focused Telegram channel back in October 2021. The malware targeted file-sharing and messaging apps such as Discord, Edge, FileZilla, OpenVPN, Outlook, and Telegram itself.


How to Protect Yourself from a Purple Fox Attack

Observe the Indicators of Compromise (IoC)

Investing in data forensics and reviewing the publicly available indicators of compromise can be the first step in mitigating a Purple Fox attack.

Patch the Worm

Purple Fox has a unique attribute: it also targets old vulnerabilities for which patches already exist. Therefore, it is imperative to threat-hunt your environment to weed out prior infections.
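The folder paths the article gives for the two stages (“TextInputh” under the user's local Temp directory and “164061849” under C:\Users\Public\Videos) are directly usable indicators for the threat hunt recommended here and under “Observe the Indicators of Compromise” above. The following Python script is an added example, not code from Minerva Labs or from the article: it classifies file paths taken from an inventory export or a directory walk against those two folders, tolerating differences in drive letter, user name, slashes and letter case, and reports whether both stages were seen on a host. The sample paths and file names are constructed placeholders, and the stage tags, function names and the `scan_tree` helper are assumptions of this example.

```python
r"""Hunt for the Purple Fox staging folders described in the article.

Added example, not code from Minerva Labs or from the malware. It checks
file paths (e.g. an EDR file-inventory export or a walk of each user profile)
for the two staging folders the article names:

  * <profile>\AppData\Local\Temp\TextInputh\   (stage 1, two executables)
  * C:\Users\Public\Videos\164061849\          (stage 2, downloaded files)

The sample paths and file names below are constructed for illustration.
"""
import os
import re
from typing import Iterable, Optional

# Folder names come from the article; the drive letter, user name and
# slash/case handling are normalisation assumptions made in this example.
STAGE1_TEXTINPUTH = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\textinputh(\\|$)", re.I)
STAGE2_VIDEOS_DIR = re.compile(
    r"^[a-z]:\\users\\public\\videos\\164061849(\\|$)", re.I)

STAGES = (
    ("stage1_TextInputh", STAGE1_TEXTINPUTH),
    ("stage2_164061849", STAGE2_VIDEOS_DIR),
)


def classify(path: str) -> Optional[str]:
    r"""Return the stage tag a path belongs to, or None if it is unrelated.

    Forward slashes are accepted and matching is case-insensitive because
    inventory exports rarely agree on either. The trailing (\\|$) in the
    patterns keeps a near miss such as '...\TextInputhelper\' from matching.
    """
    norm = path.strip().replace("/", "\\")
    for tag, pattern in STAGES:
        if pattern.match(norm):
            return tag
    return None


def hunt(paths: Iterable[str]) -> list:
    """Return (stage_tag, path) for every path that sits in a staging folder."""
    return [(tag, p) for p in paths if (tag := classify(p)) is not None]


def summarize(hits) -> dict:
    """Report which stages were seen; both present suggests the chain ran."""
    seen = {tag for tag, _ in hits}
    result = {tag: (tag in seen) for tag, _ in STAGES}
    result["full_chain"] = all(result[tag] for tag, _ in STAGES)
    return result


def scan_tree(root: str) -> list:
    """Walk a directory tree (e.g. C:\\Users) and hunt over every path found."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        found.append(dirpath)
        found.extend(os.path.join(dirpath, f) for f in filenames)
    return hunt(found)


# Constructed sample inventory: file names are placeholders, not real IoCs.
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Local\Temp\TextInputh\first.exe",
    r"C:\Users\alice\AppData\Local\Temp\TextInputh\second.exe",
    "c:/users/bob/appdata/local/temp/textinputh",  # odd casing, forward slashes
    r"C:\Users\Public\Videos\164061849\archive.rar",
    r"C:\Users\alice\AppData\Local\Temp\TextInputhelper\x.exe",  # near miss
    r"C:\Users\Public\Videos\1640618490\notes.txt",              # near miss
    r"C:\Users\Public\Videos\holiday.mp4",
]

if __name__ == "__main__":
    hits = hunt(SAMPLE_PATHS)
    for tag, p in hits:
        print(f"{tag:20} {p}")
    print(summarize(hits))
```

Run `scan_tree(r"C:\Users")` on a host, or feed `hunt` the path column of an EDR file-inventory export, and treat a `full_chain` result as a strong signal that the downloader ran to completion. A stage-1 hit on its own is still worth investigating, since the article notes the chain only succeeds once every file is present, so a lone TextInputh folder may mean the later download was blocked.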

Conduct a Security and IT Audit

Conducting security audits is a straightforward way to identify weaknesses and close potential loopholes in security systems.

Employ Principle of Least Privilege (POLP)

To protect corporate networks, implement the principle of least privilege by restricting permissions. It is best practice to limit the use of tools that should be reserved for IT and system administrators.