Trojanized installers for the Telegram messaging application are being used to distribute the Windows-based Purple Fox backdoor onto compromised systems.
That's according to new research published by Minerva Labs, which describes the attack as different from the usual pattern of intrusions that abuse legitimate software to drop malicious payloads.
"This threat actor was able to keep most parts of the attack under the radar by breaking the attack down into several small files, most of which had very low detection rates per [antivirus] engines, with the final step leading to infection with the Purple Fox rootkit," researcher Natalie Zargarov noted.
First discovered in 2018, Purple Fox comes bundled with rootkit capabilities that allow the malware to be planted beyond the reach of security solutions and evade detection. A March 2021 report from Guardicore detailed its worm-like propagation feature, which allows the backdoor to spread more quickly.
Then in October 2021, Trend Micro researchers discovered a .NET implant dubbed FoxSocket, deployed alongside Purple Fox, that uses WebSockets to contact its command-and-control (C2) servers as a more secure means of establishing communications.
“The capabilities of the Purple Fox rootkit make it more capable of accomplishing its goals in a more discreet manner,” the researchers noted. “They allow Purple Fox to persist on affected systems and deliver additional payloads to affected systems.”
Last but not least, in December 2021, Trend Micro also shed light on the later stages of the Purple Fox infection chain, which target SQL databases by inserting a malicious SQL common language runtime (CLR) module to achieve more persistent and stealthier execution, and ultimately abuse SQL servers for illicit cryptocurrency mining.
The new attack chain observed by Minerva begins with a Telegram installer file: an AutoIt script that drops a legitimate installer for the chat app together with a malicious downloader called "TextInputh.exe", the latter of which is executed to retrieve the next-stage malware from the C2 server.
Subsequently, the downloaded files block the processes associated with various antivirus engines, before moving on to the final stage, which results in the download and execution of the Purple Fox rootkit from a remote server that has since been taken offline.
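The chain described above lends itself to a simple process-lineage detection: a process whose image name is "TextInputh.exe", spawned beneath something that presents itself as a Telegram installer, and then making an outbound connection. The following is an added example written for this page, not code from Minerva Labs or from the Purple Fox write-ups. The event records are constructed for illustration; the field layout (event 1 = process creation, event 3 = network connection) loosely mirrors Sysmon but is an assumption, as are the installer path, the temp-folder path and the destination address (203.0.113.10 is a documentation-range address, not a real C2).

```python
"""Toy detection for the Telegram-installer -> TextInputh.exe -> C2 chain.

Added example, not part of the original article or of any vendor tooling.
Event records below are constructed; the only names taken from the article
are "TextInputh.exe" and the Telegram lure.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

@dataclass(frozen=True)
class Event:
    event_id: int        # 1 = process creation, 3 = outbound network connection (assumed layout)
    pid: int
    ppid: int
    image: str           # image path of the process
    dest: str = ""       # destination host, only meaningful for event_id == 3

DOWNLOADER_NAME = "textinputh.exe"   # second-stage downloader named in the Minerva research
INSTALLER_HINT = "telegram"          # the lure is a Telegram installer

def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def telegram_ancestor(pid: int, procs: Dict[int, Event], max_depth: int = 8) -> Optional[Event]:
    """Walk the parent chain of `pid` and return the first ancestor whose
    image name mentions Telegram, or None. Depth-limited to survive pid reuse cycles."""
    cur = procs.get(pid)
    for _ in range(max_depth):
        if cur is None:
            return None
        parent = procs.get(cur.ppid)
        if parent is None:
            return None
        if INSTALLER_HINT in basename(parent.image):
            return parent
        cur = parent
    return None

def find_purplefox_chain(events: Iterable[Event]) -> List[dict]:
    """Return one finding per TextInputh.exe process that descends from a
    Telegram-named process. Severity is raised to 'high' when that process
    also made an outbound connection (the next-stage fetch from the C2)."""
    events = list(events)
    procs = {e.pid: e for e in events if e.event_id == 1}
    net: Dict[int, List[str]] = {}
    for e in events:
        if e.event_id == 3:
            net.setdefault(e.pid, []).append(e.dest)

    findings = []
    for proc in procs.values():
        if basename(proc.image) != DOWNLOADER_NAME:
            continue
        lure = telegram_ancestor(proc.pid, procs)
        if lure is None:
            continue
        dests = net.get(proc.pid, [])
        findings.append({
            "installer": lure.image,
            "downloader_pid": proc.pid,
            "destinations": dests,
            "severity": "high" if dests else "medium",
        })
    return findings

# Constructed sample telemetry: one malicious chain and one benign install.
SAMPLE_EVENTS = [
    Event(1, 50, 4, r"C:\Windows\explorer.exe"),
    # trojanised lure (constructed path/name): AutoIt-compiled "installer"
    Event(1, 100, 50, r"C:\Users\alice\Downloads\Telegram Desktop.exe"),
    # the dropped legitimate installer keeps the victim unsuspecting
    Event(1, 102, 100, r"C:\Users\alice\AppData\Local\Temp\tsetup.exe"),
    # the dropped downloader, then its connection to the (constructed) C2
    Event(1, 101, 100, r"C:\Users\alice\AppData\Local\Temp\TextInputh.exe"),
    Event(3, 101, 100, r"C:\Users\alice\AppData\Local\Temp\TextInputh.exe", dest="203.0.113.10"),
    # benign: a genuine install that only launches the chat client
    Event(1, 200, 50, r"C:\Users\bob\Downloads\Telegram Setup.exe"),
    Event(1, 201, 200, r"C:\Users\bob\AppData\Roaming\Telegram Desktop\Telegram.exe"),
]

if __name__ == "__main__":
    for f in find_purplefox_chain(SAMPLE_EVENTS):
        print(f)
```

Run as-is it reports a single "high" finding for pid 101 and stays silent on the benign install; in practice the lineage check is what keeps this from firing on every download named after Telegram, and the network event is what separates a dropped-but-inert file from one that has already fetched the next stage.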
"We found a large number of malicious installers delivering the same version of the Purple Fox rootkit using the same attack chain," Zargarov said. "It appears that some were sent via email, while others, we assume, were downloaded from phishing websites. The beauty of this attack is that each step is separated into a different file, which is useless without the full set of files."