Installers for the Telegram chat software have been compromised in order to spread the Windows-based Purple Fox backdoor.
Research published by Minerva Labs reveals that the attack succeeds because the attacker split it into many small files, most of which had low detection rates across antivirus engines, which helped the attack stay undetected. The ultimate goal was to deploy the Purple Fox rootkit on the compromised systems.
Originally discovered in 2018, Purple Fox has rootkit characteristics that allow it to evade detection and remain under the radar of most antivirus software. Its worm-like propagation capability enables the backdoor to spread more quickly.
Another malicious feature that extends the infection's capabilities is the FoxSocket .NET implant, which uses WebSockets to communicate securely with its command and control (C2) servers.
According to the experts, Purple Fox's rootkit capabilities allow it to operate more covertly and accomplish its goals more quickly. They also enable Purple Fox to persist on vulnerable systems and to deliver additional payloads to them.
A report by Trend Micro published in December 2021 describes how the Purple Fox infection chain targets SQL databases with the help of a malicious SQL common language runtime (CLR) module, which allows the infection chain to remain undetected for longer and ultimately abuse SQL servers for illicit cryptocurrency mining.
The new report by Minerva describes an attack chain that begins with a Telegram installer file and ends with a malicious downloader dubbed "TextInputh.exe", which downloads additional malware from the C2 server using an AutoIt script.
The downloaded files then block processes associated with various antivirus engines, and afterwards download and execute the Purple Fox rootkit from a remote server that is no longer operational.
The researchers report that they have detected many malware installers that used the same attack chain to deploy the same Purple Fox rootkit version; some of these were delivered by email, while others were downloaded from phishing websites. What is noteworthy about this particular attack is that each stage is contained in a separate file, which is practically useless, and undetectable, without the entire file set, and that is precisely what makes the attack so effective.