Purple Fox backdoor spreads through fake Telegram App installer

Threat actors are spreading the Purple Fox backdoor using tainted installers of the Telegram messaging application.

Threat actors are using weaponized installers of the Telegram messaging application to deliver the Purple Fox backdoor on Windows systems.

Researchers from Minerva Labs pointed out that this campaign, unlike similar ones leveraging legitimate software to deliver malware, has a very low detection rate. The investigation into the campaign started with the discovery of a weaponized installer made by MalwareHunterTeam:

“We have often observed threat actors using legitimate software for dropping malicious files. This time however is different. This threat actor was able to leave most parts of the attack under the radar by separating the attack into several small files, most of which had very low detection rates by AV engines, with the final stage leading to Purple Fox rootkit infection.” reads the analysis published by Minerva Labs.

The Purple Fox malware was first discovered in March 2018, it is distributed in the form of malicious “.msi” packages that were found by the experts on nearly 2,000 compromised Windows servers. The installer will extract the payloads and decrypt them from within the MSI package. In March 2021, researchers from Guardicore have spotted a new variant of the Purple Fox Windows malware that implements worm-like propagation capabilities.

The installer analyzed by Minerva Labs researchers is a compiled AutoIt (a freeware BASIC-like scripting language designed for automating Windows GUI and general scripting) script named “Telegram Desktop.exe.” 

Upon executing the script, it creates a new folder named “TextInputh” under C:\Users\Username\AppData\Local\Temp\ and drops a legitimate Telegram installer and a malicious downloader (TextInputh.exe). 

When executed, TextInputh.exe creates a folder named “1640618495” under the C:\Users\Public\Videos\ directory, then downloads the following files from the C2 to the newly created folder:  

1. 1.rar – which contains the files for the next stage. 7zz.exe – a legitimate 7z archiver.
2. The 7zz.exe is used to unarchive 1.rar, which contains the following files:

Then the TextInputh.exe performs the following actions:

• Copies 360.tct with “360.dll” name, rundll3222.exe, and svchost.txt to the ProgramData folder
• Executes ojbk.exe with the “ojbk.exe -a” command line
• Deletes 1.rar and 7zz.exe and exits the ojbk.exe process

“When executed with the “-a” argument, this file is only used to reflectively load the malicious 360.dll file” continues the analysis.

The attack chain continues by dropping five more files into the ProgramData folder: 

• Calldriver.exe – this file is used to shut down and block initiation of 360 AV
• Driver.sys – after this file is dropped, a new system driver service named “Driver” is created and started on the infected PC and bmd.txt is created in the ProgramData folder

• dll.dll – executed after UAC bypass. T
• kill.bat – a batch script which is executed after the file drop ends.
• speedmem2.hg – SQLite file

The above files are used block the initiation of 360 AV processes and prevent the detection of final payloads, the Purple Fox backdoor.

Then the malware gathers basic system information, checks for any security tools running on the compromises system, and sends them to a hardcoded C2.

In the final phase, Purple Fox is downloaded from the C2 as an .msi file that contains encrypted shellcode for both 32 and 64-bit systems.

Purple Fox disable UAC to perform a broad range of malicious activities such as killing processes, and downloading and executing additional payloads.

“We found a large number of malicious installers delivering the same Purple Fox rootkit version using the same attack chain. It seems like some were delivered via email, while others we assume were downloaded from phishing websites. The beauty of this attack is that every stage is separated to a different file which are useless without the entire file set. This helps the attacker protect his files from AV detection.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Purple Fox backdoor)

[adrotate banner=”5″]

[adrotate banner=”13″]