"Attackers Used Malicious Telegram Installer to Distribute Purple Fox Rootkit"

In collaboration with MalwareHunterTeam, Minerva Labs analyzed a malicious Telegram installer that threat actors are using to infect victims with the Purple Fox rootkit. The researchers found that the malicious installer, Telegram Desktop.exe, is a compiled AutoIt script that creates a new folder and drops into it both a legitimate Telegram installer and a malicious downloader. When executed, the downloader contacts a command-and-control (C2) server and retrieves two files into a new folder. One of those files contains another executable that reflectively loads a Dynamic Link Library (DLL), and the chain then uses further dropped files to shut down antivirus processes. The malware then collects basic system information, such as the hostname and CPU, and reports it to the C2 server. The attack concludes by downloading and running the Purple Fox rootkit. Further analysis showed that the same malicious installers were reaching victims by email and, likely, through phishing websites.

The Purple Fox rootkit also made headlines in September 2019, when researchers discovered the RIG exploit kit spreading a Purple Fox variant by redirecting visitors to a malicious PowerShell command that installs the rootkit. In 2021, researchers at Guardicore Labs found an active malware campaign targeting Windows machines that differed from previous Purple Fox operations because it used neither phishing emails nor exploit kits. Instead, it brute-forced SMB passwords, which allowed the rootkit to propagate as a worm across Internet-facing Windows machines. This article continues to discuss the use of a malicious Telegram installer to distribute the Purple Fox rootkit, other recent attacks involving Purple Fox, and how organizations can defend against Purple Fox attack attempts.
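The practical lesson of the dropper described above is that a file named like the vendor's installer is not the vendor's installer. The PowerShell function below is an added example written for this summary, not code from Minerva Labs' report or from Telegram; it applies two checks a responder can run on a suspicious download before anyone double-clicks it: whether the file carries a valid Authenticode signature from the expected publisher, and whether it contains the resource marker that compiled AutoIt v3 executables embed. The expected signer string `Telegram FZ-LLC` and the sample path are assumptions for illustration; confirm the signer against a known-good installer obtained from telegram.org before relying on it.

```powershell
function Test-TelegramInstaller {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path,

        # Publisher expected on the genuine installer. Assumption: verify this
        # against a known-good copy before using it as a detection rule.
        [string]$ExpectedSigner = 'Telegram FZ-LLC'
    )

    $findings = New-Object System.Collections.Generic.List[string]

    # Check 1: Authenticode. The campaign's dropper was a repackaged binary,
    # so an unsigned or foreign-signed "installer" is the first red flag.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        $findings.Add("Authenticode status is '$($sig.Status)', expected 'Valid'")
    }
    elseif ($sig.SignerCertificate.Subject -notlike "*$ExpectedSigner*") {
        $findings.Add("Signed by '$($sig.SignerCertificate.Subject)', not by '$ExpectedSigner'")
    }

    # Check 2: compiled-AutoIt marker. Executables built with Aut2Exe embed
    # their script resource behind the header string "AU3!EA06"; a genuine
    # Telegram installer has no reason to contain it. The file is read through
    # a 1:1 byte-to-char encoding so the search is a plain substring match.
    $bytes  = [System.IO.File]::ReadAllBytes($Path)
    $latin1 = [System.Text.Encoding]::GetEncoding(28591)
    $blob   = $latin1.GetString($bytes)
    if ($blob.IndexOf('AU3!EA06', [System.StringComparison]::Ordinal) -ge 0) {
        $findings.Add('Contains the compiled-AutoIt script marker AU3!EA06')
    }

    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

    [pscustomobject]@{
        Path     = $Path
        SHA256   = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        Signer   = $signer
        Suspect  = ($findings.Count -gt 0)
        Findings = $findings
    }
}

# Usage on a downloaded file (hypothetical path):
Test-TelegramInstaller -Path 'C:\Users\Public\Downloads\Telegram Desktop.exe' | Format-List
```

Either finding alone is enough to quarantine the file and pull the SHA256 into a hunt across the fleet; note that the AutoIt marker is a heuristic, since legitimate AutoIt-built tools exist, and that a valid signature from the wrong publisher is still a failure, which is why the signer subject is compared rather than only `Status`.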

Security Intelligence reports "Attackers Used Malicious Telegram Installer to Distribute Purple Fox Rootkit"
