Several malicious Telegram installers were observed dropping the same Purple Fox rootkit version using the same attack methods, including email distribution and phishing websites.
Antivirus Engines Fooled By The Purple Fox Rootkit
Most antivirus solutions can’t detect this malicious Telegram instant-messaging app installer that carries the Purple Fox malware. The trick is splitting the attack into small pieces, each of which goes undetected on its own.
In a Monday post, Minerva Labs wrote that the attack circumvents controls of powerful AV products, such as Avira, ESET, Kaspersky, McAfee, Panda, Trend Micro, and many others.
“We have often observed threat actors using legitimate software for dropping malicious files,” analysts wrote. “This time however is different. This threat actor was able to leave most parts of the attack under the radar by separating the attack into several small files, most of which had very low detection rates by AV engines, with the final stage leading to Purple Fox rootkit infection.”
The poisoned installer masquerades as a harmless Telegram installer, bearing its familiar icon. The installer creates a new folder named “TextInputh” under C:\Users\Username\AppData\Local\Temp\. It drops two files into the folder: an actual Telegram installer (that never gets executed), and a malicious downloader, TextInputh.exe.
TextInputh.exe then creates a new folder named “1640618495” under the C:\Users\Public\Videos\ directory. Next, the executable contacts a command-and-control (C2) server – one that was already down at the time of investigation – and downloads a legitimate 7z archiver and a RAR archive (1.rar) into that new folder.
The 1.rar archive contains the payload and the configuration files, as shown in the image below. The 7z program unpacks everything into the ProgramData folder.
TextInputh.exe then performs the following actions on compromised devices:
- Copies 360.tct (renamed to “360.dll”), rundll3222.exe and svchost.txt to the ProgramData folder
- Executes ojbk.exe with the “ojbk.exe -a” command line
- Deletes 1.rar and 7zz.exe, then exits
In the next stage, a registry key is created for persistence, a DLL (rundll3222.dll) disables Microsoft’s User Account Control (UAC) protections that would otherwise hinder the malware, the payload (svchost.txt) is executed, and the following five additional files are dropped onto the affected machine:
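For defenders, the dropper chain above leaves a recognizable set of file and process names on disk. The following PowerShell hunt is an added example, not code from the article or from Minerva Labs’ report; it only reads, never deletes. The paths are the ones the article names, except the location of ojbk.exe, which is assumed to be ProgramData because the article says the archive is unpacked there.

```powershell
# Added example (not from the article or Minerva Labs): read-only hunt for the
# file and process artifacts described in the report. Run elevated so that every
# profile under C:\Users is readable.
$findings = @()

# Dropper folder: the article gives C:\Users\<Username>\AppData\Local\Temp\TextInputh,
# so check the Temp folder of every profile rather than only the current user's.
foreach ($userDir in Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
    $p = Join-Path $userDir.FullName 'AppData\Local\Temp\TextInputh'
    if (Test-Path -LiteralPath $p) { $findings += $p }
}

# Staging folder under Public\Videos and the files placed in ProgramData.
$fixedPaths = @(
    'C:\Users\Public\Videos\1640618495',
    (Join-Path $env:ProgramData '360.dll'),        # 360.tct copied as 360.dll
    (Join-Path $env:ProgramData 'rundll3222.exe'),
    (Join-Path $env:ProgramData 'svchost.txt'),    # the payload
    (Join-Path $env:ProgramData 'ojbk.exe')        # assumed location (archive unpacked to ProgramData)
)
foreach ($p in $fixedPaths) {
    if (Test-Path -LiteralPath $p) { $findings += $p }
}

# Running processes named after the dropper or the tools it launches.
foreach ($name in 'TextInputh', 'ojbk', 'rundll3222') {
    Get-Process -Name $name -ErrorAction SilentlyContinue | ForEach-Object {
        $findings += "process $($_.ProcessName) (PID $($_.Id)) $($_.Path)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No artifacts from the Purple Fox installer chain were found.'
} else {
    Write-Output 'Artifacts found (preserve for forensics before remediating):'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Absence of these artifacts does not clear a host, since the report notes the dropper deletes 1.rar and 7zz.exe after use and later stages may rename files; treat a hit as a trigger for full triage of the machine.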
Small Files Cluster-Block 360 AV
The five undetectable files “work together to shut down and block the initiation of 360 AV processes from the kernel space, thus allowing the next stage attack tools (Purple Fox rootkit, in our case) to run without being detected,” the report said.
“The beauty of this attack is that every stage is separated to a different file which is useless without the entire file set,” according to the post. “This helps the attacker protect his files from AV detection.”
After blocking 360 AV, the malware collects a significant amount of system information, checks whether any of a long list of security controls is running, and, lastly, sends all the data to a hardcoded C2 address.
Here’s the information that Purple Fox is going for:
- CPU – by reading the ~MHz value under the HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 registry key
- Memory status
- Drive Type
- Processor Type – by calling GetNativeSystemInfo and checking the value of wProcessorArchitecture
The Purple Fox Rootkit
The malware was first spotted in 2018, and, up until March 2021, it required user interaction or a third-party tool to compromise Windows devices. However, since last spring, its operators improved the malware with the ability to infect victims’ machines on its own. Simultaneously, Purple Fox was outfitted with a rootkit that enabled it to avoid detection and establish persistence.
“We found a large number of malicious installers delivering the same Purple Fox rootkit version using the same attack chain. It seems like some were delivered via email, while others we assume were downloaded from phishing websites,” Minerva Labs’ report said.