Purple Fox rootkit discovered in malicious Telegram installers

Slicing up files allows the malware to stay under the radar.
Written by Charlie Osborne, Contributing Writer

Researchers have warned that the Purple Fox rootkit is now being distributed through malicious, fake Telegram installers online. 

This week, the Minerva Labs cybersecurity team, working with MalwareHunterTeam, said that Purple Fox is being disguised through a file named "Telegram Desktop.exe." Those that believe they are installing the popular messaging service are, instead, becoming laden with the malware -- and the infection process has made it more difficult to detect. 

First discovered in 2018, Purple Fox has been spread through a variety of means, including phishing emails, malicious links, and exploit kits. However, in the past few years, distribution methods have expanded to include compromising vulnerable internet-facing services, exposed SMB services, and fake installers. 

The malicious Telegram installer has been developed as a compiled AutoIt script. Upon execution, a legitimate Telegram installer is dropped – but never used – together with a malicious downloader called TextInputh.exe. 

The attack is then separated into several small files, a technique that Minerva says allowed the threat actor to stay under the radar – and most of the files "had very low detection rates by AV engines, with the final stage leading to Purple Fox rootkit infection."

TextInputh.exe creates a new folder and connects to the malware's command-and-control (C2) server. Two new files are then downloaded and executed: one unpacks .RAR archives, and the other is used to reflectively load a malicious DLL.

A registry key is created to enable persistence on an infected machine, and five further files are dropped into the ProgramData folder to perform functions, including shutting down a wide range of antivirus processes before Purple Fox is finally deployed.
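The stages above form a recognisable process lineage: the fake installer spawns TextInputh.exe, which in turn launches payloads from ProgramData. The following detection sketch, an added example that is not Minerva Labs' tooling, walks constructed process-creation events and flags both patterns; the event layout, PIDs, and the stage file names are invented for illustration.

```python
"""Flag the fake-Telegram-installer -> TextInputh.exe chain over constructed
process-creation events (added example; event format, PIDs and the stage2*
file names are invented, not taken from the Minerva Labs report)."""

# Constructed Sysmon-style process-creation events: pid, parent pid, image path.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "C:\\Windows\\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "C:\\Users\\u\\Downloads\\Telegram Desktop.exe"},
    {"pid": 201, "ppid": 200, "image": "C:\\Users\\u\\AppData\\Local\\Temp\\TextInputh.exe"},
    {"pid": 202, "ppid": 201, "image": "C:\\ProgramData\\stage2a.exe"},  # hypothetical name
    {"pid": 203, "ppid": 201, "image": "C:\\ProgramData\\stage2b.exe"},  # hypothetical name
    {"pid": 300, "ppid": 100, "image": "C:\\Program Files\\Telegram Desktop\\Telegram.exe"},
]

INSTALLER = "telegram desktop.exe"      # file name named in the article
DOWNLOADER = "textinputh.exe"           # downloader named in the article
PROGRAMDATA = "c:\\programdata\\"       # later stages are dropped here


def basename(path):
    """Case-insensitive file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Yield image names of pid and its ancestors, child first; stops on cycles."""
    by_pid = {e["pid"]: e for e in events}
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        yield basename(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]


def detect(events):
    """Return (pid, reason) alerts.

    Rule 1: the fake installer directly spawns TextInputh.exe.
    Rule 2: a binary running from ProgramData descends from TextInputh.exe.
    """
    alerts = []
    for e in events:
        chain = list(ancestry(events, e["pid"]))  # [self, parent, grandparent, ...]
        if chain[0] == DOWNLOADER and len(chain) > 1 and chain[1] == INSTALLER:
            alerts.append((e["pid"], "fake Telegram installer launched TextInputh.exe"))
        elif e["image"].lower().startswith(PROGRAMDATA) and DOWNLOADER in chain[1:]:
            alerts.append((e["pid"], "ProgramData payload descended from TextInputh.exe"))
    return alerts


if __name__ == "__main__":
    for pid, reason in detect(SAMPLE_EVENTS):
        print(pid, reason)
```

The legitimate Telegram.exe launched from Program Files produces no alert, so the rules key on lineage rather than on the Telegram name alone.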

The Purple Fox Trojan comes in both 32-bit and 64-bit Windows variants. In March last year, Guardicore Labs found new worm capabilities had been integrated into the malware, and thousands of vulnerable servers had been hijacked to host Purple Fox payloads. 

By October, Trend Micro uncovered a new .NET backdoor, dubbed FoxSocket, which is believed to be a new addition to the malware's existing capabilities. 

Given that the malware now contains a rootkit, worm functionality, and has been upgraded with a more robust backdoor, the inclusion of a stealthier infection process means that cybersecurity researchers will likely be keeping a close eye on this malware's future development. 

"The beauty of this attack is that every stage is separated into a different file, which is useless without the entire file set," the team noted. "This helps the attacker protect his files from AV detection."
