On infected PCs, Trojanized Telegram chat app installers are being used to disseminate the Windows-based Purple Fox backdoor.
According to recent research from Minerva Labs, the attack differs from other types of intrusions that often exploit legitimate software to deliver harmful payloads.
"By separating the attack into considerable little files, the majority of which had very low detection speeds by engines, with the last stage leading to Purple Fox rootkit infection," said researcher Natalie Zargarov.
Purple Fox was identified in 2018 and possesses rootkit characteristics, allowing it to elude detection by being planted outside the reach of security solutions. In a March 2021 study, Guardicore described its worm-like propagation function, which allows the backdoor to proliferate faster.
Then, in October 2021, Trend Micro researchers uncovered FoxSocket, a .NET implant used in conjunction with Purple Fox to interact with its command-and-control (C2) servers using WebSockets for a more secure method of communication.
The researchers concluded, "Purple Fox stays on impacted systems longer and delivers extra payloads."
Finally, in December 2021, Trend Micro revealed the later stages of the Purple Fox infection chain, which include targeting SQL databases by inserting a malicious SQL common language runtime (CLR) module to gain a more persistent and stealthier foothold, and eventually abusing SQL servers for illicit cryptocurrency mining.
Minerva identified a new attack chain that starts with a Telegram installer file: an AutoIt script that drops a legitimate Telegram installer together with a malicious downloader called "TextInputh.exe," which is used to download next-stage malware from the C2 server.
Following that, the downloaded files disable antivirus engine processes before moving on to the last stage, which involves downloading and executing the Purple Fox rootkit from a now-defunct remote server.
"We detected a huge number of malware installers that used the same attack chain to deploy the same Purple Fox rootkit version," Zargarov added. "The attack's beauty is that each stage is segregated into its own file, leaving it unusable without the complete file set."
Every business faces daunting challenges when it comes to protecting its assets:
Threats that are new and evolving
Regulations governing privacy and compliance
The increased risk associated with digital transformation
With hundreds of point-solution vendors and cheap, inadequate tools, companies face a cyber security dilemma that can only be solved by a truly integrated cyber defense.
Airzero Sec is driving innovation to assist you in overcoming your most difficult challenges. If you have any questions about the fake Telegram messenger app, contact us through the given email.
Author - Johnson Augustine
Ethical Hacker and Data Security Researcher
Founder: Airo Global Software Inc
LinkedIn Profile: www.linkedin.com/in/johnsontaugustine/