Fake Telegram Messenger Apps used to distribute Purple Fox malware

Telegram application installers distributed malware that further delivers malicious payloads on devices

Fake Telegram app installer launched Purple Fox malware and a huge load of other malicious processes undetected

A trojanized Telegram for Desktop installer spreads the Purple Fox malware, which can drop further malicious payloads on already infected devices.[1] The trojanized installer of the messaging application is used to spread Windows-based backdoor malware on compromised machines.[2] New research revealed a campaign that differs from common attacks in which legitimate software is used as the vehicle for dropping malware.[3]

The installer is a compiled AutoIt script that drops two files: the actual Telegram installer and the malicious downloader. The bundled legitimate installer is never executed, so the only program that is launched is the malicious downloader. Once executed, it creates folders and connects to the C2 servers to download archived files.

The Purple Fox files also managed to block processes related to antivirus engines before getting detected. A large number of malicious installers deliver the rootkit versions using the same attack chain. Some of them might be delivered via email and phishing websites. The attack is a set of processes, and each file is useless without the entire set, which researchers say is the “beauty of this attack.”

According to the Minerva Labs report, the threat group managed to evade detection by separating the infection into several small files. Most of them had very low detection rates, and antivirus engines could not flag them as possibly malicious or risky. The final stage of the attack injects the Purple Fox rootkit.
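A static triage check for the dropper layout described above (a compiled AutoIt wrapper carrying extra executables, the real installer and the downloader), written as an added example and not taken from the Minerva Labs report. The `AU3!EA06` marker is the string present in executables built from AutoIt v3 scripts; the sample images are constructed so the script runs offline.

```python
import re

# ASCII marker embedded in executables compiled from AutoIt v3 scripts.
AUTOIT_MARKER = b"AU3!EA06"


def _pe_offsets(data: bytes) -> list:
    """Return offsets of every 'MZ' header whose e_lfanew points at a PE signature."""
    found = []
    for m in re.finditer(b"MZ", data):
        base = m.start()
        if base + 0x40 > len(data):
            continue
        e_lfanew = int.from_bytes(data[base + 0x3C:base + 0x40], "little")
        pe = base + e_lfanew
        if 0 < e_lfanew < 0x1000 and data[pe:pe + 4] == b"PE\0\0":
            found.append(base)
    return found


def triage_installer(data: bytes) -> dict:
    """Flag a compiled-AutoIt wrapper that carries additional embedded executables."""
    pes = _pe_offsets(data)
    embedded = max(len(pes) - 1, 0)          # the outer carrier itself does not count
    is_autoit = AUTOIT_MARKER in data
    return {
        "compiled_autoit": is_autoit,
        "embedded_pe_count": embedded,
        "suspect_dropper": is_autoit and embedded >= 1,
    }


def _fake_pe(tag: bytes) -> bytes:
    """Constructed minimal PE-like image (hypothetical, for the offline sample only)."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")   # e_lfanew: right after the DOS header
    return bytes(hdr) + b"PE\0\0" + tag


# Constructed samples: the trojanized layout (carrier + bundled setup + downloader)
# and a plain single-executable installer.
SAMPLE_TROJANIZED = _fake_pe(b"carrier") + AUTOIT_MARKER + _fake_pe(b"setup") + _fake_pe(b"downloader")
SAMPLE_CLEAN = _fake_pe(b"setup-only")

if __name__ == "__main__":
    print(triage_installer(SAMPLE_TROJANIZED))   # suspect_dropper True, embedded_pe_count 2
    print(triage_installer(SAMPLE_CLEAN))        # suspect_dropper False
```

The check is a triage heuristic for sandbox or mail-gateway pipelines, not a verdict: legitimate self-extracting installers also embed executables, so a hit should route the file to deeper analysis.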

Purple Fox malware is coming out with new functionalities

This particular malware has been known since 2018, and each year it has surfaced in new attacks in which the program gains new functions. It came out with rootkit capabilities and managed to silently infect machines and evade detection by security tools. In 2021, reports indicated new worm-like features.[4] The backdoor managed to spread more rapidly across machines.

Later in 2021, Trend Micro researchers revealed an implant named FoxSocket deployed with Purple Fox that took advantage of WebSockets to contact C2 servers as a more secure means of communication.

The rootkit capabilities of Purple Fox make it more capable of carrying out its objectives in a stealthier manner. They allow Purple Fox to persist on affected systems and to deliver further payloads to them.

At the end of the year, later stages of the infection chain were analyzed. The malware targeted SQL databases by inserting a malicious SQL Common Language Runtime (CLR) module. This way, the malware achieved persistence, and its execution allowed the attackers to abuse the SQL servers for cryptocurrency mining.

Yet another Telegram app abuse

Attackers often abuse applications, and especially tend to abuse messaging, social media, or cryptocurrency apps. There are many details that can be stolen, and personal information, once obtained by attackers, can be either sold for huge amounts or used in later scams and campaigns. Telegram applications have been used in various campaigns.

The Telegram handle Smokes Night was used to spread the malicious Echelon info stealer, which focused on credentials for cryptocurrency wallet accounts. The sample was posted on a Telegram channel focused on cryptocurrency back in October 2021. The malware targeted file-sharing and messaging apps like Discord, Edge, FileZilla, OpenVPN, Outlook, and Telegram itself.[5]

The campaign targeted new or naive users on a particular channel. Attackers distributed the information stealer in a RAR file that included three files, one of which was the malicious executable of the Echelon credential stealer.

The payload included additional features that helped it avoid detection. These functionalities also act as anti-debugging features that terminate the process if a debugger or malware analysis tools are detected. Still, researchers eventually managed to de-obfuscate the code and fully examine the sample.

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.
