According to researchers, fake Telegram app installers are being used to distribute a malicious backdoor on compromised systems. Read on to learn more.
Cybersecurity researchers have cautioned that fake Telegram Messenger apps are currently infecting devices, including PCs, with Windows-based malware that can compromise your information and evades the anti-malware software installed on the system.
The report on fake Telegram messenger apps was published by Minerva Labs, which was founded in 2014 by former officers of elite cyber units of the Israel Defense Forces. According to Minerva Labs researchers, fake Telegram messaging app installers are being used to distribute the Windows-based ‘Purple Fox’ backdoor on compromised systems.
“We found a large number of malicious installers delivering the same ‘Purple Fox’ rootkit version using the same attack chain. It seems like some were delivered via email, while others we assume were downloaded from phishing websites,” said researcher Natalie Zargarov.
“The beauty of this attack is that every stage is separated to a different file which is useless without the entire file set. This helps the attacker protect his files from AV (anti-virus) detection.”
During the investigation, the researchers discovered that the threat actor was able to hide the major parts of the malware code by dividing it into multiple small files, the majority of which had very low detection rates by antivirus engines, “with the final stage leading to Purple Fox rootkit infection”.
According to thehackernews.com, ‘Purple Fox,’ first discovered in 2018, has rootkit capabilities that enable the malware to be planted beyond the reach of anti-virus programs.
In October 2021, Trend Micro researchers discovered a .NET implant called FoxSocket being used in conjunction with Purple Fox.
“The rootkit capabilities of Purple Fox make it more capable of carrying out its objectives in a stealthier manner,” the researchers noted.
“They allow Purple Fox to persist on affected systems as well as deliver further payloads to affected systems.”
Zargarov stated that they have frequently noticed threat actors using legitimate software for dropping malicious files.
The researchers observed: “This time, however, is different. This threat actor was able to leave most parts of the attack under the radar by separating the attack into several small files, most of which had very low detection rates by AV engines, with the final stage leading to Purple Fox rootkit infection.”
TextInputh.exe creates a new folder and establishes a connection with the malware’s command-and-control (C2) server. After that, two new files are downloaded and executed: one to unpack .RAR archives and the other to reflectively load a malicious DLL.
Before Purple Fox is fully deployed, a registry key is created to enable persistence on the infected PC, and five other files are dropped into the ProgramData folder to perform tasks such as shutting off a wide range of antivirus services.
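The chain described above (TextInputh.exe launch, C2 connection, drops into ProgramData, a persistence registry key, antivirus services being stopped) lends itself to a simple stage-correlation detection. The script below is an added example, not Minerva Labs’ or any vendor’s code: it scores constructed audit events per host and alerts when enough stages of the chain are seen. The event format, the Run-key location, the dropped file names and the address are all assumptions made for the sample; only the TextInputh.exe name, the ProgramData drop and the service shutdown come from the article.

```python
import re
from collections import defaultdict

# Constructed sample events (not real telemetry), shaped as
# (host, event_type, detail) tuples from a process/file/registry audit trail.
SAMPLE_EVENTS = [
    ("ws01", "process", r"C:\Users\alice\Downloads\Telegram Desktop.exe"),
    ("ws01", "process", r"C:\Users\alice\AppData\Local\Temp\TextInputh.exe"),
    ("ws01", "netconn", "TextInputh.exe -> 198.51.100.7:443"),   # placeholder address
    ("ws01", "file", r"C:\ProgramData\stage_a.dat"),              # constructed names
    ("ws01", "file", r"C:\ProgramData\stage_b.dat"),
    ("ws01", "registry", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updater"),
    ("ws01", "process", "sc stop ExampleAV"),                      # constructed service
    ("ws02", "process", r"C:\Program Files\Telegram Desktop\Telegram.exe"),
    ("ws02", "file", r"C:\ProgramData\Microsoft\Windows\Caches\cache.db"),
]

# One entry per stage of the chain: (stage name, event type it appears in, pattern).
# The registry location (a Run key) is an assumption; the article only says
# "a registry key is created to enable persistence".
STAGES = [
    ("textinputh_exec", "process", re.compile(r"\\TextInputh\.exe$", re.I)),
    ("c2_connection", "netconn", re.compile(r"^TextInputh\.exe ->", re.I)),
    # Files written directly under ProgramData (not inside a vendor subfolder).
    ("programdata_drop", "file", re.compile(r"^C:\\ProgramData\\[^\\]+$", re.I)),
    ("run_key_persistence", "registry", re.compile(r"\\CurrentVersion\\Run\\", re.I)),
    ("av_service_stop", "process", re.compile(r"^(sc|net)\s+stop\s+", re.I)),
]
ALERT_THRESHOLD = 3  # distinct stages seen on one host before an alert is raised


def detect_chain(events, threshold=ALERT_THRESHOLD):
    """Return {host: sorted stage names} for every host reaching the threshold.

    Each stage counts once per host, so a single noisy event type (for example
    many ProgramData writes) cannot on its own trigger an alert.
    """
    seen = defaultdict(set)
    for host, etype, detail in events:
        for name, stage_type, pattern in STAGES:
            if etype == stage_type and pattern.search(detail):
                seen[host].add(name)
    return {host: sorted(stages) for host, stages in seen.items()
            if len(stages) >= threshold}


if __name__ == "__main__":
    for host, stages in detect_chain(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {len(stages)} chain stages observed: {', '.join(stages)}")
```

On the sample, ws01 matches all five stages and is reported, while ws02 (a legitimate Telegram install writing to a vendor subfolder of ProgramData) matches none.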
The researchers discovered both 32-bit and 64-bit Windows variants of the Purple Fox Trojan. Guardicore Labs discovered new worm capabilities in the malware in March of last year, by which time thousands of vulnerable servers had been hijacked to host Purple Fox payloads.