
Threat actors are using weaponized installers of the Telegram messaging application to deliver the Purple Fox backdoor on Windows systems. Researchers pointed out that this campaign, unlike similar ones leveraging legitimate software to deliver malware, has a very low detection rate.
We have often observed threat actors using legitimate software for dropping malicious files. This time however is different. This threat actor was able to leave most parts of the attack under the radar by separating the attack into several small files, most of which had very low detection rates by AV engines, with the final stage leading to Purple Fox rootkit infection.
Researchers Statement
The Purple Fox malware was first discovered in March 2018, it is distributed in the form of malicious “.msi” packages that were found by the experts on nearly 2,000 compromised Windows servers. The installer will extract the payloads and decrypt them from within the MSI package.
The installer analyzed is a compiled AutoIt (a freeware BASIC-like scripting language designed for automating Windows GUI and general scripting) script named “Telegram Desktop.exe.” Upon executing the script, it creates a new folder named “TextInputh” under C:\Users\Username\AppData\Local\Temp\ and drops a legitimate Telegram installer and a malicious downloader (TextInputh.exe).
When executed, TextInputh.exe creates a folder named “1640618495” under the C:\Users\Public\Videos\ directory, then downloads the following files from the C2 to the newly created folder:
- 1.rar – which contains the files for the next stage. 7zz.exe – a legitimate 7z archiver.
- The 7zz.exe is used to unarchive 1.rar, which contains the following files:
Then the TextInputh.exe performs the following actions:
- Copies 360.tct with “360.dll” name, rundll3222.exe, and svchost.txt to the ProgramData folder
- Executes ojbk.exe with the “ojbk.exe -a” command line
- Deletes 1.rar and 7zz.exe and exits the ojbk.exe process
The attack chain continues by dropping five more files into the ProgramData folder:
- Calldriver.exe – this file is used to shut down and block initiation of 360 AV
- Driver.sys – after this file is dropped, a new system driver service named “Driver” is created and started on the infected PC and bmd.txt is created in the ProgramData folder
- dll.dll – executed after UAC bypass. T
- kill.bat – a batch script which is executed after the file drop ends.
- speedmem2.hg – SQLite file
The above files are used block the initiation of 360 AV processes and prevent the detection of final payloads, the Purple Fox backdoor. Then the malware gathers basic system information, checks for any security tools running on the compromises system, and sends them to a hardcoded C2. In the final phase, Purple Fox is downloaded from the C2 as an .msi file that contains encrypted shellcode for both 32 and 64-bit systems.
Purple Fox disable UAC to perform a broad range of malicious activities such as killing processes and downloading and executing additional payloads.
Indicators of Compromise