September 27, 2023

Threat actors are using weaponized installers of the Telegram messaging application to deliver the Purple Fox backdoor on Windows systems. Researchers pointed out that this campaign, unlike similar ones leveraging legitimate software to deliver malware, has a very low detection rate.

We have often observed threat actors using legitimate software for dropping malicious files. This time, however, is different. This threat actor was able to leave most parts of the attack under the radar by separating the attack into several small files, most of which had very low detection rates by AV engines, with the final stage leading to Purple Fox rootkit infection.

Researchers' Statement

The Purple Fox malware was first discovered in March 2018. It is distributed in the form of malicious “.msi” packages, which the experts found on nearly 2,000 compromised Windows servers. The installer extracts the payloads from within the MSI package and decrypts them.

The installer analyzed is a compiled AutoIt script (AutoIt is a freeware BASIC-like scripting language designed for automating the Windows GUI and general scripting) named “Telegram Desktop.exe.” When run, it creates a new folder named “TextInputh” under C:\Users\Username\AppData\Local\Temp\ and drops a legitimate Telegram installer and a malicious downloader (TextInputh.exe) into it.

When executed, TextInputh.exe creates a folder named “1640618495” under the C:\Users\Public\Videos\ directory, then downloads the following files from the C2 into the newly created folder:

  1. 1.rar – contains the files for the next stage.
  2. 7zz.exe – a legitimate 7z archiver.

7zz.exe is then used to unpack 1.rar, which contains the following files:

TextInputh.exe then performs the following actions:

  • Copies 360.tct to the ProgramData folder under the name “360.dll”, together with rundll3222.exe and svchost.txt
  • Executes ojbk.exe with the “ojbk.exe -a” command line
  • Deletes 1.rar and 7zz.exe and terminates the ojbk.exe process

The attack chain continues by dropping five more files into the ProgramData folder:

  • Calldriver.exe – used to shut down 360 AV and block it from starting
  • Driver.sys – once this file is dropped, a new system driver service named “Driver” is created and started on the infected PC, and bmd.txt is created in the ProgramData folder
  • dll.dll – executed after the UAC bypass
  • kill.bat – a batch script executed once the file drop completes
  • speedmem2.hg – an SQLite file

The above files are used to block the start of 360 AV processes and prevent detection of the final payload, the Purple Fox backdoor. The malware then gathers basic system information, checks for any security tools running on the compromised system, and sends the results to a hardcoded C2. In the final phase, Purple Fox is downloaded from the C2 as an .msi file containing encrypted shellcode for both 32-bit and 64-bit systems.

Purple Fox disables UAC in order to perform a broad range of malicious activities, such as killing processes and downloading and executing additional payloads.
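A defender-side triage check, added here as an example (it is not code from the original report or from the researchers): it runs constructed Sysmon-style event lines against the host artefacts described above (the TextInputh drop folder, the 1640618495 staging directory, the ProgramData file names, the “ojbk.exe -a” command line and the “Driver” service). The key=value event layout and field names are an assumption made for this example.

```python
import re

# File names, folders, the "ojbk.exe -a" command line and the "Driver" service name come from
# the write-up; the key=value event layout and field names are an assumption for this example.
INDICATORS = {
    "dropper_in_temp": re.compile(r"\\AppData\\Local\\Temp\\TextInputh\\TextInputh\.exe$", re.I),
    "staging_folder": re.compile(r"\\Users\\Public\\Videos\\1640618495\\", re.I),
    "programdata_drop": re.compile(r"\\ProgramData\\(360\.dll|rundll3222\.exe|svchost\.txt|"
                                   r"Calldriver\.exe|Driver\.sys|dll\.dll|kill\.bat|speedmem2\.hg|bmd\.txt)$", re.I),
    "ojbk_cmdline": re.compile(r"\bojbk\.exe\s+-a\b", re.I),
}
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value pairs; quoted values may contain spaces

def parse_event(line):
    """Split one key=value event line into a dict, stripping the quotes around values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def match_event(event):
    """Return the names of every indicator a single parsed event triggers."""
    hits = set()
    for field in ("TargetFilename", "Image", "CommandLine", "ImagePath"):
        value = event.get(field, "")
        hits.update(name for name, rx in INDICATORS.items() if rx.search(value))
    if event.get("EventID") == "7045" and event.get("ServiceName") == "Driver":
        hits.add("driver_service")  # new kernel driver service literally named "Driver"
    return hits

def scan(lines):
    """Map each triggered indicator to the 1-based numbers of the lines that hit it."""
    found = {}
    for n, line in enumerate(lines, 1):
        for name in match_event(parse_event(line)):
            found.setdefault(name, []).append(n)
    return found

# Constructed sample events (not from the report): five mirroring the chain, one benign.
SAMPLE_EVENTS = [
    'EventID=11 Image="C:\\Users\\alice\\Downloads\\Telegram Desktop.exe" '
    'TargetFilename="C:\\Users\\alice\\AppData\\Local\\Temp\\TextInputh\\TextInputh.exe"',
    'EventID=11 Image="C:\\Users\\alice\\AppData\\Local\\Temp\\TextInputh\\TextInputh.exe" '
    'TargetFilename="C:\\Users\\Public\\Videos\\1640618495\\1.rar"',
    'EventID=1 Image="C:\\Users\\Public\\Videos\\1640618495\\ojbk.exe" CommandLine="ojbk.exe -a"',
    'EventID=11 Image="C:\\Users\\Public\\Videos\\1640618495\\ojbk.exe" '
    'TargetFilename="C:\\ProgramData\\Driver.sys"',
    'EventID=7045 ServiceName=Driver ImagePath="C:\\ProgramData\\Driver.sys"',
    'EventID=1 Image="C:\\Windows\\System32\\notepad.exe" CommandLine="notepad.exe notes.txt"',
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))
```

Several distinct indicators firing on one host within a short window, rather than any single hit, is the signal worth escalating; the staging folder name and the “Driver” service are the least likely to appear in benign activity.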

Indicators of Compromise

