It has become routine for cybercriminals to spread their customized malware via fake mobile applications. Security experts from Minerva Labs recently found threat actors leveraging malicious Telegram applications to distribute customized malware dubbed Purple Fox on targeted devices.
“This threat actor was able to leave most parts of the attack under the radar by separating the attack into several small files, most of which had very low detection rates by AV engines, with the final stage leading to Purple Fox rootkit infection,” the researchers said.
Purple Fox Infection
The malicious Telegram installer is a compiled AutoIt freeware script named Telegram Desktop.exe. When run, it creates a new folder named TextInputh under C:\Users\Username\AppData\Local\Temp\ and drops two files into it: a legitimate Telegram installer and a malware downloader, TextInputh.exe. TextInputh.exe then downloads the additional payloads for the next attack stage, which installs the Purple Fox rootkit without being detected.
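As an added detection example (not code from the Minerva Labs write-up), the following Python scanner runs over constructed Sysmon-style file-creation events and flags the two file-system indicators the write-up describes: a TextInputh folder under %LOCALAPPDATA%\Temp and a dropped file named TextInputh.exe, with a further note when the writing process carries the trojanized installer's name. The flat key=value event format, the user name "alice", and the placeholder file name for the bundled legitimate installer are assumptions made for the example.

```python
import re
from typing import Dict, List, Tuple

# Indicators taken from the write-up: the dropper creates a "TextInputh" folder
# under %LOCALAPPDATA%\Temp and writes "TextInputh.exe" into it.
TEMP_FOLDER_RE = re.compile(r"\\AppData\\Local\\Temp\\TextInputh(\\|$)", re.IGNORECASE)
DROPPER_NAME_RE = re.compile(r"(^|\\)TextInputh\.exe$", re.IGNORECASE)

# Name of the trojanized installer process from the write-up.
INSTALLER_IMAGE_SUFFIX = "\\telegram desktop.exe"

# Flat key=value lines with quoted values; a simplification of Sysmon
# Event ID 11 (FileCreate) output, not real telemetry.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample events (user name and the legitimate installer's file
# name are placeholders chosen for this example).
SAMPLE_EVENTS = [
    r'EventID=11 Image="C:\Users\alice\Downloads\Telegram Desktop.exe" '
    r'TargetFilename="C:\Users\alice\AppData\Local\Temp\TextInputh\TextInputh.exe"',
    r'EventID=11 Image="C:\Users\alice\Downloads\Telegram Desktop.exe" '
    r'TargetFilename="C:\Users\alice\AppData\Local\Temp\TextInputh\legit_telegram_setup_placeholder.exe"',
    r'EventID=11 Image="C:\Program Files\Telegram Desktop\Telegram.exe" '
    r'TargetFilename="C:\Users\alice\AppData\Roaming\Telegram Desktop\tdata\settings"',
    r'EventID=1 Image="C:\Windows\System32\svchost.exe" CommandLine="svchost.exe -k netsvcs"',
]


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value event line into a dict, stripping quotes from values."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def classify(event: Dict[str, str]) -> List[str]:
    """Return the list of indicator matches for a FileCreate event (empty if benign)."""
    reasons: List[str] = []
    if event.get("EventID") != "11":      # only file-creation events are of interest
        return reasons
    target = event.get("TargetFilename", "")
    if TEMP_FOLDER_RE.search(target):
        reasons.append("file written into %LOCALAPPDATA%\\Temp\\TextInputh")
    if DROPPER_NAME_RE.search(target):
        reasons.append("dropped file named TextInputh.exe")
    image = event.get("Image", "")
    if reasons and image.lower().endswith(INSTALLER_IMAGE_SUFFIX):
        reasons.append("written by a process named 'Telegram Desktop.exe' (trojanized installer name)")
    return reasons


def scan(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Scan event lines and return (target file, reasons) for every flagged event."""
    hits: List[Tuple[str, List[str]]] = []
    for line in lines:
        event = parse_event(line)
        reasons = classify(event)
        if reasons:
            hits.append((event.get("TargetFilename", ""), reasons))
    return hits


if __name__ == "__main__":
    for target, reasons in scan(SAMPLE_EVENTS):
        print(f"FLAGGED {target}")
        for reason in reasons:
            print(f"    - {reason}")
```

The scanner keys on the folder and file names the write-up reports, so it is a narrow indicator match rather than a general detector; the legitimate Telegram installer dropped alongside TextInputh.exe is flagged too, because any write into that temp folder is suspicious regardless of the file's own reputation, which is exactly the behaviour that lets the split-file delivery slip past per-file AV verdicts.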
Rootkits typically give remote attackers illicit, hard-to-detect access to the operating system of the infected machine, which lets them monitor the system and steal sensitive information.
The information gathered by Purple Fox includes:
- Hostname
- CPU – by reading the ~MHz value under the HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 registry key
- Memory status
- Drive Type
- Processor Type
“We found a large number of malicious installers delivering the same Purple Fox rootkit version using the same attack chain. It seems like some were delivered via email, while others we assume were downloaded from phishing websites. The beauty of this attack is that every stage is separated into a different file, and these files are useless without the entire file set. This helps the attacker protect his files from AV detection,” the researchers added.
New Malware Variants on the Rise
Despite several security measures, threat actors have managed to spread various malware variants. A recent analysis uncovered an info-stealing malware dubbed Redline that targets web browsers such as Opera, Chrome, and Edge to harvest login credentials. According to a report from AhnLab ASEC, the Redline campaign targets users who enable the auto-login feature in their browsers. Active since 2020, when Redline Stealer first appeared on a Russian darknet forum, the malware is peddled for $150-$200, which puts it within reach of a wide range of bad actors.