Beware of fake Telegram Messenger App Hacking PCs with Purple Fox Malware

“This threat actor was able to keep most of the attack under the radar by breaking the attack down into several small files, most of which had very low detection rates by the [antivirus] engines, the last step leading Purple Fox rootkit infection, said researcher Natalie Zargarov.

First discovered in 2018, Purple Fox comes with rootkit capabilities that allow the malware to be planted beyond the reach of security solutions and evade detection. A March 2021 report from Guardicore detailed its worm-like propagation feature, enabling the backdoor to spread more rapidly.

Then, in October 2021, Trend Micro researchers discovered a .NET implant dubbed FoxSocket distributed in partnership with Purple Fox that uses WebSockets to contact its command and control (C2) servers for a more secure way to establish communications.

“The capabilities of the Purple Fox rootkit make it more capable of achieving its goals in a more stealthy manner,” the researchers noted. “They allow Purple Fox to persist on affected systems and deliver additional payloads to affected systems.

Last but not least, in December 2021, Trend Micro also shed light on the later stages of the Purple Fox infection chain, targeting SQL databases by inserting a malicious SQL common language runtime (CLR) module to achieve a persistent and stealthier execution and ultimately abuse the SQL servers for illicit cryptocurrency mining.

The new chain of attacks observed by Minerva begins with a Telegram installer file, an AutoIt script that publishes a legitimate installer for the chat app, and a malicious downloader called “TextInputh.exe”, the latter being executed to retrieve the next malware from the C2 server.