A malicious Telegram instant-messaging app installer scurries past a slew of antivirus (AV) engines to deliver Purple Fox malware, evading detection by separating the attack into bite-sized morsels that fly under the radar.
In a Monday report, Minerva Labs said that the attack evades detection by AV products from the likes of Avira, ESET, Kaspersky, McAfee, Panda, Trend Micro, Symantec and many more.
“We have often observed threat actors using legitimate software for dropping malicious files,” analysts wrote. “This time however is different. This threat actor was able to leave most parts of the attack under the radar by separating the attack into several small files, most of which had very low detection rates by AV engines, with the final stage leading to Purple Fox rootkit infection.”
The malicious installer, bearing the familiar Telegram icon of a white paper plane, is actually a compiled AutoIt script called “Telegram Desktop.exe.” The installer creates a new folder named “TextInputh” under C:\Users\Username\AppData\Local\Temp\. It drops two files into the folder: an actual Telegram installer (which isn’t executed), and a malicious downloader, TextInputh.exe.
The malicious downloader, TextInputh.exe, creates a new folder named “1640618495” under the C:\Users\Public\Videos\ directory. In the next stage of the attack, the executable contacts a command-and-control (C2) server – a C2 that was already down at the time of investigation – and downloads two files to the new folder: a legitimate 7z archiver and a RAR archive (1.rar).
The 1.rar archive contains the payload and the configuration files, as shown in the image below. The 7z program unpacks everything onto the ProgramData folder.
TextInputh.exe then performs these actions on infected machines:
- Copies 360.tct with “360.dll” name, rundll3222.exe and svchost.txt to the ProgramData folder
- Executes ojbk.exe with the “ojbk.exe -a” command line
- Deletes 1.rar and 7zz.exe and exits the process
Next, a registry key is created for persistence, a DLL (rundll3222.dll) disables Microsoft’s User Account Control (UAC) malware-inhibiting security control, the payload (svchost.txt) is executed, and these five additional files are dropped onto the infected system:
- Calldriver.exe
- Driver.sys
- dll.dll
- kill.bat
- speedmem2.hg
UAC is a Windows security feature designed to prevent changes to an operating system by unauthorized users, applications or malware. Bypassing UAC is a key function that’s regularly coded into malware. With UAC out of the picture, any programs that run on an infected system – including viruses and malware – are free to gain administrator privileges.
Small Files Cluster-Block 360 AV
The five files that fly under the radar “work together to shut down and block the initiation of 360 AV processes from the kernel space, thus allowing the next stage attack tools (Purple Fox rootkit, in our case) to run without being detected,” according to Minerva Labs’ writeup.
“The beauty of this attack is that every stage is separated to a different file which are useless without the entire file set,” according to the report. “This helps the attacker protect his files from AV detection.”
After blocking 360 AV, the malware then gathers the following list of system information, checks to see if a long list of security tools are running, and, finally, sends all the information to a hardcoded C2 address.
- Hostname
- CPU – by retrieving a value of HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ ~MHz registry key
- Memory status
- Drive Type
- Processor Type – by calling GetNativeSystemInfo and checking the value of wProcessorArchitecture.
The Latest Bite from the Rabid Purple Fox
Purple Fox, which first appeared in 2018, is a malware campaign that up until March required user interaction or some kind of third-party tool to infect Windows machines. Last spring, the attackers behind the campaign skipped over that crutch by empowering the malware with the ability to brute force its way into victims’ systems on its own, according to research from Guardicore Labs. At the same time, Purple Fox was outfitted with a rootkit that allowed it to burrow in, evade detection and establish persistence.
Minerva Labs said that it found a large number of malicious installers delivering the same Purple Fox rootkit version using the same attack chain. It’s not entirely clear how it’s being distributed, though analysts believe that some were delivered via email, while others were presumably downloaded from phishing sites.
Check out our free upcoming live and on-demand online town halls – unique, dynamic discussions with cybersecurity experts and the Threatpost community.