Researchers Warn of Purple Fox Rootkit Nested in Fake Telegram Installers

Earlier this week, researchers with Israeli security company Minerva Labs discovered a new campaign that is distributing the Purple Fox rootkit. This time, the threat actors behind the campaign are hiding the malware in fake Telegram desktop client installers, and doing it reasonably well, according to the research.

Purple Fox Evolves Yet Again

The Purple Fox malware has gone through several iterations and changes over the years. First discovered a few years ago as fileless malware with a rootkit payload, it has used various propagation techniques over time, ranging from the addition of worm-like capabilities and backdoor functionality to attempted Server Message Block (SMB) brute-force attacks.

In this latest campaign, Minerva Labs examined a malicious installer named Telegram desktop.exe. The team found that the executable was really a script compiled with AutoIt, a freeware scripting language originally intended for automating Windows software.

In the first step of the attack, the script creates a new "TextInputh" folder on the victim's hard drive, under the Temp folder in %localappdata%. Into that folder it drops a legitimate Telegram installer, which is never executed, along with a malware downloader named TextInputh.exe.

Upon execution, the downloader creates a new directory under Users\Public\Videos\ and gives it a numeric string as its name. The TextInputh executable then contacts the malware's C2 servers and downloads a compressed .rar file and a legitimate 7zip decompression tool into that new folder.

The compressed file contains an executable, a DLL file, and a svchost.txt file. The executable is used to load the DLL, which in turn reads the txt file. The .txt file is used for further registry checks and deploying additional malicious files.
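As an added example (not Minerva Labs' code or a published signature), the following Python helper maps observed file-write paths onto the two stages of the chain described above. The TextInputh folder and executable, the numeric directory under Users\Public\Videos, the .rar archive and svchost.txt come from the article; the sample event list and the other file names are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Illustrative rules derived from the chain described in the article.
# Paths are normalised to lowercase backslash form before matching.
STAGE1_DIR = re.compile(r"\\appdata\\local\\temp\\textinputh(\\|$)")
STAGE2_DIR = re.compile(r"\\users\\public\\videos\\\d+\\")

def stage_of(path: str) -> Optional[str]:
    """Return the stage label a file path matches, or None if it matches nothing."""
    p = path.replace("/", "\\").lower()
    name = p.rsplit("\\", 1)[-1]
    if STAGE1_DIR.search(p):
        # Stage 1: the AutoIt dropper's folder; TextInputh.exe is the downloader.
        return "stage1-downloader" if name == "textinputh.exe" else "stage1-file"
    if STAGE2_DIR.search(p):
        # Stage 2: numeric folder under Public\Videos populated by the downloader.
        if name.endswith(".rar"):
            return "stage2-archive"
        if name == "svchost.txt":
            return "stage2-config"
        return "stage2-file"
    return None

def triage(paths: List[str]) -> Tuple[Dict[str, List[str]], bool]:
    """Group paths by matched stage. A host showing both stage 1 and stage 2
    artefacts is a strong candidate for the full infection chain."""
    hits: Dict[str, List[str]] = {}
    for p in paths:
        label = stage_of(p)
        if label:
            hits.setdefault(label, []).append(p)
    full_chain = any(k.startswith("stage1") for k in hits) and \
                 any(k.startswith("stage2") for k in hits)
    return hits, full_chain

# Constructed sample of file-creation events (not real telemetry).
SAMPLE = [
    r"C:\Users\alice\AppData\Local\Temp\TextInputh\TextInputh.exe",
    r"C:\Users\alice\AppData\Local\Temp\TextInputh\telegram_installer.exe",
    r"C:\Users\Public\Videos\1640618495\payload.rar",
    r"C:\Users\Public\Videos\1640618495\unpacker.exe",
    r"C:\Users\Public\Videos\1640618495\svchost.txt",
    r"C:\Users\alice\Documents\report.docx",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A single stage 2 file on its own is not flagged as the full chain, which mirrors the article's point that the fragments are inert unless the whole set is present.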

Flying Under the Radar

According to Minerva, this fragmented, multi-file approach, which also spreads the infection over a large number of steps, is what allowed the campaign to fly relatively low under the radar and dodge detection for some time. The individual files used in the infection chain have very low detection rates, which contributed to the campaign's success. According to the researchers, the fragmented sets of files are "useless" on their own and only work when the entire set is put together.