Light Dark
February 9, 2022 By David Bisson 2 min read
News

Threat actors leveraged a malicious Telegram installer to infect users with the Purple Fox rootkit.

A case study in evasion

With the help of MalwareHunterTeam, Minerva Labs looked into a malicious Telegram installer and found that it was a compiled AutoIt script called ‘Telegram Desktop.exe.’

The script created a new folder and dropped both a legitimate Telegram installer and a malicious downloader into it. The former didn’t factor into the attack chain. The same can’t be said about the latter, however.

Upon execution, the malicious downloader contacted a command and control (C&C) server and downloaded two files into a newly created folder. One of those resources, ‘7zz.exe,’ contained another file called ‘ojbke.exe’ that, when run with the ‘-a’ argument, reflectively loaded a DLL file.

This item led the attack flow to use some more files for the purpose of shutting down antivirus processes. It was then that the campaign took advantage of its C&C server to gather the hostname, CPU and other information from a victim.

It also checked to see if various antivirus solutions were running on the victim’s machine. At that point, the campaign delivered all that data to the C&C server.

The server was down at the time of Minerva Labs’ analysis. But upon reviewing the IP address, the researchers found that the attack concluded by downloading and running Purple Fox. Further review revealed that malicious installers were delivering the same rootkit via email, presumably from phishing websites.

Other recent attack attempts involving Purple Fox

The attack campaign discussed above wasn’t the first time that the Purple Fox rootkit made news in the past few years. In September 2019, researchers witnessed the RIG exploit kit sending out a new Purple Fox variant. The threat used one of three methods to redirect visitors to a malicious PowerShell command for the purpose of installing the rootkit.

In 2021, Guardicore Labs detected an active malware campaign targeting Windows machines. This operation differed from previous attacks involving Purple Fox in that it didn’t leverage phishing emails or exploit kits. Instead, it used SMS password brute forcing, a tactic which enabled the rootkit to propagate as a worm across web-facing Windows machines.

How to defend against Purple Fox attack attempts

Businesses can defend against the Purple Fox attack attempts discussed above by investing in their anti-phishing measures. Those defenses include using awareness training to cultivate employees’ knowledge of new phishing attack campaigns. They also consist of using URL blocking, spam controls, multifactor authentication and other technical defensive measures.

At the same time, businesses and agencies need to minimize the risk of attackers using exploit kits and SMS vulnerabilities to infect them with threats like Purple Fox. They can do this by prioritizing and remediating vulnerabilities affecting their systems using a vulnerability management program.

 |  |  | 
David Bisson
Contributing Editor

More from News
May 1, 2024

New proposed federal data privacy law suggests big changes

3 min read - After years of work and unsuccessful attempts at legislation, a draft of a federal data privacy law was recently released. The United States House Committee on Energy and Commerce released the American Privacy Rights Act on April 7, 2024. Several issues stood in the way of passing legislation in the past, such as whether states could issue tougher rules and if individuals could sue companies for privacy violations. With the American Privacy Rights Act of 2024, the U.S. government established…

April 29, 2024

The major hardware flaw in Apple M-series chips

3 min read - The “need for speed” is having a negative impact on many Mac users right now. The Apple M-series chips, which are designed to deliver more consistent and faster performance than the Intel processors used in the past, have a vulnerability that can expose cryptographic keys, leading an attacker to reveal encrypted data. This critical security flaw, known as GoFetch, exploits a vulnerability found in the M-chips data memory-dependent prefetcher (DMP). DMP’s benefits and vulnerabilities DMP predicts memory addresses that the…

April 22, 2024

DOD establishes Office of the Assistant Secretary of Defense for Cyber Policy

2 min read - The federal government recently took a new step toward prioritizing cybersecurity and demonstrating its commitment to reducing risk. On March 20, 2024, the Pentagon formally established the new Office of the Assistant Secretary of Defense for Cyber Policy to supervise cyber policy for the Department of Defense. The next day, President Joe Biden announced Michael Sulmeyer as his nominee for the role. “In standing up this office, the Department is giving cyber the focus and attention that Congress intended,” said…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature