Security researchers have recently observed the Purple Fox backdoor being distributed through trojanized installers of the Telegram messaging application.
According to the Minerva Labs report (https://blog.minerva-labs.com/malicious-telegram-installer-drops-purple-fox-rootkit), the threat actor kept most of the attack under the radar by splitting it into several small files, most of which had very low detection rates on AV engines, with the final stage leading to a Purple Fox rootkit infection.
A. Nature of Attack
The malicious Telegram installer is compiled with AutoIt, with the script named “Telegram Desktop.exe”. This is only the first stage of the attack: it creates a new folder named “TextInputh” and drops a malicious downloader called TextInputh.exe. Once the downloader executes, it attempts to connect to the C&C server to fetch the next-stage malware. The malware then checks for, and blocks, processes associated with various antivirus products before advancing to the final stage, which executes the Purple Fox rootkit.
B. Actions to be Taken
CERT-PH recommends the following actions be taken:
- Run anti-virus software and/or a host-based detection tool, kept up to date with the latest version.
- Proactively monitor and secure identified systems and devices against any suspicious or malicious activity.
- Take a good backup of the system before patching, in case anomalies or issues are encountered.
- Provide employees with cybersecurity knowledge and training to minimize the attack surface.
- For additional information, refer to the official advisory (https://blog.minerva-labs.com/malicious-telegram-installer-drops-purple-fox-rootkit).
C. List of Indicators of Compromise (IOC)
| Item Type | Indication value | Description |
|---|---|---|
| Hash (SHA-256) | af8eef9df6c1f5645c95d0e991d8f526fbfb9a368eee9ba0b931c0c3df247e41 | Legitimate Telegram Installer |
| Hash (SHA-256) | b5128b709e21c2a4197fcd80b072e7341ccb335a5decbb52ef4cee2b63ad0b3e | rundll3222.exe – legitimate rundll32.exe |
| IP | 193.164.223[.]77 | C&C Server – 2nd stage |
| IP | 144.48.243[.]79 | C&C Server – Last Stage |
| URL | hxxp://193.164.223[.]77:7456/h?=1640618495 | Contains 1.rar file |
| URL | hxxp://193.164.223[.]77:7456/77 | Contains 7zz/exe file |
| URL | hxxp://144.48.243[.]79:17674/C558B828.Png | Purple Fox Rootkit |
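A small defender-side checker, added here as an example and not part of the CERT-PH or Minerva Labs material: it refangs the indicators from section C, matches them against a constructed proxy log, looks up file hashes, and checks for the dropper path described in section A. It assumes Python 3; the log line format and the sample log are invented.

```python
import re
from pathlib import Path
# Indicators exactly as the advisory lists them, kept defanged until matching time.
IOC_SHA256 = {
    "af8eef9df6c1f5645c95d0e991d8f526fbfb9a368eee9ba0b931c0c3df247e41": "Legitimate Telegram Installer",
    "b5128b709e21c2a4197fcd80b072e7341ccb335a5decbb52ef4cee2b63ad0b3e": "rundll3222.exe (legitimate rundll32.exe)",
}
IOC_IPS_DEFANGED = ["193.164.223[.]77", "144.48.243[.]79"]
IOC_URLS_DEFANGED = [
    "hxxp://193.164.223[.]77:7456/h?=1640618495",
    "hxxp://193.164.223[.]77:7456/77",
    "hxxp://144.48.243[.]79:17674/C558B828.Png",
]

def refang(ioc: str) -> str:
    """Turn the advisory's defanged notation back into the form that appears in real logs."""
    return ioc.replace("[.]", ".").replace("hxxps://", "https://").replace("hxxp://", "http://")

IOC_IPS = {refang(ip) for ip in IOC_IPS_DEFANGED}
IOC_URLS = {refang(url) for url in IOC_URLS_DEFANGED}
# Match an IP only as a whole dotted quad, so 193.164.223.77 does not fire on 193.164.223.771.
IP_RE = re.compile(r"(?<![\d.])(" + "|".join(re.escape(ip) for ip in IOC_IPS) + r")(?![\d.])")

def lookup_sha256(digest: str):
    """Return the advisory's label for a listed SHA-256 (e.g. hashlib.sha256(data).hexdigest()), else None."""
    return IOC_SHA256.get(digest.lower())

def dropper_present(base_dir: str) -> bool:
    """Stage one creates a 'TextInputh' folder and drops TextInputh.exe into it; check for that artifact."""
    return (Path(base_dir) / "TextInputh" / "TextInputh.exe").is_file()

def scan_proxy_log(lines):
    """Return (line_number, indicator) for every line that touches a listed C&C URL or IP."""
    hits = []
    for number, line in enumerate(lines, start=1):
        url = next((u for u in IOC_URLS if u in line), None)
        if url:                      # a full URL match is the strongest signal
            hits.append((number, url))
            continue
        match = IP_RE.search(line)   # otherwise fall back to the bare C&C address
        if match:
            hits.append((number, match.group(1)))
    return hits

# Constructed sample proxy log (not real traffic): lines 1 and 3 reach the listed C&C hosts.
SAMPLE_LOG = [
    "2022-01-04T10:12:31Z 10.0.0.15 GET http://193.164.223.77:7456/h?=1640618495 200",
    "2022-01-04T10:12:35Z 10.0.0.15 GET http://example.com/index.html 200",
    "2022-01-04T10:13:02Z 10.0.0.15 CONNECT 144.48.243.79:17674 200",
]
```

Feed `scan_proxy_log` the lines of a real proxy or firewall export and `lookup_sha256` the digest of any suspect installer to triage hosts against this advisory.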