Security researchers have recently observed the Purple Fox backdoor being distributed through trojanized installers of the Telegram messaging application.

Based on the report of Minerva Labs (https://blog.minerva-labs.com/malicious-telegram-installer-drops-purple-fox-rootkit), the threat actor was able to keep most parts of the attack under the radar by splitting it into several small files, most of which had very low detection rates on AV engines, with the final stage leading to a Purple Fox rootkit infection.

______________________________

A. Nature of Attack

The malicious Telegram installer is compiled with AutoIt from a script called “Telegram Desktop.exe”. This is only the first stage of the attack: it creates a new folder named “TextInputh” and drops a malicious downloader called TextInputh.exe. Once the malicious downloader has been executed, it tries to connect to the C&C server to download the next-stage malware. Next, the malware checks for processes associated with various antivirus products and blocks them before advancing to the final stage, which executes the Purple Fox rootkit.

______________________________

B. Actions to be Taken

CERT-PH recommends the following actions be taken:

  • Anti-virus software and/or a host-based detection tool running at the latest version is a must.
  • Proactively monitor and secure identified systems and devices for any suspicious/malicious activity.
  • Having a good backup of the system before patching is good practice, in case anomalies or issues are encountered.
  • In addition, provide employees with cybersecurity knowledge and training to minimize the attack surface.
  • For additional information, kindly refer to the official advisory (https://blog.minerva-labs.com/malicious-telegram-installer-drops-purple-fox-rootkit).

______________________________

C. List of Indicators of Compromise (IOC)

Item Type   Indicator value                                                    Description
Hash        41769d751fa735f253e96a02d0cccadfec8c7298666a4caa5c9f90aaa826ecd1   Telegram Desktop.exe
Hash        BAE1270981C0A2D595677A7A1FEFE8087B07FFEA061571D97B5CD4C0E3EDB6E0   TextInputh.exe
Hash        af8eef9df6c1f5645c95d0e991d8f526fbfb9a368eee9ba0b931c0c3df247e41   Legitimate Telegram Installer
Hash        797a8063ff952a6445c7a32b72bd7cd6837a3a942bbef01fc81ff955e32e7d0c   1.rar
Hash        07ad4b984f288304003b080dd013784685181de4353a0b70a0247f96e535bd56   7zz.exe
Hash        26487eff7cb8858d1b76308e76dfe4f5d250724bbc7e18e69a524375cee11fe4   360.tct
Hash        b5128b709e21c2a4197fcd80b072e7341ccb335a5decbb52ef4cee2b63ad0b3e   ojbk.exe
Hash        b5128b709e21c2a4197fcd80b072e7341ccb335a5decbb52ef4cee2b63ad0b3e   rundll3222.exe – legitimate rundll32.exe
Hash        0937955FD23589B0E2124AFEEC54E916                                   svchost.txt
Hash        e2c463ac2d147e52b5a53c9c4dea35060783c85260eaac98d0aaeed2d5f5c838   Calldriver.exe
Hash        638fa26aea7fe6ebefe398818b09277d01c4521a966ff39b77035b04c058df60   Driver.sys
Hash        4bdfa7aa1142deba5c6be1d71c3bc91da10c24e4a50296ee87bf2b96c731b7fa   dll.dll
Hash        24BCBB228662B91C6A7BBBCB7D959E56                                   kill.bat
Hash        599DBAFA6ABFAF0D51E15AEB79E93336                                   speedmem2.hg
IP          193.164.223[.]77                                                   C&C Server – 2nd stage
IP          144.48.243[.]79                                                    C&C Server – Last Stage
URL         hxxp://193.164.223[.]77:7456/h?=1640618495                         Contains 1.rar file
URL         hxxp://193.164.223[.]77:7456/77                                    Contains 7zz.exe file
URL         hxxp://144.48.243[.]79:17674/C558B828.Png                          Purple Fox Rootkit
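The indicator list above is easiest to use in practice when values are normalised before comparison: the published hashes mix upper and lower case, and the network indicators are defanged (hxxp, [.]). The following Python script is an added example, not part of the CERT-PH advisory or the Minerva Labs report. It loads the advisory's indicators (the hash of the legitimate Telegram installer is deliberately left out so that it is never flagged), refangs and lowercases both the indicators and the observations, and then matches a set of constructed sample observations; it also flags any URL whose host is one of the listed C&C addresses even when the path is not in the list. The sample observations, the hash/ip/url grouping and the assumption that 64-hex-character digests are SHA-256 and 32-character ones MD5 are ours, not the advisory's.

```python
import re
from urllib.parse import urlparse

# Indicators copied from the advisory's IOC list. The grouping into
# hash / ip / url is ours. The legitimate Telegram installer hash is omitted
# on purpose: it identifies clean software and must not be treated as a hit.
# The page lists the same hash for ojbk.exe and rundll3222.exe, so one entry
# carries both names.
ADVISORY_IOCS = {
    "hash": {
        "41769d751fa735f253e96a02d0cccadfec8c7298666a4caa5c9f90aaa826ecd1": "Telegram Desktop.exe",
        "BAE1270981C0A2D595677A7A1FEFE8087B07FFEA061571D97B5CD4C0E3EDB6E0": "TextInputh.exe",
        "797a8063ff952a6445c7a32b72bd7cd6837a3a942bbef01fc81ff955e32e7d0c": "1.rar",
        "07ad4b984f288304003b080dd013784685181de4353a0b70a0247f96e535bd56": "7zz.exe",
        "26487eff7cb8858d1b76308e76dfe4f5d250724bbc7e18e69a524375cee11fe4": "360.tct",
        "b5128b709e21c2a4197fcd80b072e7341ccb335a5decbb52ef4cee2b63ad0b3e": "ojbk.exe / rundll3222.exe",
        "0937955FD23589B0E2124AFEEC54E916": "svchost.txt",
        "e2c463ac2d147e52b5a53c9c4dea35060783c85260eaac98d0aaeed2d5f5c838": "Calldriver.exe",
        "638fa26aea7fe6ebefe398818b09277d01c4521a966ff39b77035b04c058df60": "Driver.sys",
        "4bdfa7aa1142deba5c6be1d71c3bc91da10c24e4a50296ee87bf2b96c731b7fa": "dll.dll",
        "24BCBB228662B91C6A7BBBCB7D959E56": "kill.bat",
        "599DBAFA6ABFAF0D51E15AEB79E93336": "speedmem2.hg",
    },
    "ip": {
        "193.164.223[.]77": "C&C Server - 2nd stage",
        "144.48.243[.]79": "C&C Server - Last Stage",
    },
    "url": {
        "hxxp://193.164.223[.]77:7456/h?=1640618495": "Contains 1.rar file",
        "hxxp://193.164.223[.]77:7456/77": "Contains 7zz.exe file",
        "hxxp://144.48.243[.]79:17674/C558B828.Png": "Purple Fox Rootkit",
    },
}


def refang(value: str) -> str:
    """Undo defanging (hxxp, [.]) and fold case so both sides compare equal."""
    v = value.strip()
    v = v.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    v = re.sub(r"^hxxp(s?)://", r"http\1://", v, flags=re.IGNORECASE)
    return v.lower()


def hash_kind(value: str):
    """Classify a hex digest by length. Assumption: 64 hex chars = SHA-256,
    32 hex chars = MD5; anything else is not a usable hash indicator."""
    v = value.strip().lower()
    if re.fullmatch(r"[0-9a-f]{64}", v):
        return "sha256"
    if re.fullmatch(r"[0-9a-f]{32}", v):
        return "md5"
    return None


# Normalised lookup table keyed by (indicator kind, refanged value).
INDEX = {
    (kind, refang(raw)): desc
    for kind, entries in ADVISORY_IOCS.items()
    for raw, desc in entries.items()
}


def match_observation(kind: str, value: str):
    """Return [(indicator kind, description)] for one observed hash, IP or URL.
    A URL is additionally checked by host against the IP indicators, so that
    contact with a listed C&C address is flagged even when the path differs."""
    norm = refang(value)
    hits = []
    if (kind, norm) in INDEX:
        hits.append((kind, INDEX[(kind, norm)]))
    if kind == "url":
        host = urlparse(norm).hostname or ""
        if ("ip", host) in INDEX:
            hits.append(("ip", INDEX[("ip", host)]))
    return hits


# Constructed sample observations (not real telemetry): hashes as an EDR
# might report them and destinations as they would appear in a proxy log.
SAMPLE_OBSERVATIONS = [
    ("hash", "41769D751FA735F253E96A02D0CCCADFEC8C7298666A4CAA5C9F90AAA826ECD1"),
    ("hash", "d41d8cd98f00b204e9800998ecf8427e"),  # MD5 of an empty file, benign
    ("url", "http://193.164.223.77:7456/77"),
    ("url", "http://193.164.223.77:7456/not-in-the-list"),
    ("ip", "203.0.113.10"),  # RFC 5737 documentation address, no hit expected
]


def scan(observations):
    """Map each observation to its list of hits; an empty list means clean."""
    return {obs: match_observation(*obs) for obs in observations}


if __name__ == "__main__":
    for (kind, value), hits in scan(SAMPLE_OBSERVATIONS).items():
        extra = f" ({hash_kind(value)})" if kind == "hash" else ""
        print(f"{'MATCH' if hits else 'clean':5} {kind:4} {value}{extra} {hits}")
```

Feeding real EDR or proxy exports into `scan` only requires producing `(kind, value)` tuples; the host-level URL check is what makes a proxy log useful here, since the exact download paths in the advisory carry a timestamp-like query string that later retrievals are unlikely to repeat.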