Multiple malicious installers were delivering the same Purple Fox rootkit version using the same attack chain, possibly distributed via email or phishing sites.

A malicious Telegram instant-messaging app installer scurries past a slew of antivirus (AV) engines to deliver Purple Fox malware, evading detection by separating the attack into bite-sized morsels that fly under the radar.

In a Monday report, Minerva Labs said that the attack evades detection by AV products from the likes of Avira, ESET, Kaspersky, McAfee, Panda, Trend Micro, Symantec and many more.

“We have often observed threat actors using legitimate software for dropping malicious files,” analysts wrote. “This time however is different. This threat actor was able to leave most parts of the attack under the radar by separating the attack into several small files, most of which had very low detection rates by AV engines, with the final stage leading to Purple Fox rootkit infection.”


The malicious installer, bearing the familiar Telegram icon of a white paper plane, is actually a compiled AutoIt script called “Telegram Desktop.exe.” The installer creates a new folder named “TextInputh” under C:\Users\Username\AppData\Local\Temp. It drops two files into the folder: an actual Telegram installer (which isn’t executed), and a malicious downloader, TextInputh.exe.



Files dropped by compiled AutoIT. Source: Minerva Labs.

The malicious downloader, TextInputh.exe, creates a new folder named “1640618495” under the C:\Users\Public\Videos directory. In the next stage of the attack, the executable contacts a command-and-control (C2) server – a C2 that was already down at the time of investigation – and downloads two files to the new folder: a legitimate 7z archiver and a RAR archive (1.rar).

The 1.rar archive contains the payload and the configuration files, as shown in the image below. The 7z program unpacks everything into the ProgramData folder.


Files contained in 1.rar. Source: Minerva Labs.

TextInputh.exe then performs these actions on infected machines:

  • Copies 360.tct (renamed to “360.dll”), rundll3222.exe and svchost.txt to the ProgramData folder
  • Executes ojbk.exe with the “ojbk.exe -a” command line
  • Deletes 1.rar and 7zz.exe and exits the process

Source: Minerva Labs.

Next, a registry key is created for persistence, a DLL (rundll3222.dll) disables Microsoft’s User Account Control (UAC), a security control that inhibits malware, the payload (svchost.txt) is executed, and these five additional files are dropped onto the infected system:

  1. Calldriver.exe
  2. Driver.sys
  3. dll.dll
  4. kill.bat
  5. speedmem2.hg
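
The staged chain above (a dropper in a Temp\TextInputh folder, a numeric staging folder under Public\Videos, the “ojbk.exe -a” launch, and components landing in ProgramData) gives a defender several behaviours to alert on even when each file on its own scores low with AV engines. The following detector is an added example and is not code from the article or from Minerva Labs: it parses constructed process-creation log lines in an assumed “timestamp|image|cmdline|parent” format and flags events that match the file names and locations the article describes. The log format, the sample lines and the 7z command line are assumptions made for this example.

```python
"""Added example: flag the dropper behaviours described in the article in
process-creation logs. The log format, sample events and rule names are
constructed for this example; the file and folder names come from the article."""
import re
from dataclasses import dataclass

# Constructed sample log, one event per line: "ts|image|cmdline|parent".
# The 7z extraction command line is an assumption, not taken from the report.
SAMPLE_LOG = """\
2022-01-03T10:00:01|C:\\Users\\alice\\Downloads\\Telegram Desktop.exe|"Telegram Desktop.exe"|explorer.exe
2022-01-03T10:00:02|C:\\Users\\alice\\AppData\\Local\\Temp\\TextInputh\\TextInputh.exe|TextInputh.exe|Telegram Desktop.exe
2022-01-03T10:00:05|C:\\Users\\Public\\Videos\\1640618495\\7zz.exe|7zz.exe x 1.rar -oC:\\ProgramData|TextInputh.exe
2022-01-03T10:00:07|C:\\ProgramData\\ojbk.exe|ojbk.exe -a|TextInputh.exe
2022-01-03T10:01:00|C:\\Program Files\\Telegram Desktop\\Telegram.exe|Telegram.exe|explorer.exe
"""

# File names the article attributes to the dropper and its later stages.
DROPPED_NAMES = {
    "textinputh.exe", "7zz.exe", "1.rar", "ojbk.exe", "360.tct", "360.dll",
    "rundll3222.exe", "rundll3222.dll", "svchost.txt", "calldriver.exe",
    "driver.sys", "dll.dll", "kill.bat", "speedmem2.hg",
}

# Staging locations from the article: Temp\TextInputh, Public\Videos\<digits>, ProgramData.
STAGING_DIRS = [
    re.compile(r"\\AppData\\Local\\Temp\\TextInputh\\", re.I),
    re.compile(r"\\Users\\Public\\Videos\\\d+\\", re.I),
    re.compile(r"^C:\\ProgramData\\", re.I),
]

OJBK_LAUNCH = re.compile(r"\bojbk\.exe\s+-a\b", re.I)


@dataclass
class Event:
    ts: str
    image: str
    cmdline: str
    parent: str


def parse_line(line):
    """Split one constructed log line into an Event."""
    ts, image, cmdline, parent = line.rstrip("\n").split("|", 3)
    return Event(ts, image, cmdline, parent)


def basename(path):
    """Last path component, lower-cased, for case-insensitive name matching."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(event):
    """Return the list of rule names an event triggers (empty if benign)."""
    hits = []
    name = basename(event.image)
    if name in DROPPED_NAMES and any(p.search(event.image) for p in STAGING_DIRS):
        hits.append(f"known dropper component {name} in staging dir")
    if OJBK_LAUNCH.search(event.cmdline):
        hits.append("ojbk.exe -a launch")
    if basename(event.parent) == "textinputh.exe":
        hits.append("child of TextInputh.exe downloader")
    return hits


def scan(text):
    """Run every rule over a log text; return (ts, image name, hits) for flagged events."""
    flagged = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        hits = detect(event)
        if hits:
            flagged.append((event.ts, basename(event.image), hits))
    return flagged


if __name__ == "__main__":
    for ts, image, hits in scan(SAMPLE_LOG):
        print(ts, image, "->", "; ".join(hits))
```

Run against the sample, the three middle events are flagged and the genuine Telegram process and the initial download are not; the parent-process rule is what ties the 7z extraction and the ojbk.exe launch back to the downloader, which is the relationship a per-file AV verdict cannot see.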

UAC is a Windows security feature designed to prevent changes to an operating system by unauthorized users, applications or malware. Bypassing UAC is a key function that’s regularly coded into malware. With UAC out of the picture, any programs that run on an infected system – including viruses and malware – are free to gain administrator privileges.

Small Files Cluster-Block 360 AV

The five files that fly under the radar “work together to shut down and block the initiation of 360 AV processes from the kernel space, thus allowing the next stage attack tools (Purple Fox rootkit, in our case) to run without being detected,” according to Minerva Labs’ writeup.

“The beauty of this attack is that every stage is separated into a different file, which is useless without the entire file set,” according to the report. “This helps the attacker protect his files from AV detection.”

After blocking 360 AV, the malware then gathers the following list of system information, checks to see if a long list of security tools are running, and, finally, sends all the information to a hardcoded C2 address.

  1. Hostname
  2. CPU – by retrieving a value of HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor