[MART] - Daily Diary #424 - New Campaign Delivers Purple Fox Through Fake Telegram Installer

CTAS-MAT ctas-mat at appgate.com
Tue Jan 4 20:58:47 UTC 2022


Hello,
I hope everyone is doing well!

Below is the entry for today.

04/01/2021 - Diary entry #424

First discovered in 2018, Purple Fox is a rootkit/backdoor built to compromise a system, escalate privileges, establish persistence, and stealthily receive commands from a C&C server. Purple Fox installs a driver and modifies several system files in order to hide its own files and network connections and to block AV processes from starting.

This week a new Purple Fox campaign was found that uses a tampered Telegram installer to attack Windows systems.

In this campaign, the malware dropper is delivered through a fake Telegram installer. The file, named Telegram desktop.exe, creates a directory under the user's temporary folder and drops the real Telegram installer there, along with an AutoIt downloader. The AutoIt downloader retrieves more files from a C&C server, Purple Fox being one of them. What is curious about this behavior is the number of files downloaded: because the malware's functionality is spread across several files, it is harder for AV solutions to detect all the samples and block all of the functionality.

To be protected against this kind of attack, always double-check any downloaded installer before executing it, making sure it is signed by a trusted entity (in this case, Telegram itself).
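One way to put that check into practice on a Windows workstation is to verify the Authenticode signature of the downloaded file and confirm that the signer is the publisher you expect, rather than only checking that some signature is present. The script below is an added example written for this diary entry; it is not code from the MART post or from Appgate. The expected-subject pattern is an assumption and should be replaced with the signer subject taken from a known-good copy of the installer.

```powershell
# Added example (not from the MART post): verify the Authenticode signature of a
# downloaded installer and check that the signer matches the expected publisher.
# The default subject pattern is an assumed placeholder, not a verified certificate CN.
param(
    [Parameter(Mandatory = $true)][string]$Path,
    [string]$ExpectedSubjectPattern = 'Telegram'   # assumption: replace with the real signer subject
)

function Test-InstallerSignature {
    param([string]$FilePath, [string]$SubjectPattern)

    if (-not (Test-Path -LiteralPath $FilePath)) {
        return [pscustomobject]@{ File = $FilePath; Trusted = $false; Reason = 'file not found' }
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $FilePath

    # Status is 'Valid' only when the signature verifies and the certificate chains
    # to a trusted root; 'NotSigned' and 'HashMismatch' both end up here.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ File = $FilePath; Trusted = $false; Reason = "signature status: $($sig.Status)" }
    }

    $subject = $sig.SignerCertificate.Subject

    # A valid signature from the wrong publisher is still a red flag: a dropper can be
    # signed, just not by the vendor whose software it claims to be.
    if ($subject -notmatch $SubjectPattern) {
        return [pscustomobject]@{ File = $FilePath; Trusted = $false; Reason = "unexpected signer: $subject" }
    }

    return [pscustomobject]@{ File = $FilePath; Trusted = $true; Reason = "signed by $subject" }
}

$result = Test-InstallerSignature -FilePath $Path -SubjectPattern $ExpectedSubjectPattern
$result | Format-List

# A non-zero exit code lets a wrapper script refuse to launch an installer that fails the check.
if (-not $result.Trusted) { exit 1 }
```

Run it as `.\Check-Installer.ps1 -Path "$env:USERPROFILE\Downloads\Telegram desktop.exe"` before launching the file. The two failure branches are deliberately separate: an unsigned or tampered file fails on signature status, while a file that carries a valid signature from an unrelated publisher fails on the subject check, which is the case a simple "is it signed?" test would miss.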

Kind Regards,





Felipe Duarte Domingues
Security Researcher
Appgate

E: felipe.duarte at appgate.com
O: +55 19 98840 2509
