
A malicious Telegram for Desktop installer distributes the Purple Fox malware to install additional malicious payloads on infected devices.
The installer is a compiled AutoIt script named “Telegram Desktop.exe” that drops two files: an actual Telegram installer and a malicious downloader.
While the official Telegram installer dropped alongside the downloader is not executed, the AutoIt program does run the downloader (TextInputh.exe).

Source: Minerva Labs
When TextInputh.exe is executed, it creates a new folder (“1640618495”) under “C:\Users\Public\Videos” and connects to the C2 to download a 7z utility and a RAR archive (1.rar).
The archive contains the payload and the configuration files, while the 7z program unpacks everything into the ProgramData folder.
As detailed in an analysis by Minerva Labs, TextInputh.exe performs the following actions on the compromised machine:
- Copies 360.tct under the name “360.dll”, rundll3222.exe, and svchost.txt to the ProgramData folder
- Executes ojbk.exe with the “ojbk.exe -a” command line
- Deletes 1.rar and 7zz.exe and exits the process

Source: Minerva Labs
Next, a registry key is created for persistence, a DLL (rundll3222.dll) disables UAC, the payload (scvhost.txt) is executed, and the following five additional files are dropped onto the infected system:
- Calldriver.exe
- Driver.sys
- dll.dll
- kill.bat
- speedmem2.hg
The purpose of these extra files is to collectively block the initiation of 360 AV processes and prevent the detection of Purple Fox on the compromised machine.
The next step for the malware is to collect basic system information, check if any security tools are running on it, and finally send all that to a hardcoded C2 address.
Once this reconnaissance process is complete, Purple Fox is downloaded from the C2 in the form of an .msi file that contains encrypted shellcode for both 32- and 64-bit systems.
Upon execution of Purple Fox, the infected machine will be restarted for the new registry settings to take effect, most importantly the disabled User Account Control (UAC).
To achieve this, the dll.dll file sets the following three registry values to 0:
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop

Source: Minerva Labs
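A defender-side check for the registry tampering described above, added here as an example (it is not code from this article or from the Minerva Labs analysis): the script parses a Regedit-style export and reports which of the three UAC policy values have been zeroed. The export in `SAMPLE_REG` is constructed to resemble a host after dll.dll has run.

```python
import re

# Policy key the article says dll.dll modifies (the standard Windows UAC policy location).
UAC_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
# The three values the article reports being set to 0; 0 means UAC off / no prompt.
UAC_VALUES = ("ConsentPromptBehaviorAdmin", "EnableLUA", "PromptOnSecureDesktop")

# Constructed Regedit export resembling a tampered host (not a real capture).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:00000000
"EnableLUA"=dword:00000000
"PromptOnSecureDesktop"=dword:00000000
"dontdisplaylastusername"=dword:00000000
'''

# Matches '"Name"=dword:XXXXXXXX' or '"Name"="string"' lines of a .reg file.
_VALUE_RE = re.compile(r'"([^"]+)"=(dword:[0-9a-fA-F]{8}|"[^"]*")$')


def parse_reg_export(text):
    """Parse a Regedit-style export into {key_path: {value_name: int | str}}.

    Only DWORD and plain string values are handled; other value types are skipped.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, val = m.groups()
            keys[current][name] = int(val[6:], 16) if val.startswith("dword:") else val.strip('"')
    return keys


def audit_uac(keys):
    """Return the UAC policy value names that are explicitly set to 0 (weakened)."""
    system = keys.get(UAC_KEY, {})
    return [name for name in UAC_VALUES if system.get(name) == 0]


if __name__ == "__main__":
    weakened = audit_uac(parse_reg_export(SAMPLE_REG))
    print("UAC values zeroed:", weakened or "none")
```

On a real host the input can be produced with `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" uac.reg`; that file is UTF-16, so open it with `encoding="utf-16"` before passing it to `parse_reg_export`.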
Disabling or bypassing UAC is important because it gives any program that runs on the infected system, including viruses and malware, administrator privileges.
Typically, UAC prevents the unauthorized installation of apps or the altering of system settings, so it should stay active on Windows at all times.
Disabling it allows Purple Fox to perform malicious functions such as file search and exfiltration, process killing, deletion of data, downloading and running code, and even worming to other Windows systems.
At the moment, it’s unknown how the malware is being distributed, but similar malware campaigns impersonating legitimate software have been distributed via YouTube videos, forum spam, and shady software sites.
