Beware of fake Telegram Messenger App Hacking PCs with Purple Fox Malware


Trojanized installers of the Telegram messaging app are being used to deploy the Windows-based Purple Fox backdoor on compromised systems. That’s according to new research published by Minerva Labs, which describes the attack as different from intrusions that typically exploit legitimate software to drop malicious payloads.

“This threat actor was able to break the attack into many small files and keep most of the attack under the radar, as most of those files had very low detection rates by [antivirus] engines; the last step is the Purple Fox rootkit infection,” said researcher Natalie Zargarov.

First discovered in 2018, Purple Fox comes with rootkit capabilities that allow the malware to be planted out of reach of security solutions and evade detection. Guardicore’s March 2021 report details its worm-like propagation capabilities, which enable the backdoor to spread more quickly.

Then, in October 2021, Trend Micro researchers discovered a .NET implant dubbed FoxSocket, deployed alongside Purple Fox, that uses WebSockets to communicate with its command-and-control (C2) servers as a more secure means of establishing communication.

“The capabilities of the Purple Fox rootkit enable it to achieve its goals more secretly,” the researchers noted. “They allow Purple Fox to continue on the affected systems and deliver additional payloads to the affected systems.”

Last but not least, in December 2021, Trend Micro also highlighted the later stages of the Purple Fox infection chain, which target SQL databases by introducing malicious SQL Common Language Runtime (CLR) modules to achieve persistent and covert execution and ultimately abuse SQL servers for illicit cryptocurrency mining.


The new attack chain observed by Minerva begins with the Telegram installer file, an AutoIt script that drops a legitimate installer for the chat application together with a malicious downloader named “TextInputh.exe”, which is executed to retrieve the next-stage malware from a C2 server.

The downloaded files then block the processes associated with various antivirus engines before proceeding to the final stage: downloading and running the Purple Fox rootkit from a remote server that has since been shut down. “… installers that deliver a similar version of the Purple Fox rootkit using the same attack chain,” Zargarov said.

“Some appear to have been delivered via email, while others, we assume, were downloaded from phishing websites. The beauty of this attack is that each stage is separated into a different file, which is useless without the complete set of files.”
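A defender's view of the chain described above, added here as an illustration that is not part of the Minerva research or the original article: it reconstructs process lineage from constructed Sysmon-style process-creation events and flags the pattern of an installer spawning both a legitimate Telegram binary and the “TextInputh.exe” downloader, then lists what that downloader went on to spawn. The event layout, the paths and the `taskkill.exe` child are all assumptions for the sample.

```python
# Constructed process-creation events (pid, parent pid, image path); not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Users\u\Downloads\Telegram Desktop.exe"},
    {"pid": 101, "ppid": 100, "image": r"C:\Users\u\AppData\Local\Temp\Telegram.exe"},
    {"pid": 102, "ppid": 100, "image": r"C:\Users\u\AppData\Local\Temp\TextInputh.exe"},
    # Hypothetical child: the article only says AV processes get blocked, not how.
    {"pid": 103, "ppid": 102, "image": r"C:\Windows\System32\taskkill.exe"},
    # Benign noise: a normally launched Telegram client.
    {"pid": 200, "ppid": 1,   "image": r"C:\Windows\explorer.exe"},
    {"pid": 201, "ppid": 200, "image": r"C:\Program Files\Telegram Desktop\Telegram.exe"},
]

# Downloader file name quoted in the Minerva research on this page.
DOWNLOADER_NAME = "textinputh.exe"


def basename(path: str) -> str:
    """Case-insensitive file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_dropper_chains(events):
    """Return one alert per TextInputh.exe process: its parent, siblings and descendants.

    A sibling that is itself a Telegram binary matches the decoy-plus-downloader
    pattern the article describes; descendants show the follow-on stages.
    """
    by_pid = {e["pid"]: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e)

    alerts = []
    for e in events:
        if basename(e["image"]) != DOWNLOADER_NAME:
            continue
        parent = by_pid.get(e["ppid"])
        siblings = [c for c in children.get(e["ppid"], []) if c["pid"] != e["pid"]]
        descendants, stack = [], list(children.get(e["pid"], []))
        while stack:  # depth-first walk of everything the downloader spawned
            c = stack.pop()
            descendants.append(c)
            stack.extend(children.get(c["pid"], []))
        alerts.append({
            "downloader_pid": e["pid"],
            "parent_image": basename(parent["image"]) if parent else None,
            "decoy_installer_seen": any("telegram" in basename(s["image"]) for s in siblings),
            "descendant_images": [basename(d["image"]) for d in descendants],
        })
    return alerts
```

Real deployments would feed this from Sysmon Event ID 1 or EDR process telemetry rather than an inline list.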

Source: The Hacker News
