Fake Malicious Telegram Messenger App Spotted
A fake Telegram Messenger app has been discovered that is being used to hack PCs with the Purple Fox Malware.
The Purple Fox backdoor is being distributed to compromised PCs via trojanized Telegram installers, according to The Hacker News.
As Minerva Labs explains in a new report, this type of attack differs from other intrusions that often abuse legitimate software to drop harmful payloads.
In October 2021, Trend Micro researchers identified a .NET implant associated with Purple Fox known as FoxSocket, which communicates with its command-and-control (C2) servers over WebSockets.
In December 2021, Trend Micro revealed the final stages of the Purple Fox infection chain, which targeted SQL databases by inserting a malicious SQL common language runtime (CLR) module in order to achieve persistent and stealthy execution and ultimately abuse the SQL servers for illicit cryptocurrency mining.
Purple Fox was first discovered in 2018 and has rootkit characteristics that allow it to evade detection and remain undiscovered by anti-virus software. According to a Guardicore study published in March 2021, the backdoor's worm-like propagation capability allows it to spread faster than other backdoors.
The malware developer was able to conceal most of the attack
Minerva has found an attack chain that begins with a Telegram installer file and ends with a malicious downloader named "TextInputh.exe," which uses an AutoIt script to download additional malware from the C2 server. This is the first time that Minerva has observed such an attack chain.
The downloaded files then interfere with processes associated with various antivirus engines before downloading and executing the Purple Fox rootkit from a remote server that is no longer available.
Cybersecurity researcher Natalie Zargov said, "This threat actor was able to leave most parts of the attack under the radar by separating the attack into several small files, most of which had very low detection rates by AV engines, with the final stage leading to Purple Fox rootkit infection."