Threat actors often add malware to software installers, so it is no surprise that researchers at Minerva Labs have discovered installers for legitimate software being used to deliver the Purple Fox rootkit. What makes this campaign different is that the techniques used allow the threat actors to evade most AV engines: most of the attack stays under the radar and has low detection rates.
The Purple Fox rootkit was first identified in 2018 and has undergone several updates over the years. The latest variants of the rootkit have worm capabilities and include a robust backdoor. A variety of methods have been used in the past for delivering the malware, including exploit kits, phishing emails, and malicious links. More recently, the attack vectors have been expanded to include exposed SMB services and compromising vulnerable Internet-facing services. Now the rootkit is being delivered disguised as an installer for the popular Telegram instant messaging service.
The researchers, working with MalwareHunterTeam, identified large numbers of malicious Telegram installers named Telegram Desktop.exe that were being used in the campaign. The installer is a compiled AutoIt script. If executed, it drops a legitimate Telegram installer, which is never run, creates a folder named TextInputh, and delivers a malicious downloader named TextInputh.exe that is used for the next stage of the attack.
TextInputh.exe creates a folder named 1640618495 in the C:\Users\Public\Videos\ directory, then a connection is made to the command-and-control server and two files are downloaded to the folder – an archive called 1.rar and a legitimate 7z archiver called 7zz.exe. The RAR file contains the files for the next stage of the attack, and the 7zz.exe archiver is used to unarchive the 1.rar file and reflectively load a malicious DLL file.
A registry key is then created for persistence and five files are dropped in the ProgramData folder – calldriver.exe, driver.sys, dll.dll, kill.bat, and speedmem2.hg. These perform several functions, such as shutting down security processes, including the Microsoft User Account Control (UAC) security control, and blocking the initiation of 360 AV processes from kernel space, ahead of the Purple Fox rootkit being delivered.
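As an added defender-side example (not code from the Minerva Labs write-up), the following Python function checks file-creation events against the file names and paths described in the chain above, requiring several of the ProgramData drops from one process before flagging them. The sample events are constructed; the temp location of the TextInputh folder and the process names that perform each drop are assumptions.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Artifact names taken from the chain described in the article.
STAGE2_DROPPER = "textinputh.exe"
STAGE3_PAYLOADS = {"1.rar", "7zz.exe"}
PROGRAMDATA_DROPS = {"calldriver.exe", "driver.sys", "dll.dll", "kill.bat", "speedmem2.hg"}
# Numeric (epoch-like) staging folder under Public\Videos; the sample used 1640618495.
VIDEOS_STAGING = re.compile(r"^c:\\users\\public\\videos\\\d{6,}$")

def scan_file_events(events):
    """events: iterable of (process_name, created_path) file-creation records.
    Returns a list of (indicator, process_name, path) tuples."""
    hits = []
    programdata_by_proc = defaultdict(set)
    for proc, path in events:
        p = PureWindowsPath(path)
        name = p.name.lower()
        parent = str(p.parent).lower()
        if name == STAGE2_DROPPER and p.parent.name.lower() == "textinputh":
            hits.append(("stage2 dropper TextInputh\\TextInputh.exe", proc, path))
        elif name in STAGE3_PAYLOADS and VIDEOS_STAGING.match(parent):
            hits.append(("stage3 archive/7zz.exe in Public\\Videos staging folder", proc, path))
        elif name in PROGRAMDATA_DROPS and parent == r"c:\programdata":
            programdata_by_proc[proc].add(name)
    # Any one of these names could be benign on its own; require most of the set
    # to be written by the same process before raising an indicator.
    for proc, names in programdata_by_proc.items():
        if len(names) >= 3:
            hits.append(("ProgramData tool set: " + ", ".join(sorted(names)), proc, r"C:\ProgramData"))
    return hits

# Constructed sample events (process name, path); locations below are assumed.
SAMPLE_EVENTS = [
    ("Telegram Desktop.exe", r"C:\Users\alice\AppData\Local\Temp\TextInputh\TextInputh.exe"),
    ("TextInputh.exe", r"C:\Users\Public\Videos\1640618495\1.rar"),
    ("TextInputh.exe", r"C:\Users\Public\Videos\1640618495\7zz.exe"),
    ("7zz.exe", r"C:\ProgramData\calldriver.exe"),
    ("7zz.exe", r"C:\ProgramData\driver.sys"),
    ("7zz.exe", r"C:\ProgramData\dll.dll"),
    ("7zz.exe", r"C:\ProgramData\kill.bat"),
    ("7zz.exe", r"C:\ProgramData\speedmem2.hg"),
    ("explorer.exe", r"C:\Users\alice\Downloads\1.rar"),  # benign: wrong location
    ("setup.exe", r"C:\ProgramData\dll.dll"),             # benign: single name only
]

if __name__ == "__main__":
    for indicator, proc, path in scan_file_events(SAMPLE_EVENTS):
        print(f"{indicator}: {proc} -> {path}")
```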
“The beauty of this attack is that every stage is separated into a different file, which is useless without the entire file set,” explained the researchers. “This helps the attacker protect his files from AV detection.” What is not clear is how the installers are being delivered. It is likely a combination of phishing emails and malicious websites.