Purple Fox Develops Complex Attack Chain for Persistence

Phones, Internet, Computers and such.
techietraveller84
Expatriate
Posts: 346
Joined: Wed Jan 08, 2020 10:04 pm
Reputation: 111
United States of America

Purple Fox Develops Complex Attack Chain for Persistence

Post by techietraveller84 »

https://cyware.com/news/purple-fox-deve ... e-1791b82e

Purple Fox malware is being spread using a malicious Telegram application for Desktop users. The malware is a rootkit used to install additional malicious payloads on compromised devices.

What has happened?
According to researchers, the attackers compiled the installer with the AutoIt script Telegram Desktop[.]exe.

The script drops two files including an actual Telegram installer and a malicious downloader. The genuine installer of Telegram dropped along with the downloader isn't executed.
The researchers discovered that a large number of malicious installers deliver the same Purple Fox version using the same attack chain.
Some were believed to be spreading using email, while others were probably downloaded from phishing websites.

A complex chain of actions

When the AutoIT program runs the downloader (TextInputh[.]exe), it creates a new folder (1640618495) at the location at C:\Users\Public\Videos\ and then connects to a C2 for downloading RAR archive (1[.]rar) and 7z utility.
The archive includes the payload and configuration files.
The 7z program unloads everything at the ProgramData folder and, further, performs a chain of actions, creating and deleting several files.

Attaining persistence
For persistence, it performs several additional tasks. A registry key is created, a DLL (rundll3222[.]dll) disables the UAC, a payload (scvhost[.]txt) is executed, and five additional files are dropped.

The additional five files, identified as Calldriver[.]exe, Driver[.]sys, dll[.]dll, kill[.]bat, and speedmem2[.]hg, block antivirus processes and stop the detection of Purple Fox on the infected machine.
Subsequently, the malware gathers basic system information, checks running security tools, and sends all stolen information to a hardcoded C2 address.
Post-reconnaissance, Purple Fox is downloaded from the C2 in the form of a .msi file that includes encrypted shellcode for both 64 and 32-bit systems.
While the malware runs, the compromised machine is restarted for the newly added registry settings to take effect, which includes the disabled User Account Control (UAC).

Conclusion
The attackers behind Purple Fox are using legitimate software to drop malicious files via a sophisticated chain of attacks. By splitting the entire operation into smaller phases and creating a dependency on different files for each phase allow this attack to stay undetected from security radars.
mannanman
Expatriate
Posts: 643
Joined: Sun Jun 13, 2021 4:52 pm
Reputation: 234
Austria

Re: Purple Fox Develops Complex Attack Chain for Persistence

Post by mannanman »

I wonder if any of these hackers have had relationships outside their own family?
Snowflakes everywhere.
Post Reply Previous topicNext topic
  • Similar Topics
    Replies
    Views
    Last post

Who is online

Users browsing this forum: lurcio and 90 guests