Purple Fox Develops Complex Attack Chain for Persistence
-
techietraveller84
- Expatriate
- Posts: 567
- Joined: Wed Jan 08, 2020 10:04 pm
- Reputation: 167
Purple Fox Develops Complex Attack Chain for Persistence
https://cyware.com/news/purple-fox-deve ... e-1791b82e
Purple Fox malware is being spread using a malicious Telegram application for Desktop users. The malware is a rootkit used to install additional malicious payloads on compromised devices.
What has happened?
According to researchers, the attackers compiled the installer with the AutoIt script Telegram Desktop[.]exe.
The script drops two files including an actual Telegram installer and a malicious downloader. The genuine installer of Telegram dropped along with the downloader isn't executed.
The researchers discovered that a large number of malicious installers deliver the same Purple Fox version using the same attack chain.
Some were believed to be spreading using email, while others were probably downloaded from phishing websites.
A complex chain of actions
When the AutoIT program runs the downloader (TextInputh[.]exe), it creates a new folder (1640618495) at the location at C:\Users\Public\Videos\ and then connects to a C2 for downloading RAR archive (1[.]rar) and 7z utility.
The archive includes the payload and configuration files.
The 7z program unloads everything at the ProgramData folder and, further, performs a chain of actions, creating and deleting several files.
Attaining persistence
For persistence, it performs several additional tasks. A registry key is created, a DLL (rundll3222[.]dll) disables the UAC, a payload (scvhost[.]txt) is executed, and five additional files are dropped.
The additional five files, identified as Calldriver[.]exe, Driver[.]sys, dll[.]dll, kill[.]bat, and speedmem2[.]hg, block antivirus processes and stop the detection of Purple Fox on the infected machine.
Subsequently, the malware gathers basic system information, checks running security tools, and sends all stolen information to a hardcoded C2 address.
Post-reconnaissance, Purple Fox is downloaded from the C2 in the form of a .msi file that includes encrypted shellcode for both 64 and 32-bit systems.
While the malware runs, the compromised machine is restarted for the newly added registry settings to take effect, which includes the disabled User Account Control (UAC).
Conclusion
The attackers behind Purple Fox are using legitimate software to drop malicious files via a sophisticated chain of attacks. By splitting the entire operation into smaller phases and creating a dependency on different files for each phase allow this attack to stay undetected from security radars.
Purple Fox malware is being spread using a malicious Telegram application for Desktop users. The malware is a rootkit used to install additional malicious payloads on compromised devices.
What has happened?
According to researchers, the attackers compiled the installer with the AutoIt script Telegram Desktop[.]exe.
The script drops two files including an actual Telegram installer and a malicious downloader. The genuine installer of Telegram dropped along with the downloader isn't executed.
The researchers discovered that a large number of malicious installers deliver the same Purple Fox version using the same attack chain.
Some were believed to be spreading using email, while others were probably downloaded from phishing websites.
A complex chain of actions
When the AutoIT program runs the downloader (TextInputh[.]exe), it creates a new folder (1640618495) at the location at C:\Users\Public\Videos\ and then connects to a C2 for downloading RAR archive (1[.]rar) and 7z utility.
The archive includes the payload and configuration files.
The 7z program unloads everything at the ProgramData folder and, further, performs a chain of actions, creating and deleting several files.
Attaining persistence
For persistence, it performs several additional tasks. A registry key is created, a DLL (rundll3222[.]dll) disables the UAC, a payload (scvhost[.]txt) is executed, and five additional files are dropped.
The additional five files, identified as Calldriver[.]exe, Driver[.]sys, dll[.]dll, kill[.]bat, and speedmem2[.]hg, block antivirus processes and stop the detection of Purple Fox on the infected machine.
Subsequently, the malware gathers basic system information, checks running security tools, and sends all stolen information to a hardcoded C2 address.
Post-reconnaissance, Purple Fox is downloaded from the C2 in the form of a .msi file that includes encrypted shellcode for both 64 and 32-bit systems.
While the malware runs, the compromised machine is restarted for the newly added registry settings to take effect, which includes the disabled User Account Control (UAC).
Conclusion
The attackers behind Purple Fox are using legitimate software to drop malicious files via a sophisticated chain of attacks. By splitting the entire operation into smaller phases and creating a dependency on different files for each phase allow this attack to stay undetected from security radars.
Re: Purple Fox Develops Complex Attack Chain for Persistence
I wonder if any of these hackers have had relationships outside their own family?
People of the world, spice up your life.
-
- Similar Topics
- Replies
- Views
- Last post
-
- 0 Replies
- 1557 Views
-
Last post by CEOCambodiaNews
-
- 5 Replies
- 1842 Views
-
Last post by SternAAlbifrons
-
- 10 Replies
- 3308 Views
-
Last post by pissontheroof
-
- 4 Replies
- 1932 Views
-
Last post by andy1
-
- 23 Replies
- 8435 Views
-
Last post by Shazza
-
- 12 Replies
- 1402 Views
-
Last post by John Bingham
-
- 0 Replies
- 5513 Views
-
Last post by CEOCambodiaNews
Who is online
Users browsing this forum: No registered users and 333 guests