The creators of the Purple Fox malware have upgraded their arsenal with a new version of a remote access trojan named FatalRAT, and have also improved its evasion techniques for bypassing security software.
“Users’ machines are targeted via trojanized software packages masquerading as legitimate application installers,” said the Trend Micro researchers in a recently published report. “The installers are actively distributed online to trick users and increase the overall botnet infrastructure.”
The findings build on earlier Minerva Labs research that revealed a similar method of distributing the backdoor via fake Telegram apps. Other impersonated installers include Adobe Flash Player, Google Chrome, and WhatsApp. These packages act as a first-stage loader, starting an infection chain that fetches a second-stage payload from a remote server and executes a binary with FatalRAT-like features.
FatalRAT is a C++-based backdoor designed to execute commands and exfiltrate sensitive data to a remote server, and its authors have been gradually adding features to it. According to the researchers, the RAT is responsible for loading and running auxiliary modules based on checks performed on the victim system: if specified antivirus agents are running or certain registry keys are found, its behaviour may change. The auxiliary modules are designed to help the group achieve its specific goals.
Purple Fox, which includes a rootkit module, also supports five distinct actions, including copying and deleting files from the kernel and evading antivirus engines by intercepting file system calls. The findings follow recent revelations by cybersecurity company Avast, which described a new campaign in which the Purple Fox exploitation framework was used as a distribution channel for another botnet known as DirtyMoe.