Purple Fox malware is distributed using a rogue Telegram for Desktop installer, which also installs other malicious payloads on victim PCs. The installer is a compiled AutoIt script named “Telegram Desktop.exe” that drops two files: a legitimate Telegram installer and a malicious downloader. The AutoIt application runs only the downloader (TextInputh.exe); the real Telegram installer dropped alongside it is never executed.
When TextInputh.exe is run, it will create a new folder under “C:\Users\Public\Videos\” called “1640618495” and then connect to the C2 to get a 7z utility and a RAR archive (1.rar). The payload and configuration files are contained in the archive, and the 7z application unpacks everything into the ProgramData folder.
According to Minerva Labs’ analysis, TextInputh.exe executes the following operations on the infected machine:
- Copies 360.tct with “360.dll” name, rundll3222.exe, and svchost.txt to the ProgramData folder
- Runs ojbk.exe with the “ojbk.exe -a” command line
- Deletes 1.rar and 7zz.exe and exits the process
Following that, a registry key is established for persistence, a DLL (rundll3222.dll) is used to disable UAC, the payload (scvhost.txt) is run, and the following five files are placed onto the infected system:
- Driver.sys
- Calldriver.exe
- kill.bat
- dll.dll
- speedmem2.hg
The objective of these additional files is to prevent Purple Fox from being detected on the infected PC by jointly blocking the activation of 360 AV processes. The malware’s next step is to collect basic system information, check whether any security programs are installed, and then send everything to a hardcoded C2 address.
After the reconnaissance process, Purple Fox is downloaded from the C2 as a .msi file that includes encrypted shellcode for 32-bit and 64-bit computers. Upon execution, Purple Fox will restart the infected PC for the altered registry settings to take effect, including the deactivated User Account Control (UAC).
The dll.dll file does this by setting the following three registry entries to 0:
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop
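As an added example (not code from the article or from Minerva Labs), the following PowerShell audit reads the three UAC values named above and flags any that have been set to 0, then checks for the folder and file names the article lists. It assumes the Windows default values are the intended ones on the host and that the dropped files live under ProgramData, which the article states only for the first group.

```powershell
# Added defender-side audit script; run in an elevated PowerShell on the host being checked.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Windows defaults (assumption: no local policy legitimately lowers them).
$expected = @{
    ConsentPromptBehaviorAdmin = 5   # prompt for consent for non-Windows binaries
    EnableLUA                  = 1   # UAC enabled
    PromptOnSecureDesktop      = 1   # prompts are shown on the secure desktop
}

$findings = @()
foreach ($name in $expected.Keys) {
    $value = (Get-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $value) {
        $findings += "[INFO]  $name not set; Windows uses the default ($($expected[$name]))"
    } elseif ($value -eq 0) {
        # All three being 0 is exactly the state the article says dll.dll produces.
        $findings += "[ALERT] $name = 0 (UAC weakened)"
    } elseif ($value -ne $expected[$name]) {
        $findings += "[WARN]  $name = $value (expected $($expected[$name]))"
    }
}

# File-system indicators taken from the article. The ProgramData location for the
# last five names is an assumption; the article does not say where they are placed.
$programDataFiles = @('360.dll', 'rundll3222.exe', 'svchost.txt', 'ojbk.exe',
                      'Driver.sys', 'Calldriver.exe', 'kill.bat', 'dll.dll', 'speedmem2.hg')
$paths = @('C:\Users\Public\Videos\1640618495') +
         ($programDataFiles | ForEach-Object { Join-Path $env:ProgramData $_ })

foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += "[ALERT] indicator present: $p" }
}

if ($findings.Count -eq 0) { 'No UAC tampering or Purple Fox file indicators found.' }
else { $findings }
```

A [WARN] result by itself is not proof of infection; compare it against your group policy before acting, and treat the file indicators as confirmation rather than the primary signal.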
Bypassing UAC is critical since it grants administrator access to any software that runs on the infected machine, including viruses and malware. Normally, UAC prevents unauthorized software installations and changes to system settings. Hence, it should always be enabled on Windows.
If it is disabled, Purple Fox may execute harmful operations, including file search and exfiltration, process killing, data deletion, downloading and running malware, and even worming to other Windows systems. The malware’s distribution method is unknown at this time. Still, previous malware campaigns posing as legitimate software have been spread via YouTube videos, forum spam, and dodgy software sites in the past.