Security Intelligence
Attackers Used Malicious Telegram Installer to Distribute Purple Fox Rootkit
Threat actors leveraged a malicious Telegram installer to infect users with the Purple Fox rootkit.
A Case Study in Evasion
The script created a new folder and dropped both a legitimate Telegram installer and a malicious downloader into it. The former didn’t factor into the attack chain. The same can’t be said about the latter, however.
Upon execution, the malicious downloader contacted a command and control (C&C) server and downloaded two files into a newly created folder. One of those resources, ‘7zz.exe,’ contained another file called ‘ojbke.exe’ that, when run with the ‘-a’ argument, reflectively loaded a DLL file.
That DLL in turn pulled in several more files used to shut down antivirus processes. At that point the campaign used its C&C server to gather the hostname, CPU details and other information about the victim machine.
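As an added illustration (not code from the article, nor from any published Purple Fox analysis), the following Python check runs over constructed process-creation events and flags the stage described above: a process spawned by '7zz.exe' and launched with the '-a' switch. It scores the named 'ojbke.exe' as high and any other such child as medium, so it generalizes slightly beyond the one file the article names; the folder paths, PIDs and the 'downloader.exe' name are assumptions.

```python
import ntpath
import shlex
from typing import Dict, List

# Constructed sample process-creation events (not from the article or any
# real capture). Field names loosely follow Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {"pid": 4000, "ppid": 1200, "image": r"C:\Users\u\Downloads\downloader.exe",
     "cmdline": "downloader.exe"},                      # assumed malicious downloader
    {"pid": 4100, "ppid": 4000, "image": r"C:\Users\u\AppData\Local\Temp\drop\7zz.exe",
     "cmdline": "7zz.exe"},                             # file fetched from C&C
    {"pid": 4200, "ppid": 4100, "image": r"C:\Users\u\AppData\Local\Temp\drop\ojbke.exe",
     "cmdline": "ojbke.exe -a"},                        # named in the article
    {"pid": 4250, "ppid": 4100, "image": r"C:\Users\u\AppData\Local\Temp\drop\svc.exe",
     "cmdline": "svc.exe -a"},                          # constructed renamed variant
    {"pid": 4300, "ppid": 1200, "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": "7z.exe a backup.7z docs"},             # benign archiver, must not alert
]


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def _args(cmdline: str) -> List[str]:
    # posix=False keeps Windows backslashes and quoted paths intact.
    try:
        return shlex.split(cmdline, posix=False)
    except ValueError:
        return cmdline.split()


def find_purple_fox_chain(events: List[Dict]) -> List[Dict]:
    """Flag children of 7zz.exe started with '-a'; ojbke.exe scores high."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None or _basename(parent["image"]) != "7zz.exe":
            continue
        if "-a" not in _args(e["cmdline"])[1:]:
            continue
        name = _basename(e["image"])
        alerts.append({
            "pid": e["pid"],
            "image": name,
            "severity": "high" if name == "ojbke.exe" else "medium",
            "reason": "child of 7zz.exe launched with -a",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_purple_fox_chain(SAMPLE_EVENTS):
        print(alert)
```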
It also checked to see if various antivirus solutions were running on the