Installers for the cloud-based instant messaging app Telegram have been compromised to distribute the Purple Fox malware to install additional malicious payloads on impacted systems.
What Is Purple Fox?
Purple Fox, a Windows-based backdoor, first appeared in 2018 as a fileless downloader trojan distributed through an exploit kit that compromised more than 30,000 machines.
Because of its rootkit features, this malware is able to evade detection and stay hidden from most anti-virus solutions. According to cybersecurity experts, the backdoor’s worm-like propagation capability allows it to spread more rapidly.
Back to Our Malicious Telegram Installers – How Does the Attack Work?
As per Minerva Labs’ new analysis, the attack chain starts with a Telegram installer file and ends with a malicious downloader known as “TextInputh.exe.” Using an AutoIt script called “Telegram Desktop.exe,” the malicious downloader installs additional malware from the C2 server.
When TextInputh.exe is executed, it will create a new folder (“1640618495”) under “C:\Users\Public\Videos” and connect to the C2 to download a 7z utility and a RAR archive (1.rar).
The archive contains the payload and the configuration files, while the 7z program unpacks everything onto the ProgramData folder.
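The staging behaviour just described lends itself to a simple file-activity detection. The following script is an added example, not code from the article or from Minerva Labs: it runs over constructed Sysmon-style file-create records (written here as "Image|TargetFilename") and flags the sequence in which a process drops a 7z executable and 1.rar into a numeric folder under C:\Users\Public\Videos, after which that staged 7z copy writes into ProgramData. Matching any all-digit folder name is an assumption that generalises the single folder name ("1640618495") quoted on the page; the file names written to ProgramData in the sample are placeholders, since the article does not list them.

```python
import re
from collections import defaultdict

# Patterns derived from the behaviour the article describes. The all-digit folder
# name is an assumption that generalises the one sample ("1640618495") on the page.
STAGING_DIR = re.compile(r"^C:\\Users\\Public\\Videos\\\d+\\", re.IGNORECASE)
SEVEN_ZIP = re.compile(r"\\7z[^\\]*\.exe$", re.IGNORECASE)
RAR_ARCHIVE = re.compile(r"\\1\.rar$", re.IGNORECASE)
PROGRAMDATA = re.compile(r"^C:\\ProgramData\\", re.IGNORECASE)

# Constructed sample records: "Image|TargetFilename", one file-create event per line.
SAMPLE_EVENTS = [
    # benign: a user saving a clip into their own Videos folder
    r"C:\Windows\explorer.exe|C:\Users\alice\Videos\holiday.mp4",
    # the downloader stages the 7z utility and the RAR archive named in the article
    r"C:\Users\alice\Downloads\TextInputh.exe|C:\Users\Public\Videos\1640618495\7z.exe",
    r"C:\Users\alice\Downloads\TextInputh.exe|C:\Users\Public\Videos\1640618495\1.rar",
    # the staged 7z unpacks into ProgramData (output file names are constructed placeholders)
    r"C:\Users\Public\Videos\1640618495\7z.exe|C:\ProgramData\payload.bin",
    r"C:\Users\Public\Videos\1640618495\7z.exe|C:\ProgramData\config.ini",
]


def parse_event(line):
    """Split one 'Image|TargetFilename' record; return (image, target) or None if malformed."""
    parts = line.strip().split("|")
    if len(parts) != 2:
        return None
    return parts[0], parts[1]


def classify_events(lines):
    """Map each writing process to the set of chain stages its file writes match."""
    stages = defaultdict(set)
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        image, target = parsed
        if STAGING_DIR.match(target):
            stages[image].add("staging_dir")
            if SEVEN_ZIP.search(target):
                stages[image].add("7z_dropped")
            if RAR_ARCHIVE.search(target):
                stages[image].add("rar_dropped")
        # A 7z binary running out of the staging folder and writing into ProgramData
        # is the unpack step the article describes.
        if PROGRAMDATA.match(target) and STAGING_DIR.match(image) and SEVEN_ZIP.search(image):
            stages[image].add("unpack_to_programdata")
    return dict(stages)


def chain_detected(lines):
    """True only when both the staging step (7z and 1.rar dropped under Public\\Videos)
    and the unpack-to-ProgramData step are present; either one alone is not enough."""
    stages = classify_events(lines)
    staged = any({"7z_dropped", "rar_dropped"} <= s for s in stages.values())
    unpacked = any("unpack_to_programdata" in s for s in stages.values())
    return staged and unpacked


if __name__ == "__main__":
    for image, found in classify_events(SAMPLE_EVENTS).items():
        print(f"{image}: {sorted(found)}")
    print("chain detected:", chain_detected(SAMPLE_EVENTS))
```

Requiring both stages before alerting keeps a lone 7z download or an ordinary write into ProgramData from firing on its own; in a real deployment the same two conditions would be expressed as a correlation rule over file-create telemetry rather than over a static list.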
According to the report recently issued by Minerva Labs, TextInputh.exe