Updated 4 January 2022 at 20:59 IST

Beware: A fake Telegram installer is distributing harmful Purple Fox malware on computers

The Purple Fox malware was first discovered four years ago. What makes it dangerous is how rarely anti-virus software detects it.


A trojanized Telegram installer is being used to infect Windows computers. According to a report published by the anti-malware company Minerva Labs, fake Telegram Desktop installers are being circulated on the internet to distribute the Purple Fox malware. Once run, the installer stages its components in a way that slips past the anti-virus software installed on the computer and ends with the Purple Fox rootkit, which can steal information without the consent or knowledge of the user.

As stated in the Minerva Labs report: "We have often observed threat actors using legitimate software for dropping malicious files. This time however is different. This threat actor was able to leave most parts of the attack under the radar by separating the attack into several small files, most of which had very low detection rates by AV engines, with the final stage leading to Purple Fox rootkit infection." The malicious Telegram installer is a compiled AutoIt script that circulates under the file name "Telegram Desktop.exe", so users who obtain Telegram from anywhere other than its official download channels should be wary.

How does the Purple Fox malware deployment take place?

The attack is split into several small files that only achieve their purpose together. Because each file looks innocuous on its own, most of them are missed by anti-virus engines, and the Purple Fox rootkit is deployed only once every component has reached the victim's machine. In the first stage, the fake installer creates a folder named "TextInputh" under "C:\Users\Username\AppData\Local\Temp\" on the infected device and places two executable files in it.

The next stage runs from that folder: it creates another folder, named "164061849", under "C:\Users\Public\Videos\" and downloads the remaining files the attack needs into it. After a few further steps, the dropped components block the processes of 360 AV (Qihoo 360's anti-virus product) from kernel space, so that the Purple Fox rootkit can be installed without interference.
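The staged chain above leaves a recognisable trail on disk: a "TextInputh" folder in the user's Temp directory, a numeric folder under C:\Users\Public\Videos\, and a process called "Telegram Desktop.exe" writing files it has no business writing. The following Python script is an added example, not code from the article or from the Minerva Labs report; it hunts for those indicators over constructed file-creation records shaped like Sysmon Event ID 11 (FileCreate). The sample file names and the "any all-digit folder under Public\Videos" heuristic are assumptions made for the example.

```python
"""Hunt for the Purple Fox dropper's file-system indicators in FileCreate-style events."""
import re
from typing import Iterable, List, Tuple

# Indicators taken from the article's description of the dropper chain.
# Windows paths are not case-sensitive, so every match is case-insensitive.
TEMP_DROP_DIR = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\textinputh\\", re.IGNORECASE)
# The article names the staging folder "164061849" under C:\Users\Public\Videos\.
# Matching any all-digit folder name there is an added hunting heuristic
# (assumption), not something the article states.
PUBLIC_VIDEOS_STAGE_DIR = re.compile(
    r"^[a-z]:\\users\\public\\videos\\\d+\\", re.IGNORECASE)
FAKE_INSTALLER_NAME = "telegram desktop.exe"

Event = Tuple[str, str]  # (creating process image path, created file path)


def basename(path: str) -> str:
    """Last path component of a Windows path."""
    return path.rsplit("\\", 1)[-1]


def classify_event(image: str, target: str) -> List[str]:
    """Return the indicator tags that a single FileCreate-style event matches."""
    tags: List[str] = []
    # Image-based indicators: who is doing the writing.
    if basename(image).lower() == FAKE_INSTALLER_NAME:
        tags.append("fake_installer_image")
    if TEMP_DROP_DIR.match(image):
        tags.append("process_from_textinputh")
    # Target-based indicators: where the file lands.
    if TEMP_DROP_DIR.match(target):
        tags.append("temp_textinputh_drop")
    if PUBLIC_VIDEOS_STAGE_DIR.match(target):
        tags.append("public_videos_stage")
    return tags


def hunt(events: Iterable[Event]) -> List[Tuple[str, str, List[str]]]:
    """Return only the events that matched at least one indicator, in input order."""
    hits = []
    for image, target in events:
        tags = classify_event(image, target)
        if tags:
            hits.append((image, target, tags))
    return hits


# Constructed sample records (not real telemetry). File names such as
# stage2.exe and payload.bin are placeholders chosen for the example.
SAMPLE_EVENTS: List[Event] = [
    ("C:\\Users\\alice\\Downloads\\Telegram Desktop.exe",
     "C:\\Users\\alice\\AppData\\Local\\Temp\\TextInputh\\stage2.exe"),
    ("C:\\Users\\alice\\AppData\\Local\\Temp\\TextInputh\\stage2.exe",
     "C:\\Users\\Public\\Videos\\164061849\\payload.bin"),
    ("C:\\Windows\\explorer.exe",
     "C:\\Users\\alice\\Documents\\report.docx"),
    ("C:\\Program Files\\Telegram Desktop\\Telegram.exe",
     "C:\\Users\\alice\\AppData\\Roaming\\Telegram Desktop\\tdata\\settings"),
]

if __name__ == "__main__":
    for image, target, tags in hunt(SAMPLE_EVENTS):
        print(f"{', '.join(tags):45} {basename(image)} -> {target}")
```

The two benign records (Explorer saving a document, the genuine Telegram client writing its own settings) produce no tags, while the two dropper records are flagged by both who wrote the file and where it was written; feeding real Sysmon or EDR file-creation events into `hunt()` in place of `SAMPLE_EVENTS` is the only change needed to run this against a fleet.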


Purple Fox was first discovered four years ago, in 2018. What sets it apart is how rarely its components are flagged: its rootkit behaviour keeps it hidden from anti-virus solutions on an infected device, and by staying under the radar it can not only steal information from a system but also deploy further programs of the attacker's choosing.

Published By : Shikhar Mehrotra

Published On: 4 January 2022 at 20:59 IST