Purple Fox Rootkit Now Spreads Through Fake Telegram Installer
Security experts at Minerva Labs are warning about malicious installers for the popular messaging app Telegram. According to their findings, a trojanized version of the Telegram installer is being used to infect Windows systems with the Purple Fox backdoor.
Purple Fox first caught researchers’ attention in 2018 due to its rootkit capabilities, which allow it to evade detection by antivirus software. In March 2021, it was reported that the operators of Purple Fox had added worm-like features to the malware, enabling it to spread freely across the Microsoft Windows ecosystem. Using this malware, attackers create a botnet that mines cryptocurrency for them.
Details of the Latest Purple Fox Campaign
Minerva Labs specialists described the new campaign in their blog, stating:
“Cybercriminals managed to hide their attacks from prying eyes by splitting the malicious payload into several small files, most of which are barely detected by antivirus engines. The final stage of these attacks results in the installation of the Purple Fox rootkit on the victim’s system.”
The rootkit’s capabilities help the malware operate more stealthily. For example, Purple Fox can remain in the victim’s operating system for a longer period, during which it can install additional malicious software.
How the Attack Works
In this campaign, attackers use Telegram installer files as bait. They employ an AutoIt script that downloads both the legitimate Telegram installer and a malicious executable file named TextInputh.exe.
Before the final stage of the attack, Purple Fox blocks processes of well-known antivirus programs to avoid detection.
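The dropper behaviour described above (one process launching the genuine Telegram installer next to a second executable, TextInputh.exe, followed by attempts to stop security software) lends itself to a simple host-based detection. The following Python script is an added illustration, not code from the article or from Minerva Labs: it runs three heuristics over constructed, Sysmon-style process-creation events. The payload name TextInputh.exe comes from the article; the installer file name pattern, the use of taskkill as the termination mechanism, the AV process name sample_av.exe, and the 60-second window are all assumptions.

```python
"""Heuristic detector for the fake-installer dropper pattern (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Image name reported for the second executable in this campaign.
DROPPED_PAYLOAD = "textinputh.exe"

# Assumed naming pattern for the legitimate Telegram installer.
TELEGRAM_INSTALLER = re.compile(r"^(tsetup|telegram).*\.exe$", re.I)

# Placeholder: replace with the process names of your own endpoint protection.
# "sample_av.exe" is a constructed name, not a real product.
PROTECTED_PROCESSES = {"sample_av.exe"}

# Assumed: a legitimate installer and an unrelated executable started by the
# same parent within this window is suspicious.
WINDOW = timedelta(seconds=60)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: list[dict]) -> list[dict]:
    """Return findings as dicts with keys rule, pid and detail."""
    findings = []
    children = defaultdict(list)  # ppid -> child process events

    for ev in events:
        name = basename(ev["image"])
        # Rule 1: the payload name reported in the campaign.
        if name == DROPPED_PAYLOAD:
            findings.append({"rule": "known_payload_name", "pid": ev["pid"],
                             "detail": ev["image"]})
        # Rule 3 (assumed mechanism): taskkill aimed at a protected process.
        if name == "taskkill.exe":
            for target in re.findall(r"/IM\s+(\S+)", ev["cmdline"], re.I):
                if target.lower() in PROTECTED_PROCESSES:
                    findings.append({"rule": "security_process_kill",
                                     "pid": ev["pid"], "detail": target})
        children[ev["ppid"]].append(ev)

    # Rule 2: same parent launches a Telegram installer plus another executable.
    for ppid, kids in children.items():
        for inst in kids:
            if not TELEGRAM_INSTALLER.match(basename(inst["image"])):
                continue
            t0 = datetime.fromisoformat(inst["ts"])
            for other in kids:
                if other is inst or TELEGRAM_INSTALLER.match(basename(other["image"])):
                    continue
                if abs(datetime.fromisoformat(other["ts"]) - t0) <= WINDOW:
                    findings.append({"rule": "installer_plus_second_exe", "pid": ppid,
                                     "detail": f"{basename(inst['image'])} + "
                                               f"{basename(other['image'])}"})
    return findings


def rules_triggered(events: list[dict]) -> list[str]:
    """Sorted, de-duplicated rule names that fired for the given events."""
    return sorted({f["rule"] for f in detect(events)})


# Constructed sample telemetry: a lure binary spawns the real installer and
# TextInputh.exe, which then tries to stop the (placeholder) AV process.
SAMPLE_EVENTS = [
    {"ts": "2022-01-03T10:00:00", "pid": 3000, "ppid": 1,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"ts": "2022-01-03T10:00:05", "pid": 4000, "ppid": 3000,
     "image": r"C:\Users\alice\Downloads\Telegram Desktop.exe",
     "cmdline": '"Telegram Desktop.exe"'},
    {"ts": "2022-01-03T10:00:07", "pid": 4100, "ppid": 4000,
     "image": r"C:\Users\alice\AppData\Local\Temp\tsetup.exe",
     "cmdline": "tsetup.exe"},
    {"ts": "2022-01-03T10:00:08", "pid": 4200, "ppid": 4000,
     "image": r"C:\Users\alice\AppData\Local\Temp\TextInputh.exe",
     "cmdline": "TextInputh.exe"},
    {"ts": "2022-01-03T10:00:18", "pid": 4300, "ppid": 4200,
     "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill /F /IM sample_av.exe"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['rule']:28} pid={f['pid']:<6} {f['detail']}")
```

Rule 1 is the only rule tied to an indicator from the article and will stop firing as soon as the operators rename the file; rules 2 and 3 describe behaviour rather than names and are the ones worth keeping in a detection engineer's backlog, after tuning the installer pattern and the protected-process list to the environment.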
Stay Protected
- Always download software from official sources.
- Keep your antivirus software up to date.
- Be cautious of unexpected installers or files, even if they appear to be from trusted applications.