Purple Fox Rootkit Dropped by Malicious Telegram Installers (Security News, January 2022)
A malicious Telegram instant-messaging app installer scurries past a slew of antivirus engines to deliver Purple Fox malware, evading detection by separating the attack into bite-sized morsels that fly under the radar.
"We have often observed threat actors using legitimate software for dropping malicious files," analysts wrote.
"This time however is different. This threat actor was able to leave most parts of the attack under the radar by separating the attack into several small files, most of which had very low detection rates by AV engines, with the final stage leading to Purple Fox rootkit infection."
The malicious installer, bearing the familiar Telegram icon of a white paper plane, is actually a compiled AutoIt script called "Telegram Desktop.exe." The installer creates a new folder named "TextInputh" under C:\Users\Username\AppData\Local\Temp.
It drops two files into the folder: an actual Telegram installer, and a malicious downloader, TextInputh.
"The beauty of this attack is that every stage is separated into a different file, which are useless without the entire file set," according to the report.
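The staging behaviour described above (an installer named "Telegram Desktop.exe" creating a TextInputh folder under the user's local Temp directory and writing files into it) is the kind of combination a detection can key on even when each dropped file scores low with AV engines. The following is an added detection sketch, not code from the report or from Minerva Labs; the event tuple format and the sample file names are constructed for the example.

```python
import re

# Indicators taken from the report: the dropper is named "Telegram Desktop.exe"
# and it creates a "TextInputh" folder under C:\Users\<user>\AppData\Local\Temp.
DROPPER_NAME = "telegram desktop.exe"
DROP_DIR = re.compile(
    r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\textinputh(\\|$)", re.I
)

# Constructed, simplified file-create events: (writing process image, target path).
# This is not real telemetry; the two-field shape is an assumption for the example,
# and the dropped file names (other than the TextInputh folder) are invented.
SAMPLE_EVENTS = [
    (r"C:\Users\alice\Downloads\Telegram Desktop.exe",
     r"C:\Users\alice\AppData\Local\Temp\TextInputh"),
    (r"C:\Users\alice\Downloads\Telegram Desktop.exe",
     r"C:\Users\alice\AppData\Local\Temp\TextInputh\TextInputh.exe"),
    (r"C:\Users\alice\Downloads\Telegram Desktop.exe",
     r"C:\Users\alice\AppData\Local\Temp\TextInputh\legit_setup.exe"),
    # Benign noise: the real client and Explorer writing to their usual places.
    (r"C:\Program Files\Telegram Desktop\Telegram.exe",
     r"C:\Users\alice\AppData\Roaming\Telegram Desktop\tdata\settings"),
    (r"C:\Windows\explorer.exe",
     r"C:\Users\alice\AppData\Local\Temp\notes.txt"),
]


def image_name(path: str) -> str:
    """Lower-cased file name of a process image path (handles / and \\)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_staging(events):
    """Return target paths written under the TextInputh drop folder by a
    process named like the dropper. Either indicator alone is weak; the
    report's point is that the pieces only matter together, so both are required."""
    return [
        target for image, target in events
        if image_name(image) == DROPPER_NAME and DROP_DIR.match(target)
    ]


def suspicious_drop(events) -> bool:
    """Alert only when the drop folder has at least one file written into it,
    not merely when the folder itself is created."""
    hits = find_staging(events)
    files = [h for h in hits if not DROP_DIR.fullmatch(h)]
    return len(files) >= 1
```

Extending the check with the second stage the report names (the TextInputh downloader launching and fetching further files) would tighten it further, but that requires process and network telemetry the example does not model.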
News URL: https://threatpost.com/purple-fox-rootkit-telegram-installers/177330/