Security News > 2022 > March > 'Purple Fox' Hackers Spotted Using New Variant of FatalRAT in Recent Malware Attacks
The operators of the Purple Fox malware have retooled their malware arsenal with a new variant of a remote access trojan called FatalRAT, while also simultaneously upgrading their evasion mechanisms to bypass security software.
"Users' machines are targeted via trojanized software packages masquerading as legitimate application installers," Trend Micro researchers said in a report published on March 25, 2022.
These packages act as a first-stage loader, triggering an infection sequence that leads to the deployment of a second-stage payload from a remote server and culminating in the execution of a binary that inherits its features from FatalRAT. FatalRAT is a C++-based implant designed to run commands and exfiltrate sensitive information back to a remote server, with the malware authors incrementally updating the backdoor with new functionality.
Purple Fox, which comes with a rootkit module, comes with support for five different commands, including copying and deleting files from the kernel as well as evading antivirus engines by intercepting calls sent to the file system.
The findings also follow recent disclosures from cybersecurity firm Avast, which detailed a new campaign that involved the Purple Fox exploitation framework acting as a deployment channel for another botnet called DirtyMoe.
"Operators of the Purple Fox botnet are still active and consistently updating their arsenal with new malware, while also upgrading the malware variants they have," the researchers said.
News URL
https://thehackernews.com/2022/03/purple-fox-hackers-spotted-using-new.html
Related news
- TA558 Hackers Weaponize Images for Wide-Scale Malware Attacks (source)
- CISA warns of Microsoft Streaming bug exploited in malware attacks (source)
- Hackers target FCC, crypto firms in advanced Okta phishing attacks (source)
- Hackers steal Windows NTLM authentication hashes in phishing attacks (source)
- Hackers Exploit ConnectWise ScreenConnect Flaws to Deploy TODDLERSHARK Malware (source)
- Hackers target Docker, Hadoop, Redis, Confluence with new Golang malware (source)
- Hackers impersonate U.S. government agencies in BEC attacks (source)
- Chinese State Hackers Target Tibetans with Supply Chain, Watering Hole Attacks (source)
- Magnet Goblin hackers use 1-day flaws to drop custom Linux malware (source)
- Hackers exploit WordPress plugin flaw to infect 3,300 sites with malware (source)