“This threat actor was able to keep most of the attack under the radar by breaking the attack down into several small files, most of which had very low detection rates by the [antivirus] engines, the last step leading Purple Fox rootkit infection, said researcher Natalie Zargarov.
First discovered in 2018, Purple Fox comes with rootkit capabilities that allow the malware to be planted beyond the reach of security solutions and evade detection. A March 2021 report from Guardicore detailed its worm-like propagation feature, enabling the backdoor to spread more rapidly.
Then, in October 2021, Trend Micro researchers discovered a .NET implant dubbed FoxSocket distributed in partnership with Purple Fox that uses WebSockets to contact its command and control (C2) servers for a more secure way to establish communications.
“The capabilities of the Purple Fox rootkit make it more capable of achieving its goals in a more stealthy manner,” the researchers noted. “They allow Purple Fox to persist on affected systems and deliver additional payloads to affected systems.
Last but not least, in December 2021, Trend Micro also shed light on the later stages of the Purple Fox infection chain, targeting SQL databases by inserting a malicious SQL common language runtime (CLR) module to achieve a persistent and stealthier execution and ultimately abuse the SQL servers for illicit cryptocurrency mining.
The new chain of attacks observed by Minerva begins with a Telegram installer file, an AutoIt script that publishes a legitimate installer for the chat app, and a malicious downloader called “TextInputh.exe”, the latter being executed to retrieve the next malware from the C2 server.
Then the downloaded files block the processes associated with the different antivirus engines, before moving on to the final step of downloading and running the Purple Fox rootkit from a remote server which is now down. installers providing the same version of the Purple Fox rootkit using the same attack chain, ”Zargarov said.
“ Some appear to have been delivered by email, while others, we assume, were downloaded from websites phishing. The beauty of this attack is that each step is separate for a different file, which is unnecessary without all of the files.
Source: The Hacker News