Purple Fox malware distributed by way of malicious Telegram installers


A malicious Telegram for Desktop installer distributes the Purple Fox malware to install additional malicious payloads on infected devices.
The installer is a compiled AutoIt script named "Telegram Desktop.exe" that drops two files: an actual Telegram installer and a malicious downloader.
While the legitimate Telegram installer dropped alongside the downloader is not executed, the AutoIt program does run the downloader (TextInputh.exe).

Dropped files on the infected machine. Source: Minerva Labs
When TextInputh.exe is executed, it creates a new folder ("1640618495") under "C:\Users\Public\Videos" and connects to the C2 to download a 7z utility and a RAR archive (1.rar).
The archive contains the payload and the configuration files, while the 7z program unpacks everything into the ProgramData folder.
As detailed in an analysis by Minerva Labs, TextInputh.exe performs the following actions on the compromised machine:
Copies 360.tct under the name "360.dll", rundll3222.exe, and svchost.txt to the ProgramData folder
Executes ojbk.exe with the "ojbk.exe -a" command line
Deletes 1.rar and 7zz.exe and exits the process

Purple Fox infection flow. Source: Minerva Labs
Next, a registry key is created for persistence, a DLL (rundll3222.dll) disables UAC, the payload (scvhost.txt) is executed, and the following five extra files are dropped onto the infected system:
Calldriver.exe
Driver.sys
dll.dll
kill.bat
speedmem2.hg
The purpose of these extra files is to collectively block the initiation of 360 AV processes and prevent the detection of Purple Fox on the compromised machine.
The next step for the malware is to gather basic system information, check whether any security tools are running on it, and finally send all of that to a hardcoded C2 address.
Once this reconnaissance process is completed, Purple Fox is downloaded from the C2 in the form of an .msi file that contains encrypted shellcode for both 32- and 64-bit systems.
Upon execution of Purple Fox, the infected machine is restarted for the new registry settings to take effect, most importantly the disabled User Account Control (UAC).
To achieve this, the dll.dll file sets the following three registry keys to 0:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop

DLL disabling UAC on the target system. Source: Minerva Labs
Disabling UAC is important because it gives any program that runs on the infected system, including viruses and malware, administrator privileges.
Typically, UAC prevents the unauthorized installation of apps or the changing of system settings, so it should stay active on Windows at all times.
Disabling it allows Purple Fox to perform malicious functions such as file search and exfiltration, process killing, deletion of files, downloading and running code, and even worming to other Windows systems.
At this time, it is unknown how the malware is being distributed, but similar malware campaigns impersonating legitimate software have been distributed via YouTube videos, forum spam, and shady software sites.
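As an added defender's check (this script is not from the article or from Minerva Labs), the following PowerShell audits the three UAC values named above against their Windows defaults and looks for the dropped file names the article lists. It assumes the five later files also land in ProgramData and that the staging folder name is a ten-digit Unix timestamp like the "1640618495" example; both are assumptions, not facts from the write-up.

```powershell
# Added example: audit the UAC values Purple Fox's dll.dll sets to 0 and
# look for the file names the analysis lists. Run from an elevated prompt.
$uacPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Windows defaults for the three values; 0 in any of them is the state the
# malware leaves behind (EnableLUA=0 switches UAC off entirely).
$expected = @{
    'ConsentPromptBehaviorAdmin' = 5
    'EnableLUA'                  = 1
    'PromptOnSecureDesktop'      = 1
}

$findings = @()
$props = Get-ItemProperty -Path $uacPath -ErrorAction Stop
foreach ($name in $expected.Keys) {
    $value = $props.$name
    if ($null -eq $value) {
        $findings += "UAC value $name is missing; Windows treats it as the default $($expected[$name])"
    } elseif ($value -eq 0) {
        $findings += "UAC value $name is 0 (default $($expected[$name])); UAC is weakened"
    }
}

# File names from the article. ProgramData is stated for the first three;
# for the rest the location is an assumption made here.
$dropped = 'rundll3222.exe', '360.dll', 'svchost.txt', 'ojbk.exe',
           'Calldriver.exe', 'Driver.sys', 'dll.dll', 'kill.bat', 'speedmem2.hg'
foreach ($f in $dropped) {
    $p = Join-Path $env:ProgramData $f
    if (Test-Path -LiteralPath $p) { $findings += "Dropped file present: $p" }
}

# Staging folder under Public\Videos named with a Unix timestamp (assumed pattern).
Get-ChildItem -Path "$env:PUBLIC\Videos" -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^\d{10}$' } |
    ForEach-Object { $findings += "Timestamp-named staging folder: $($_.FullName)" }

if ($findings.Count -eq 0) {
    'No UAC tampering or Purple Fox dropped files found.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

A hit on any UAC value is worth triaging even without the file names present, since a reboot after the registry change is the point at which the weakened UAC takes effect.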
