The Minerva Labs cybersecurity team released a report earlier this week regarding the Purple Fox rootkit and its distribution via fake Telegram installers online. Working with MalwareHunterTeam, the researchers stated that Purple Fox is being disguised as a file named Telegram Desktop.exe. The staged infection process makes the malware harder to detect, and unsuspecting victims are installing a trojanised version of the popular messaging client. Purple Fox was first discovered in 2018 and has been spread in a variety of ways, including phishing emails, malicious links, and exploit kits.
Over the past few years, Purple Fox's distribution methods have expanded to include compromising vulnerable internet-facing services and fake installers, such as the campaign detailed by Minerva Labs and MalwareHunterTeam. According to the researchers, the malicious Telegram installer is a compiled AutoIt script. During the attack, the payload is delivered as several small files, which has allowed the threat actor to remain undetected. A registry key is also created to give the malware persistence on an infected machine.
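One triage check a practitioner can run on a suspect installer follows, as an added example that is not code from the Minerva Labs or MalwareHunterTeam report. It relies on a known AutoIt artifact that the article itself does not mention: executables produced by the AutoIt3 compiler embed the script with an "EA06" header containing the marker string AU3!EA06, which many YARA rules key on. A file that presents itself as the Telegram installer but carries that marker is worth a closer look. The list of impersonated product names and the sample byte blobs are constructed for the example, not real installers or malware.

```python
"""Added triage helper: flag installer binaries that are compiled AutoIt scripts.

Example code added to this page; it is not from Minerva Labs or MalwareHunterTeam.
"""
from __future__ import annotations

import hashlib
from typing import Optional

# Executables produced by the AutoIt3 compiler embed the script with an "EA06"
# header containing this marker string. Known AutoIt artifact, not from the article.
AUTOIT_EA06_MARKER = b"AU3!EA06"

# Product names a dropper might borrow. Assumed list for illustration only.
IMPERSONATED_NAMES = {"telegram desktop.exe", "telegram.exe"}


def find_autoit_marker(data: bytes) -> Optional[int]:
    """Return the offset of the AutoIt3 script marker in a PE image, or None.

    The MZ check avoids flagging a bare .a3x script or a text file that merely
    mentions the marker; the dropper described in the article is a compiled
    executable, so that is what this looks for.
    """
    if data[:2] != b"MZ":
        return None
    offset = data.find(AUTOIT_EA06_MARKER)
    return None if offset < 0 else offset


def triage(filename: str, data: bytes) -> dict:
    """Summarise one file for an analyst: hash, size, AutoIt verdict, suspicion."""
    offset = find_autoit_marker(data)
    is_autoit = offset is not None
    impersonates = filename.lower() in IMPERSONATED_NAMES
    return {
        "file": filename,
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
        "compiled_autoit": is_autoit,
        "marker_offset": offset,
        # A genuine Telegram installer is not an AutoIt script; a file that uses
        # the product's name and turns out to be one deserves investigation.
        "suspicious": is_autoit and impersonates,
    }


def triage_many(files: dict) -> list:
    """Run triage over a {name: bytes} mapping, suspicious entries first."""
    rows = [triage(name, data) for name, data in files.items()]
    return sorted(rows, key=lambda r: (not r["suspicious"], r["file"]))


# Constructed sample blobs (not real malware): a minimal MZ stub standing in for
# a genuine installer, and the same stub with the AutoIt marker spliced in.
BENIGN_PE = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 128
FAKE_INSTALLER = (
    b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 64 + AUTOIT_EA06_MARKER + b"\x00" * 32
)

SAMPLES = {
    "Telegram Desktop.exe": FAKE_INSTALLER,
    "setup.exe": BENIGN_PE,
    "helper.exe": FAKE_INSTALLER,  # compiled AutoIt, but not borrowing a product name
}

if __name__ == "__main__":
    for row in triage_many(SAMPLES):
        print(row)
```

The marker check is a cheap first filter, not proof of malice: plenty of legitimate tools are written in AutoIt, which is why the verdict is only raised to "suspicious" when the file also borrows a well-known product's name. For a real incident the next steps would be to compare the hash against the vendor's published installer and to look for the additional dropped files and the persistence registry entry the report describes.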
Read More: Purple Fox rootkit discovered in malicious Telegram installers