Purple Fox Rootkit

Industry: N/A | Level: Tactical | Source: Minerva-Labs

Research from Minerva reports MalwareHunterTeam, identified a malicious Telegram installer compiled in AutoIt, named "Telegram Desktop.exe.” Resulting in infection with the Purple Fox rootkit. The telegram installer attempts to evade detection utilizing small files with the first batch dropped from the initial "Telegram Desktop.exe” executable then copies specific files to the ProgramData folder, launching an executable and deleting the recently downloaded files. Following registry modifications, additional malicious files are downloaded initiating actions to run a new driver service, bypass UAC and stop AV. The final stages of the attack exfiltrate any collected information for AV products to the C2 server and download the purple fox rootkit.

• Anvilogic Scenario: Malicious Telegram Installer
• Anvilogic Use Cases:
• Executable Create Script Process
• Driver as Command Parameter
• Suspicious Registry Key Created
• Suspicious DLLhost Execution