Malicious Telegram Installer Drops Purple Fox Rootkit

This AutoIt script is the first stage of the attack which creates a new folder named “TextInputh” under C:UsersUsernameAppDataLocalTemp and drops a legitimate Telegram installer (which is not even executed) and a malicious downloader (TextInputh.exe). When executed, TextInputh.exe creates a new folder named “1640618495” under the C:UsersPublicVideos directory. TextInputh.exe file is used as a downloader for the next stage of the attack. It contacts a C&C server and downloads two files to the newly created folder: 1.rar – which contains the files for the next stage. 7zz.exe – a legitimate 7z archiver. 2.The 7zz.exe is used to unarchive 1.rar, which contains the following files. Next, TextInputh.exe performs the following actions: Copies 360.tct with “360.dll” name, rundll3222.exe and svchost.txt to the ProgramData folder Executes ojbk.exe with the “ojbk.exe -a” command line Deletes 1.rar and 7zz.exe and exits the process ojbk.exe When executed with the “-a” argument, this file is only used to reflectively load the malicious 360.dll file. This DLL is responsible for reading the dropped svchost.txt file. After which, a new HKEY_LOCAL_MACHINESYSTEMSelectMarkTime registry key is created, whose value equals the current time of svchost.exe and then, the svchost.txt payload is executed. As the attack flow continues, this file appears to contain the byte code of the next stage of the malicious payload executed by the 360.dll. As the first action of svchost.txt, it checks for the existence of the HKLMSOFTWAREMicrosoftWindowsCurrentVersionApp Paths360safe.exePath registry key. If the registry key is found, the attack flow will perform an additional step before moving on to the next stage: The attack drops five more files into the ProgramData folder: -Calldriver.exe – this file is used to shut down and block initiation of 360 AV -Driver.sys – after this file is dropped, a new system driver service named “Driver” is created and started on the infected PC and bmd.txt is created in the ProgramData folder. -dll.dll – executed after UAC bypass. The UAC bypass technique used by svchost.txt is a “UAC bypass using CMSTPLUA COM interface” and is well described here. This technique is commonly used by the LockBit and BlackMatter ransomware authors. The dll.dll is executed with the “C:ProgramDatadll.dll, luohua” command line. -kill.bat – a batch script which is executed after the file drop ends. -speedmem2.hg – SQLite file All these files work together to shut down and block the initiation of 360 AV processes from the kernel space, thus allowing the next stage attack tools (Purple Fox Rootkit, in our case) to run without being detected. After the file drop and execution, the payload moves to the next step, which is the C&C communication. As mentioned above, if the HKLMSOFTWAREMicrosoftWindowsCurrentVersionApp Paths360safe.exePath registry key is not found, the flow just skips to this step. First, the hardcoded C&C address is added as a mutex. Next, the following victim’s information is gathered: Hostname CPU – by retrieving a value of HKLMHARDWAREDESCRIPTIONSystemCentralProcessor ~MHz registry key Memory status Drive Type Processor Type – by calling GetNativeSystemInfo and checking the value of wProcessorArchitecture. Next, the malware checks if any of the following processes are running on the victim’s PC: 360tray.exe – 360 Total Security 360sd.exe – 360 Total Security kxetray.exe – Kingsoft Internet Security KSafeTray.exe – Kingsoft Internet Security QQPCRTP.exe – Tencent HipsTray.exe – HeroBravo System Diagnostics BaiduSd.exe – Baidu Anti-Virus baiduSafeTray.exe – Baidu Anti-Virus KvMonXP.exe – Jiangmin Anti-Virus RavMonD.exe – Rising Anti-Virus QUHLPSVC.EXE – Quick Heal Anti-Virus mssecess.exe – Microsoft MSE cfp.exe – COMODO Internet Security SPIDer.exe acs.exe V3Svc.exe – AhnLab V3 Internet Security AYAgent.aye – ALYac Software avgwdsvc.exe – AVG Internet Security f-secure.exe – F‑Secure Anti‑Virus avp.exe – Kaspersky Anti-Virus Mcshield.exe – McAfee Anti-Virus egui.exe – ESET Smart Security knsdtray.exe TMBMSRV.exe – Trend Micro Internet Security avcenter.exe – Avira Anti-Virus ashDisp.exe – Avast Anti-Virus rtvscan.exe – Symantec Anti-Virus remupd.exe – Panda software vsserv.exe – Bitdefender Total Security PSafeSysTray.exe – PSafe System Tray ad-watch.exe K7TSecurity.exe – K7Security Suite UnThreat.exe – UnThreat Anti-Virus It seems that after this check is complete, all the collected information, including which security products are running, is sent to the C&C server. The last stage of this attack is the download and execution of the Purple Fox Rootkit. Purple Fox uses the msi.dll function, ‘MsiInstallProductA’, to download and execute its payload. The payload is a .msi file that contains encrypted shellcode including 32-bit and 64-bit versions. Once executed, the system will be restarted with the ‘PendingFileRenameOperations’ registry to rename its components. In our case the Purple Fox Rootkit is downloaded from hxxp://144.48.243[.]79:17674/C558B828.Png. Calldriver.exe Used to shut down and block initiation of 360 AV processes from the kernel space.