Malicious Telegram Installer Drops Purple Fox Rootkit

This AutoIt script is the first stage of the attack which creates a new folder named “TextInputh” under C:UsersUsernameAppDataLocalTemp and drops a legitimate Telegram installer (which is not even executed) and a malicious downloader (TextInputh.exe).
When executed, TextInputh.exe creates a new folder named “1640618495” under the C:UsersPublicVideos directory. TextInputh.exe file is used as a downloader for the next stage of the attack. It contacts a C&C server and downloads two files to the newly created folder:

1.rar – which contains the files for the next stage. 7zz.exe – a legitimate 7z archiver.
2.The 7zz.exe is used to unarchive 1.rar, which contains the following files.

Next, TextInputh.exe performs the following actions:

Copies 360.tct with “360.dll” name, rundll3222.exe and svchost.txt to the ProgramData folder
Executes ojbk.exe with the “ojbk.exe -a” command line
Deletes 1.rar and 7zz.exe and exits the process
ojbk.exe

When executed with the “-a” argument, this file is only used to reflectively load the malicious 360.dll file.

This DLL is responsible for reading the dropped svchost.txt file. After which, a new HKEY_LOCAL_MACHINESYSTEMSelectMarkTime registry key is created, whose value equals the current time of svchost.exe and then, the svchost.txt payload is executed.

As the attack flow continues, this file appears to contain the byte code of the next stage of the malicious payload executed by the 360.dll. As the first action of svchost.txt, it checks for the existence of the HKLMSOFTWAREMicrosoftWindowsCurrentVersionApp Paths360safe.exePath registry key. If the registry key is found, the attack flow will perform an additional step before moving on to the next stage:

The attack drops five more files into the ProgramData folder:

-Calldriver.exe – this file is used to shut down and block initiation of 360 AV
-Driver.sys – after this file is dropped, a new system driver service named “Driver” is created and started on the infected PC and bmd.txt is created in the ProgramData folder.
-dll.dll – executed after UAC bypass. The UAC bypass technique used by svchost.txt is a “UAC bypass using CMSTPLUA COM interface” and is well described here. This technique is commonly used by the LockBit and BlackMatter ransomware authors. The dll.dll is executed with the “C:ProgramDatadll.dll, luohua” command line.
-kill.bat – a batch script which is executed after the file drop ends.
-speedmem2.hg – SQLite file

All these files work together to shut down and block the initiation of 360 AV processes from the kernel space, thus allowing the next stage attack tools (Purple Fox Rootkit, in our case) to run without being detected.

After the file drop and execution, the payload moves to the next step, which is the C&C communication. As mentioned above, if the HKLMSOFTWAREMicrosoftWindowsCurrentVersionApp Paths360safe.exePath registry key is not found, the flow just skips to this step.

First, the hardcoded C&C address is added as a mutex. Next, the following victim’s information is gathered:

Hostname
CPU – by retrieving a value of HKLMHARDWAREDESCRIPTIONSystemCentralProcessor ~MHz registry key
Memory status
Drive Type
Processor Type – by calling GetNativeSystemInfo and checking the value of wProcessorArchitecture.

Next, the malware checks if any of the following processes are running on the victim’s PC:

360tray.exe – 360 Total Security
360sd.exe – 360 Total Security
kxetray.exe – Kingsoft Internet Security
KSafeTray.exe – Kingsoft Internet Security
QQPCRTP.exe – Tencent
HipsTray.exe – HeroBravo System Diagnostics
BaiduSd.exe – Baidu Anti-Virus
baiduSafeTray.exe – Baidu Anti-Virus
KvMonXP.exe – Jiangmin Anti-Virus
RavMonD.exe – Rising Anti-Virus
QUHLPSVC.EXE – Quick Heal Anti-Virus
mssecess.exe – Microsoft MSE
cfp.exe – COMODO Internet Security
SPIDer.exe
acs.exe
V3Svc.exe – AhnLab V3 Internet Security
AYAgent.aye – ALYac Software
avgwdsvc.exe – AVG Internet Security
f-secure.exe – F‑Secure Anti‑Virus
avp.exe – Kaspersky Anti-Virus
Mcshield.exe – McAfee Anti-Virus
egui.exe – ESET Smart Security
knsdtray.exe
TMBMSRV.exe – Trend Micro Internet Security
avcenter.exe – Avira Anti-Virus
ashDisp.exe – Avast Anti-Virus
rtvscan.exe – Symantec Anti-Virus
remupd.exe – Panda software
vsserv.exe – Bitdefender Total Security
PSafeSysTray.exe – PSafe System Tray
ad-watch.exe
K7TSecurity.exe – K7Security Suite
UnThreat.exe – UnThreat Anti-Virus
It seems that after this check is complete, all the collected information, including which security products are running, is sent to the C&C server.

The last stage of this attack is the download and execution of the Purple Fox Rootkit. Purple Fox uses the msi.dll function, ‘MsiInstallProductA’, to download and execute its payload. The payload is a .msi file that contains encrypted shellcode including 32-bit and 64-bit versions. Once executed, the system will be restarted with the ‘PendingFileRenameOperations’ registry to rename its components. In our case the Purple Fox Rootkit is downloaded from hxxp://144.48.243[.]79:17674/C558B828.Png.
Calldriver.exe

Used to shut down and block initiation of 360 AV processes from the kernel space.

Sign Up For Threat Alerts

Loading...
Threats Icon

Aug 11, 2022

Cisco Talos shares insights related to recent...

Initial access to the Cisco VPN was achieved via the successful compromise of a Cisco...

Threats Icon

Aug 11, 2022

Andariel deploys DTrack and Maui ransomware

The CISA published an alert, entitled, "North Korean State-Sponsored Cyber Actors Use Maui Ransomware To...

Threats Icon

Aug 09, 2022

Albanian Government Organizations Targeted By Possible Iranian...

Mandiant identified the ROADSWEEP ransomware family and a Telegram persona which targeted the Albanian government...

Threats Icon

Aug 08, 2022

BumbleBee Roasts Its Way to Domain Admin

Threat actors used BumbleBee as the initial access vector. BumbleBee is a malware loader that...

Threats Icon

Aug 08, 2022

RapperBot – new evolving malware

FortiGuard Labs has been tracking a rapidly evolving IoT malware family known as "RapperBot". This...

Threats Icon

Aug 04, 2022

Google Drive And Dropbox Used By APT29...

Cloaked Ursa (aka: APT29) has been targeting governmental entities in several countries with spear-phishing campaigns...

Threats Icon

Aug 03, 2022

Manjusaka: A Chinese sibling of Sliver and...

Cisco Talos recently discovered a new attack framework called "Manjusaka" being used in the wild...

Threats Icon

Aug 03, 2022

macOS Targeted With The CloudMensis Multi-Staged Malware

ESET researchers discovered a previously unknown macOS backdoor that spies on users of the compromised...

Threats Icon

Aug 01, 2022

Attackers Target Ukraine With GoMet Backdoor

Since the Russian invasion of Ukraine began, Ukrainians have been under a nearly constant barrage...

Threats Icon

Jul 31, 2022

Untangling KNOTWEED: European private-sector offensive actor using...

The Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) found a...

Threats Icon

Jul 31, 2022

Untangling KNOTWEED: European private-sector offensive actor using...

The Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) found a...

Threats Icon

Jul 26, 2022

EvilNum Targets Cryptocurrency, Forex, Commodities

Proofpoint Threat Research observed the group Proofpoint calls TA4563 targeting various European financial and investment...

Threats Icon

Jul 25, 2022

Lightning Framework: New Undetected “Swiss Army Knife”...

Lightning is a previously undocumented and undetected Linux threat. Lightning is a modular framework we...

Threats Icon

Jul 24, 2022

Redeemer Ransomware

Redeemer 2.0 Being Distributed Via Affiliate Program Cyble Research Labs has constantly been tracking emerging...

Threats Icon

Jul 21, 2022

Cobalt Strikes again: UAC-0056 continues to target...

The Malwarebytes Threat Intelligence team recently reviewed a series of cyber attacks against Ukraine that...