Malicious Telegram Installer Drops Purple Fox Rootkit

This AutoIt script is the first stage of the attack which creates a new folder named “TextInputh” under C:UsersUsernameAppDataLocalTemp and drops a legitimate Telegram installer (which is not even executed) and a malicious downloader (TextInputh.exe).
When executed, TextInputh.exe creates a new folder named “1640618495” under the C:UsersPublicVideos directory. TextInputh.exe file is used as a downloader for the next stage of the attack. It contacts a C&C server and downloads two files to the newly created folder:

1.rar – which contains the files for the next stage. 7zz.exe – a legitimate 7z archiver.
2.The 7zz.exe is used to unarchive 1.rar, which contains the following files.

Next, TextInputh.exe performs the following actions:

Copies 360.tct with “360.dll” name, rundll3222.exe and svchost.txt to the ProgramData folder
Executes ojbk.exe with the “ojbk.exe -a” command line
Deletes 1.rar and 7zz.exe and exits the process

When executed with the “-a” argument, this file is only used to reflectively load the malicious 360.dll file.

This DLL is responsible for reading the dropped svchost.txt file. After which, a new HKEY_LOCAL_MACHINESYSTEMSelectMarkTime registry key is created, whose value equals the current time of svchost.exe and then, the svchost.txt payload is executed.

As the attack flow continues, this file appears to contain the byte code of the next stage of the malicious payload executed by the 360.dll. As the first action of svchost.txt, it checks for the existence of the HKLMSOFTWAREMicrosoftWindowsCurrentVersionApp Paths360safe.exePath registry key. If the registry key is found, the attack flow will perform an additional step before moving on to the next stage:

The attack drops five more files into the ProgramData folder:

-Calldriver.exe – this file is used to shut down and block initiation of 360 AV
-Driver.sys – after this file is dropped, a new system driver service named “Driver” is created and started on the infected PC and bmd.txt is created in the ProgramData folder.
-dll.dll – executed after UAC bypass. The UAC bypass technique used by svchost.txt is a “UAC bypass using CMSTPLUA COM interface” and is well described here. This technique is commonly used by the LockBit and BlackMatter ransomware authors. The dll.dll is executed with the “C:ProgramDatadll.dll, luohua” command line.
-kill.bat – a batch script which is executed after the file drop ends.
-speedmem2.hg – SQLite file

All these files work together to shut down and block the initiation of 360 AV processes from the kernel space, thus allowing the next stage attack tools (Purple Fox Rootkit, in our case) to run without being detected.

After the file drop and execution, the payload moves to the next step, which is the C&C communication. As mentioned above, if the HKLMSOFTWAREMicrosoftWindowsCurrentVersionApp Paths360safe.exePath registry key is not found, the flow just skips to this step.

First, the hardcoded C&C address is added as a mutex. Next, the following victim’s information is gathered:

CPU – by retrieving a value of HKLMHARDWAREDESCRIPTIONSystemCentralProcessor ~MHz registry key
Memory status
Drive Type
Processor Type – by calling GetNativeSystemInfo and checking the value of wProcessorArchitecture.

Next, the malware checks if any of the following processes are running on the victim’s PC:

360tray.exe – 360 Total Security
360sd.exe – 360 Total Security
kxetray.exe – Kingsoft Internet Security
KSafeTray.exe – Kingsoft Internet Security
QQPCRTP.exe – Tencent
HipsTray.exe – HeroBravo System Diagnostics
BaiduSd.exe – Baidu Anti-Virus
baiduSafeTray.exe – Baidu Anti-Virus
KvMonXP.exe – Jiangmin Anti-Virus
RavMonD.exe – Rising Anti-Virus
QUHLPSVC.EXE – Quick Heal Anti-Virus
mssecess.exe – Microsoft MSE
cfp.exe – COMODO Internet Security
V3Svc.exe – AhnLab V3 Internet Security
AYAgent.aye – ALYac Software
avgwdsvc.exe – AVG Internet Security
f-secure.exe – F‑Secure Anti‑Virus
avp.exe – Kaspersky Anti-Virus
Mcshield.exe – McAfee Anti-Virus
egui.exe – ESET Smart Security
TMBMSRV.exe – Trend Micro Internet Security
avcenter.exe – Avira Anti-Virus
ashDisp.exe – Avast Anti-Virus
rtvscan.exe – Symantec Anti-Virus
remupd.exe – Panda software
vsserv.exe – Bitdefender Total Security
PSafeSysTray.exe – PSafe System Tray
K7TSecurity.exe – K7Security Suite
UnThreat.exe – UnThreat Anti-Virus
It seems that after this check is complete, all the collected information, including which security products are running, is sent to the C&C server.

The last stage of this attack is the download and execution of the Purple Fox Rootkit. Purple Fox uses the msi.dll function, ‘MsiInstallProductA’, to download and execute its payload. The payload is a .msi file that contains encrypted shellcode including 32-bit and 64-bit versions. Once executed, the system will be restarted with the ‘PendingFileRenameOperations’ registry to rename its components. In our case the Purple Fox Rootkit is downloaded from hxxp://144.48.243[.]79:17674/C558B828.Png.

Used to shut down and block initiation of 360 AV processes from the kernel space.

Sign Up For Threat Alerts

Threats Icon

Jan 18, 2022

Destructive malware targeting Ukrainian organizations

Microsoft Threat Intelligence Center (MSTIC) has identified evidence of a destructive malware operation targeting multiple...

Threats Icon

Jan 17, 2022

Iranian MOIS hacker group MuddyWater

Iranian MOIS hacker group MuddyWater is using a suite of malware to conduct espionage and...

Threats Icon

Jan 16, 2022

Abcbot – An Evolution of Xanthe

Abcbot, the emerging botnet that was recently analyzed and reported on, has a longer history...

Threats Icon

Jan 13, 2022

Night Sky is the latest ransomware targeting...

According to MalwareHunterTeam, who first spotted the new ransomware, the Night Sky operation has two...

Threats Icon

Jan 12, 2022

New SysJoker Backdoor Targets Windows, Linux, and...

Malware targeting multiple operating systems has become no exception in the malware threat landscape. Vermilion...

Threats Icon

Jan 10, 2022

New Konni Campaign Targeting Russian Ministry Of...

Black Lotus Labs, the threat research team of Lumen Technologies, uncovered a series of targeted...

Threats Icon

Jan 09, 2022

Elephant Beetle

Sygnia's Incident Response (IR) team has been tracking a financially motivated threat group targeting and...

Threats Icon

Jan 06, 2022

A Simple Batch File That Blocks Computer...

The script uses the BlockInput() API call through a PowerShell one-liner, which blocks interaction with...

Threats Icon

Jan 05, 2022

New Zloader Banking Malware Campaign Exploiting Microsoft...

An ongoing ZLoader malware campaign has been uncovered exploiting remote monitoring tools and a nine-year-old...

Threats Icon

Jan 04, 2022

The dirty dozen of Latin America: From...

Latin American banking trojans are an ongoing, evolving threat They target mainly Brazil, Spain, and...

Threats Icon

Jan 02, 2022

Flagpro: The new malware used by BlackTech

BlackTech has been actively attacking, some attack cases against Japanese companies were observed. BlackTech uses...

Threats Icon

Dec 29, 2021

Dridex Distributed with “Merry Christmas!” Excel File

Dridex is a banking malware that collects a user's banking credentials and performs malicious behaviors...

Threats Icon

Dec 28, 2021

New Rook Ransomware Feeds Off the Code...

Rook claimed its first victim: a Kazkh financial institution from which the Rook operators had...

Threats Icon

Dec 27, 2021

Malicious Notepad++ installers push StrongPity malware

The sophisticated hacking group known as StrongPity is circulating laced Notepad++ installers that infect targets...

Threats Icon

Dec 26, 2021

“Spider-Man: No Way Home” Download Installs Cryptominer

The origin of the Monero cryptominer file has been traced to a Russian torrent website,...