Rewterz Threat Alert – Purple Fox Rootkit Distributed Using Malicious Telegram Installer – Active IOCs

Severity

Medium

Analysis Summary

This sophisticated attack delivers the Purple Fox Rootkit by dividing the attack process into multiple separate stages that are useless unless the entire file set is present. 

1. A malicious script “Telegram Desktop.exe” is an Autolt script which runs to create a new folder “TextInputh” that drops a malicious downloader with the same name.
2. Then TextInputh.exe creates a new folder 1640618495 the video directory that contacts the C&C server to download two files:
   • 1.rar
   • 7zz.exe
3. TextInputh.exe executes the ojbk.exe that runs with the “-a” argument to load the malicious 360.dll file.
4. Next the svchost.txt runs to drop five more files:
   • Calldriver.exe
   • Driver.sys
   • dll.dll
   • kill.bat
   • speedmem2.hg
5. These files work together to shut down and block 360 AV processes from the kernel space. This later installs the Purple Fox Rootkit.

Following information is gathered by the malware and sent to the C&C:

1. Hostname
2. CPU – by retrieving a value of HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ ~MHz registry key
3. Memory status
4. Drive Type
5. Processor Type

The Purple Fox payloads are downloaded and executed next. 

Purple Fox Rootkit File Creation Flow from Minerva Labs

Impact

• Gain Access
• Exposure of Sensitive Data

Indicators of Compromise

IP

• 193[.]164[.]223[.]77
• 144[.]48[.]243[.]79

MD5

• ed1b74827b64fc8913af19b1b745ad1a
• c398b504f74500d6a1a47f72bb45bc83
• b947575d0cd7e171bdd38b89b38084da
• 7c728bdeba5659be53cf9ef243b1902e
• 96187e12ed4a6f4306516b48634c0926
• 50d39beb37c8bec70015a8fd1414b867
• 963a8b3d307992b6e623ff39e34e6a4c
• 7c074b14a54f7b3846e51cfca778f66f

SHA-256

• 41769d751fa735f253e96a02d0cccadfec8c7298666a4caa5c9f90aaa826ecd1
• bae1270981c0a2d595677a7a1fefe8087b07ffea061571d97b5cd4c0e3edb6e0
• 797a8063ff952a6445c7a32b72bd7cd6837a3a942bbef01fc81ff955e32e7d0c
• 26487eff7cb8858d1b76308e76dfe4f5d250724bbc7e18e69a524375cee11fe4
• b5128b709e21c2a4197fcd80b072e7341ccb335a5decbb52ef4cee2b63ad0b3e
• e2c463ac2d147e52b5a53c9c4dea35060783c85260eaac98d0aaeed2d5f5c838
• 638fa26aea7fe6ebefe398818b09277d01c4521a966ff39b77035b04c058df60
• 4bdfa7aa1142deba5c6be1d71c3bc91da10c24e4a50296ee87bf2b96c731b7fa

SHA-1

• 4628df1e4771b8566565e6879a4dfbfdb82616ed
• 05a33dbc4b239580748570b6d87a680c61102a11
• e59180bc09cb85a3dbe7aa8d92ef45a8c746adf6
• bdd481fbf10b46c8cc6c29d84bdd8a06a33611bc
• c92e2310328c56268ec8d0630e0f4177f71cec41
• ef6f226412e67e65166df0ce36fd7a661838fb8a
• 750ea11a6cc6cbfdcad22c9eb2d63286608dac87
• 78647b1f0fdc544f512b9cf8aa65198e309a9afd

URL

• http[:]//193[.]164[.]223[.]77[:]7456/h?=1640618495
• http[:]//193[.]164[.]223[.]77[:]7456/77
• http[:]//144[.]48[.]243[.]79[:]17674/C558B828[.]Png

Remediation

• Ensure anti-virus software and associated files are up to date.
• Search for existing signs of the indicated IoCs in your environment.
• Consider blocking and or setting up detection for all URL and IP based IoCs.
• Keep applications and operating systems running at the current released patch level.