
Rewterz Threat Alert – Purple Fox Rootkit Distributed Using Malicious Telegram Installer – Active IOCs

January 4, 2022

Severity

Medium

Analysis Summary

This attack delivers the Purple Fox Rootkit by splitting the infection into several separate stages, each of which is useless unless the entire file set is present.

  1. A malicious “Telegram Desktop.exe” is an AutoIt script that runs to create a new folder, “TextInputh”, into which it drops a malicious downloader of the same name.
  2. TextInputh.exe then creates a new folder named 1640618495 under the video directory and contacts the C&C server to download two files:
    • 1.rar
    • 7zz.exe
  3. TextInputh.exe executes ojbk.exe, which runs with the “-a” argument to load the malicious 360.dll file.
  4. Next, svchost.txt runs to drop five more files:
    • Calldriver.exe
    • Driver.sys
    • dll.dll
    • kill.bat
    • speedmem2.hg
  5. These files work together to shut down and block the 360 AV processes from kernel space; the Purple Fox Rootkit is installed afterwards.

The following information is gathered by the malware and sent to the C&C:

  1. Hostname
  2. CPU – by retrieving the value of the HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz registry key
  3. Memory status
  4. Drive Type
  5. Processor Type

The Purple Fox payloads are downloaded and executed next. 

[Figure: Purple Fox Rootkit File Creation Flow, from Minerva Labs]

Impact

  • Gain Access
  • Exposure of Sensitive Data

Indicators of Compromise

IP

  • 193[.]164[.]223[.]77
  • 144[.]48[.]243[.]79

MD5

  • ed1b74827b64fc8913af19b1b745ad1a
  • c398b504f74500d6a1a47f72bb45bc83
  • b947575d0cd7e171bdd38b89b38084da
  • 7c728bdeba5659be53cf9ef243b1902e
  • 96187e12ed4a6f4306516b48634c0926
  • 50d39beb37c8bec70015a8fd1414b867
  • 963a8b3d307992b6e623ff39e34e6a4c
  • 7c074b14a54f7b3846e51cfca778f66f

SHA-256

  • 41769d751fa735f253e96a02d0cccadfec8c7298666a4caa5c9f90aaa826ecd1
  • bae1270981c0a2d595677a7a1fefe8087b07ffea061571d97b5cd4c0e3edb6e0
  • 797a8063ff952a6445c7a32b72bd7cd6837a3a942bbef01fc81ff955e32e7d0c
  • 26487eff7cb8858d1b76308e76dfe4f5d250724bbc7e18e69a524375cee11fe4
  • b5128b709e21c2a4197fcd80b072e7341ccb335a5decbb52ef4cee2b63ad0b3e
  • e2c463ac2d147e52b5a53c9c4dea35060783c85260eaac98d0aaeed2d5f5c838
  • 638fa26aea7fe6ebefe398818b09277d01c4521a966ff39b77035b04c058df60
  • 4bdfa7aa1142deba5c6be1d71c3bc91da10c24e4a50296ee87bf2b96c731b7fa

SHA-1

  • 4628df1e4771b8566565e6879a4dfbfdb82616ed
  • 05a33dbc4b239580748570b6d87a680c61102a11
  • e59180bc09cb85a3dbe7aa8d92ef45a8c746adf6
  • bdd481fbf10b46c8cc6c29d84bdd8a06a33611bc
  • c92e2310328c56268ec8d0630e0f4177f71cec41
  • ef6f226412e67e65166df0ce36fd7a661838fb8a
  • 750ea11a6cc6cbfdcad22c9eb2d63286608dac87
  • 78647b1f0fdc544f512b9cf8aa65198e309a9afd

URL

  • http[:]//193[.]164[.]223[.]77[:]7456/h?=1640618495
  • http[:]//193[.]164[.]223[.]77[:]7456/77
  • http[:]//144[.]48[.]243[.]79[:]17674/C558B828[.]Png

Remediation

  • Ensure anti-virus software and associated files are up to date.
  • Search for existing signs of the indicated IoCs in your environment.
  • Consider blocking and/or setting up detection for all URL- and IP-based IoCs.
  • Keep applications and operating systems running at the current released patch level.
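As an added example that is not part of the Rewterz advisory, the Python script below turns the remediation bullet "search for existing signs of the indicated IoCs" into a small, offline hunt: it refangs the IP, URL and hash indicators listed above, scans log lines for the C2 addresses (with octet boundaries so a longer address does not match by accident), checks file bytes against the MD5/SHA-1/SHA-256 lists, and flags process image paths whose file name appears in the infection chain (TextInputh.exe, ojbk.exe, 360.dll, Calldriver.exe and the rest). The log lines and image paths it runs over are constructed sample data, not from the advisory; the file-name check is a weak signal on its own, since names like svchost.txt and dll.dll are trivially changed.

```python
import hashlib
import re
from typing import Dict, List, Tuple

# Indicators copied from the advisory, kept defanged so the list is safe to
# paste around; refang() turns them back into matchable values.
DEFANGED_IPS = ["193[.]164[.]223[.]77", "144[.]48[.]243[.]79"]
DEFANGED_URLS = [
    "http[:]//193[.]164[.]223[.]77[:]7456/h?=1640618495",
    "http[:]//193[.]164[.]223[.]77[:]7456/77",
    "http[:]//144[.]48[.]243[.]79[:]17674/C558B828[.]Png",
]
KNOWN_HASHES = {
    "md5": {
        "ed1b74827b64fc8913af19b1b745ad1a", "c398b504f74500d6a1a47f72bb45bc83",
        "b947575d0cd7e171bdd38b89b38084da", "7c728bdeba5659be53cf9ef243b1902e",
        "96187e12ed4a6f4306516b48634c0926", "50d39beb37c8bec70015a8fd1414b867",
        "963a8b3d307992b6e623ff39e34e6a4c", "7c074b14a54f7b3846e51cfca778f66f",
    },
    "sha1": {
        "4628df1e4771b8566565e6879a4dfbfdb82616ed", "05a33dbc4b239580748570b6d87a680c61102a11",
        "e59180bc09cb85a3dbe7aa8d92ef45a8c746adf6", "bdd481fbf10b46c8cc6c29d84bdd8a06a33611bc",
        "c92e2310328c56268ec8d0630e0f4177f71cec41", "ef6f226412e67e65166df0ce36fd7a661838fb8a",
        "750ea11a6cc6cbfdcad22c9eb2d63286608dac87", "78647b1f0fdc544f512b9cf8aa65198e309a9afd",
    },
    "sha256": {
        "41769d751fa735f253e96a02d0cccadfec8c7298666a4caa5c9f90aaa826ecd1",
        "bae1270981c0a2d595677a7a1fefe8087b07ffea061571d97b5cd4c0e3edb6e0",
        "797a8063ff952a6445c7a32b72bd7cd6837a3a942bbef01fc81ff955e32e7d0c",
        "26487eff7cb8858d1b76308e76dfe4f5d250724bbc7e18e69a524375cee11fe4",
        "b5128b709e21c2a4197fcd80b072e7341ccb335a5decbb52ef4cee2b63ad0b3e",
        "e2c463ac2d147e52b5a53c9c4dea35060783c85260eaac98d0aaeed2d5f5c838",
        "638fa26aea7fe6ebefe398818b09277d01c4521a966ff39b77035b04c058df60",
        "4bdfa7aa1142deba5c6be1d71c3bc91da10c24e4a50296ee87bf2b96c731b7fa",
    },
}
# File names from the infection chain described in the advisory (weak signal).
CHAIN_FILE_NAMES = {
    "textinputh.exe", "ojbk.exe", "360.dll", "svchost.txt", "calldriver.exe",
    "driver.sys", "dll.dll", "kill.bat", "speedmem2.hg",
}


def refang(indicator: str) -> str:
    """Undo the [.] and [:] defanging used in the advisory."""
    return indicator.replace("[.]", ".").replace("[:]", ":")


C2_IPS = [refang(ip) for ip in DEFANGED_IPS]
C2_URLS = [refang(url).lower() for url in DEFANGED_URLS]
# Anchor each IP so a longer address that merely contains it does not match.
IP_PATTERNS = [re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])") for ip in C2_IPS]


def scan_log_lines(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, indicator) for each line mentioning a C2 URL or IP.

    A full URL hit is reported in preference to the bare IP inside it, so a
    line yields at most one hit.
    """
    hits: List[Tuple[int, str]] = []
    for number, line in enumerate(lines, start=1):
        lowered = line.lower()
        url = next((u for u in C2_URLS if u in lowered), None)
        if url is not None:
            hits.append((number, url))
            continue
        for ip, pattern in zip(C2_IPS, IP_PATTERNS):
            if pattern.search(line):
                hits.append((number, ip))
                break
    return hits


def match_hashes(data: bytes) -> Dict[str, str]:
    """Digest file bytes with MD5, SHA-1 and SHA-256; report algorithms whose
    digest appears in the advisory's hash lists (empty dict means no match)."""
    digests = {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }
    return {alg: digest for alg, digest in digests.items() if digest in KNOWN_HASHES[alg]}


def chain_file_name_hits(image_paths: List[str]) -> List[str]:
    """Return the image paths whose file name is one used in the infection chain."""
    return [p for p in image_paths
            if p.replace("\\", "/").rsplit("/", 1)[-1].lower() in CHAIN_FILE_NAMES]


# Constructed sample data (not from the advisory): two proxy/firewall lines that
# reference the C2 infrastructure, two that do not, and process image paths of
# the kind an EDR or Sysmon process-creation feed would carry.
SAMPLE_LOG_LINES = [
    '2022-01-04T10:15:02Z host=WS-017 GET url="http://193.164.223.77:7456/h?=1640618495" status=200',
    '2022-01-04T10:15:03Z host=WS-017 GET url="https://example.com/index.html" status=200',
    '2022-01-04T10:16:40Z host=WS-022 dst=144.48.243.79 dport=17674 action=allow',
    '2022-01-04T10:17:01Z host=WS-022 dst=10.0.0.5 dport=443 action=allow',
]
SAMPLE_IMAGE_PATHS = [
    r"C:\Users\user\Videos\1640618495\ojbk.exe",
    r"C:\Windows\System32\svchost.exe",
    r"C:\Users\user\AppData\Local\Temp\TextInputh\TextInputh.exe",
]

if __name__ == "__main__":
    for number, indicator in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"log line {number}: C2 indicator {indicator}")
    for path in chain_file_name_hits(SAMPLE_IMAGE_PATHS):
        print(f"image path matches infection-chain file name: {path}")
    print("hash check on constructed benign bytes:",
          match_hashes(b"benign constructed content") or "no match")
```

To use this against real data, feed `scan_log_lines` the lines of a proxy or firewall export, `match_hashes` the bytes of files found in the dropped-folder locations the advisory names, and `chain_file_name_hits` the image paths from process-creation telemetry; treat a hash or C2 hit as high confidence and a file-name hit as a lead to pivot on.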
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.