Trojanized installers of the Telegram messaging application are being used to distribute Purple Fox malware, a Windows-based rootkit that is used to establish persistence and deliver further payloads onto a system.
The installer for the malicious Telegram application is an AutoIt script that creates two files: the legitimate Telegram application and the malicious executable. The AutoIt script then executes the malicious executable, which downloads the next stage of the infection. The second stage includes a DLL file that is reflectively loaded onto the system. From there, the malware reads and loads yet another file, which first checks whether the anti-virus program 360 Total Security is installed on the system. If it is, the malware downloads further files that are used to stop the execution of this particular anti-virus (AV) solution. If it is not, the malware proceeds to communicate with its command-and-control (C2) infrastructure: it gathers system information, checks for any further security products installed, and sends that information to the server. Finally, the Purple Fox payload itself is downloaded onto the system in the form of an .msi file that contains encrypted shellcode. The Purple Fox payload forces the system to restart in order to make registry changes, such as disabling user account control (UAC), take effect.
The attack is particularly effective due to the number of different files used in the infection chain. This helps the threat actor evade AV detection: each file on its own is useless without the entire set, which makes it harder for AV products to flag any single file as malicious.
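Because no single file in the chain looks malicious on its own, a defender is better served by correlating behaviour across the whole process tree than by scanning files one at a time. The following added example (not code from the original post) does that over constructed, Sysmon-style process, file and registry events: it alerts only when one process tree shows all three stages described above, namely an installer that drops two executables and launches one of them, an MSI install among its descendants, and the UAC value EnableLUA set to 0. The file names, PIDs and event layout are assumptions; EnableLUA under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System is the real UAC registry value.

```python
"""Correlate constructed endpoint telemetry for the installer -> dropper -> MSI chain above."""
from collections import defaultdict

UAC_KEY_SUFFIX = "\\Policies\\System\\EnableLUA"  # real UAC value under HKLM\...\CurrentVersion
TMP = "C:\\Users\\u\\AppData\\Local\\Temp\\"

# Constructed sample events (not from the original post); fields loosely follow Sysmon.
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "pid": 100, "ppid": 1, "image": "C:\\Users\\u\\Downloads\\Telegram_Setup.exe"},
    {"type": "FileCreate", "pid": 100, "target": TMP + "Telegram.exe"},  # legitimate client
    {"type": "FileCreate", "pid": 100, "target": TMP + "stage1.exe"},    # placeholder malicious exe
    {"type": "ProcessCreate", "pid": 101, "ppid": 100, "image": TMP + "Telegram.exe"},
    {"type": "ProcessCreate", "pid": 102, "ppid": 100, "image": TMP + "stage1.exe"},
    {"type": "ProcessCreate", "pid": 103, "ppid": 102, "image": "C:\\Windows\\System32\\msiexec.exe"},
    {"type": "RegistrySet", "pid": 103, "key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion" + UAC_KEY_SUFFIX, "value": "0"},
    # Benign noise: an installer that drops a single file and never touches UAC.
    {"type": "ProcessCreate", "pid": 200, "ppid": 1, "image": "C:\\Users\\u\\Downloads\\other_setup.exe"},
    {"type": "FileCreate", "pid": 200, "target": "C:\\Program Files\\Other\\other.exe"},
    {"type": "ProcessCreate", "pid": 201, "ppid": 200, "image": "C:\\Program Files\\Other\\other.exe"},
]


def find_chains(events):
    """Return {root_pid: findings} for process trees showing all three stages of the chain."""
    image, children, dropped, uac_pids = {}, defaultdict(set), defaultdict(set), set()
    for e in events:
        if e["type"] == "ProcessCreate":
            image[e["pid"]] = e["image"].lower()
            children[e["ppid"]].add(e["pid"])
        elif e["type"] == "FileCreate" and e["target"].lower().endswith(".exe"):
            dropped[e["pid"]].add(e["target"].lower())
        elif e["type"] == "RegistrySet" and e["key"].endswith(UAC_KEY_SUFFIX) and e["value"] == "0":
            uac_pids.add(e["pid"])

    def subtree(pid):  # pid plus all of its descendants
        return {pid} | set().union(*(subtree(c) for c in children[pid]))

    alerts = {}
    for pid, files in dropped.items():
        tree, findings = subtree(pid), set()
        # Stage 1: wrote two or more executables and launched one of them (the AutoIt dropper).
        if len(files) >= 2 and any(image.get(c) in files for c in children[pid]):
            findings.add("drops-and-executes")
        # Stage 2: an MSI payload is installed somewhere in the dropper's process tree.
        if any(image[p].endswith("\\msiexec.exe") for p in tree if p in image):
            findings.add("msi-payload")
        # Stage 3: EnableLUA set to 0 from within the tree (takes effect on the forced reboot).
        if uac_pids & tree:
            findings.add("uac-disabled")
        if len(findings) == 3:
            alerts[pid] = findings
    return alerts
```

Running `find_chains(SAMPLE_EVENTS)` flags only the tree rooted at PID 100; the single-file installer under PID 200 produces no findings, and dropping the RegistrySet event leaves the chain one stage short of an alert.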