The Purple Fox malware is once again making headlines globally after cyber-security researchers sounded the alarm about fake Telegram Messenger installers currently being used to compromise devices.
According to research published by Minerva Labs, the Purple Fox rootkit infection differs from intrusions that typically take advantage of legitimate software to drop malicious payloads.
The malware infects a device in several stages. Once the fake Telegram installer has been downloaded, its AutoIt script drops a legitimate installer for the chat app alongside a malicious downloader named "TextInputh.exe"; the downloader is then executed to retrieve the next-stage malware.
The downloaded files then block antivirus software before proceeding to the final stage, which downloads and executes the Purple Fox rootkit.
“We found a large number of malicious installers delivering the same Purple Fox rootkit version using the same attack chain. It seems as though some were delivered via email, whereas others we assume were downloaded from phishing websites,” researcher Natalie Zargarov said in the research report.
During the investigation, the researchers found that the threat actor kept most of the attack under the radar by splitting it into several small files, most of which had very low detection rates among antivirus engines, “with the final stage leading to Purple Fox rootkit infection”.