Operators behind Purple Fox have reportedly modified their attack infrastructure with new tools. Trend Micro’s report reveals that the attackers are using trojanized software packages masquerading as legitimate application installers to gain initial entry into the victim’s network. The impersonated installers are actively distributed on various online platforms to trick users and increase the overall botnet infrastructure.
In addition to this, the attackers have also unleashed a new variant of FatalRAT malware that includes new evasion techniques.
How does the infection chain unfold?
The findings follow prior research from Minerva Labs that shed light on a similar modus operandi of leveraging fraudulent Telegram applications to distribute the backdoor.
As part of the campaign, the attackers use popular legitimate application names like Telegram, WhatsApp, Adobe, and Chrome to hide their malicious package installers to distribute Purple Fox.
Most of the applications impersonated are commonly used by Chinese users.
These packages act as a first-stage loader, triggering an infection sequence that leads to the deployment of a second-stage payload from a remote server and culminating in the execution of a binary that inherits its features from FatalRAT.
Tools leveraged to distribute Purple Fox malware
Trend Micro further talks about the tools employed by Purple Fox malware. These include a compressed RAR package, second stage loaders, and a file svchost.txt which has all the components of the malicious portable executable (PE) module.
Additionally, FatalRAT is leveraged to launch the malware. The RAT is responsible for loading and executing auxiliary modules based on checks performed on the victim systems.
Conclusion
Operators of the Purple Fox malware are still active and consistently updating their arsenal with new malware. They are also trying to improve their signed rootkit arsenal for evasion and trying to bypass detection mechanisms by targeting them with customized signed kernel drivers.