Fake Telegram Desktop installers can infect our PC with Purple Fox malware (previously hiding in Windows)


In March 2021, a malware called Purple Fox was discovered that had the ability to scan and infect Windows systems accessible through the Internet and then carry out attacks. It was not a new malware, since 2018 it was known because managed to infect computers thanks to phishing emails and exploit kits.

Phishing: what it is and different types that exist

Ahora, Purple Fox you are accessing computers through fake Telegram for Desktop installers, taken from pages that are not official, pretending to be the version of this messaging application intended for PCs. According to what is known, there is a malicious Telegram for Desktop installer that distributes this Purple Fox malware to install more malicious programs on the infected devices.

Ransomware: what it is, how it infects and how to protect yourself

How can you tell if your PC is infected

According to Minerva Labs, the installer is a compiled script from AutoIt called “Telegram Desktop.exe” (you can see the icon in the following image) that leaves two icons, a real Telegram installer and a malicious one.

Telegram Icon 1

Thus, while the legitimate Telegram installer that appears next to the downloader does not run, the AutoIT program does (TextInputh.exe). This AutoIt script is the first part of the attack. Create a new folder called “TextInputh” at C: Users Username AppData Local Temp. There legitimate Telegram installer icon is saved, not even running, and also a malicious downloader (TextInputh.exe). You can see it in this image and you can look at your C disk to verify that this file is missing.

Compiled Autoit 1

When TextInputh.exe runs, it generates a new folder (“1640618495”) at “C: C: Users Public Videos ” and will connect to C2 to download a 7z utility and a RAR file (1.rar). The archive contains the payload and configuration files, ** while the 7z program unpacks them all in the ProgramData folder **.

What can this malware do on an infected PC

Purple Fox Rootkit Flow

When it succeeds in infecting a PC, TextInputh.exe performs the following actions: first it copies 360.tct with name “360.dll”, rundll3222.exe and svchost.txt to the ProgramData folder. After that, run ojbk.exe with the command line “ojbk.exe -a”, delete 1.rar and 7zz.exe and exit the process. According to the details from Minerva Labs, below, a registry key is created for persistence, DLL disables User Account Control and the payload (scvhost.txt) is executed. After this, five files are installed on the computer.

"Microsoft is the best host in the world for malware"According to a former employee in his security area

The purpose of these files is to prevent the security tools you have on your computer from detecting Purple Fox. The malware’s next step is to collect basic system information, check if any security tools are running, and finally send all of that to an encrypted C2 address. After this, Purple Fox is downloaded from C2 as an .msi file with encrypted shellcode for 32-bit and 64-bit systems.


Please enter your comment!
Please enter your name here