JAKARTA - A fake Telegram instant messaging application is currently circulating on the Internet; if you do not already have Telegram, do not be tempted to download this installer.

According to a report by cybersecurity firm Minerva Labs, someone is distributing two files bundled in one download that together deliver malware dubbed PurpleFox.

Uniquely, the PurpleFox malware can evade anti-virus detection by splitting the attack into smaller pieces that fly under the radar.

The PurpleFox attack managed to evade detection by anti-virus products such as Avira, ESET, Kaspersky, McAfee, Panda, Trend Micro, Symantec, and many more.

"We frequently observe threat actors using legitimate software to drop malicious files. But this time it was different. The perpetrators of this threat were able to leave most attacks under the radar by splitting attacks into small files, most of which had a very low detection rate by anti-virus engines, with the late stages leading to Purple Fox rootkit infection," the researchers said.

It should be noted that Minerva Labs identified the installer as a compiled AutoIt script named "Telegram Desktop.exe"; one of the two files is the legitimate program, while the AutoIT script launches the downloader (TextInputh.exe).

According to TechRadar on Wednesday, January 5th, the malware first scans the device, disables any defense mechanisms it finds and installs some registry entries; once ready, it signals the Command and Control (C2) server so that the stage-two download can begin.

When TextInputh.exe is run, it creates a new folder ("1640618495") under "C:\Users\Public\Videos\" and connects to the C2 server to download the 7z utility and a RAR archive (1.rar).

The RAR archive contains the payload and configuration files, and the 7z program unpacks everything into the ProgramData folder. TextInputh.exe then performs several actions on the infected device.

Among other things, it copies 360.tct into the ProgramData folder under the names "360.dll", rundll3222.exe and svchost.txt, runs ojbk.exe with the command line "ojbk.exe -a", then deletes 1.rar and 7zz.exe and exits.

It then drops five additional files onto the infected system: Calldriver.exe, Driver.sys, dll.dll, kill.bat and speedmem2.hg. Together these files kill the 360 anti-virus protection process and block it from starting again from kernel space, allowing the next-stage attack tools to run undetected.
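A defender-side correlation of the file and process indicators in the chain described above, as an added example that is not part of the article or of Minerva Labs' report; the event format, the helper names and the sample telemetry are assumptions:

```python
import re
# Indicator names and paths are taken from the article above.
STAGING_DIR = re.compile(r"^c:\\users\\public\\videos\\\d+\\", re.IGNORECASE)
PROGRAMDATA_COPIES = {"360.dll", "rundll3222.exe", "svchost.txt"}
AV_KILLER_FILES = {"calldriver.exe", "driver.sys", "dll.dll", "kill.bat", "speedmem2.hg"}
OJBK_LAUNCH = re.compile(r"\bojbk\.exe\"?\s+-a\b", re.IGNORECASE)

def classify(event):
    """Return the indicator labels one telemetry event matches (empty if none)."""
    hits = []
    if event["type"] == "FileCreate":
        path = event["target"]
        name = path.rsplit("\\", 1)[-1].lower()
        if STAGING_DIR.match(path):                       # numeric folder under Public\Videos
            hits.append("staging_dir_public_videos")
        if path.lower().startswith("c:\\programdata\\") and name in PROGRAMDATA_COPIES:
            hits.append("programdata_copy:" + name)       # 360.tct copied under new names
        if name in AV_KILLER_FILES:
            hits.append("av_killer_drop:" + name)         # files used against 360 anti-virus
    elif event["type"] == "ProcessCreate":
        if event.get("image", "").lower().endswith("\\textinputh.exe"):
            hits.append("textinputh_dropper")
        if OJBK_LAUNCH.search(event.get("cmdline", "")):
            hits.append("ojbk_exe_dash_a")
    return hits

def scan(events):
    """Correlate hits per host: a single file name collides easily, so flag only
    when three or more distinct indicator families are seen together."""
    hits, families = [], set()
    for ev in events:
        for h in classify(ev):
            hits.append(h)
            families.add(h.split(":")[0])
    return {"hits": hits, "families": sorted(families), "flag": len(families) >= 3}

# Constructed sample telemetry (not real logs); 1.rar's location in the numeric folder is assumed.
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "image": "C:\\Users\\bob\\Downloads\\TextInputh.exe",
     "cmdline": "\"C:\\Users\\bob\\Downloads\\TextInputh.exe\""},
    {"type": "FileCreate", "target": "C:\\Users\\Public\\Videos\\1640618495\\1.rar"},
    {"type": "FileCreate", "target": "C:\\ProgramData\\360.dll"},
    {"type": "ProcessCreate", "image": "C:\\ProgramData\\ojbk.exe", "cmdline": "ojbk.exe -a"},
    {"type": "FileCreate", "target": "C:\\ProgramData\\Driver.sys"},
    {"type": "FileCreate", "target": "C:\\Users\\bob\\Videos\\cat.mp4"},  # benign
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))
```

The three-family threshold is a starting point; tune it against your own telemetry, since names like svchost.txt or dll.dll will appear in benign noise.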

"The beauty of this attack is that each stage is separated into a different file which is useless without the entire file set. This helps attackers protect their files from anti-virus detection," said the Minerva Labs researchers.

After blocking 360 anti-virus, the malware compiles a list of system information, checks whether any of a long list of security tools is running, and finally sends all of this information to a hardcoded C2 address.

For your information, Purple Fox, which first appeared in 2018, is a malware campaign that until March 2021 required user interaction or some kind of third-party tool to infect Windows machines.

Minerva Labs says that it frequently encounters large numbers of malicious installers that ship versions of the Purple Fox rootkit using the same attack chain. It is not entirely clear how they were distributed, although the researchers believe that some were sent via email, while others may have been downloaded from phishing sites.


The English, Chinese, Japanese, Arabic, and French versions are automatically generated by the AI. So there may still be inaccuracies in translating, please always see Indonesian as our main language. (system supported by DigitalSiber.id)