Experts have warned users to beware a malware downloader pretending to be an installer for popular communications platform Telegram.
According to cybersecurity researchers Minerva Labs, someone is distributing two files in a single download - one is a legitimate Telegram installer, while the other one is an AutoIT program, also a downloader, but for the PurpleFox malware.
When downloaded, the Telegram one doesn’t run, but the AutoIT one does. It seems to be a two-stage application, with the first stage being scouting and reconnaissance. The malware will first scan the device, disable any defense mechanisms, install a few registry entries, and once it’s ready, it will signal to its Command and Control (C2) server, and the download of the stage two malware can begin.
Flying under the radar
Stage two, the actual Purple Fox, can do plenty of damage to the target device, from file search and exfiltration, to process killing, data deletion, as well as worming into other Windows systems, or downloading and running other malicious code.
While Minerva labs’ report doesn’t dig deeper into who is behind the attack, it does say that the multi-stage approach makes it harder for cybersecurity solutions to spot and mitigate the threat.
“This threat actor was able to leave most parts of the attack under the radar by separating the attack into several small files, most of which had very low detection rates by AV (antivirus) engines, with the final stage leading to Purple Fox rootkit infection,” it explains.
It also said that the files are being distributed in different ways, from email, to phishing websites. The good news is that by the time the researchers published their results, the C2 server was already down.
Remember folks, always make sure to download your software from legitimate sources, and to question everything you get in an email.
- You might also want to check out our list of the best firewalls right now