The operators of the Purple Fox malware have retooled their malware arsenal with a new variant of a remote access trojan called FatalRAT, while also simultaneously upgrading their evasion mechanisms to bypass security software.
“Users’ machines are targeted via trojanized software packages masquerading as legitimate application installers,” Trend Micro researchers said in a report published on March 25, 2022. “The installers are actively distributed online to trick users and increase the overall botnet infrastructure.”
These findings are consistent with earlier research by Minerva Labs, which documented the same method of using fraudulent Telegram apps to spread the backdoor. Other installers used as disguises include WhatsApp, Adobe Flash Player and Google Chrome.
These packages act as a first-stage loader, triggering an infection sequence that leads to the deployment of a second-stage payload from a remote server and culminating in the execution of a binary that inherits its features from FatalRAT.
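Because the first stage in this campaign is a trojanized installer rather than an exploit, the most direct check a user or help desk can apply is to verify a downloaded installer against the hash the vendor publishes before running it. The following script is an added example for this article, not code from Trend Micro or the malware; the file contents and the reference hash are constructed stand-ins, and `EXPECTED_SHA256` is a placeholder table that in practice would hold values copied from the publisher's download page over a trusted channel.

```python
import hashlib
import hmac
import os
import tempfile

# Placeholder allow-list: in practice populated from the publisher's download page
# or release notes, obtained over a trusted channel (not from the same link as the file).
EXPECTED_SHA256 = {
    "telegram-setup.exe": "PLACEHOLDER-replace-with-vendor-published-sha256",
}


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a large installer never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_installer(path, expected_hex):
    """Return (ok, actual_hex). Uses a constant-time compare for the digest strings."""
    actual = sha256_of_file(path)
    ok = hmac.compare_digest(actual.lower(), expected_hex.lower())
    return ok, actual


def demo():
    """Constructed sample: one 'genuine' file and one with extra bytes appended,
    mimicking an installer that was repackaged with a loader."""
    with tempfile.TemporaryDirectory() as tmp:
        genuine = os.path.join(tmp, "telegram-setup.exe")
        tampered = os.path.join(tmp, "telegram-setup-repacked.exe")
        with open(genuine, "wb") as fh:
            fh.write(b"genuine installer bytes (constructed sample)")
        with open(tampered, "wb") as fh:
            fh.write(b"genuine installer bytes (constructed sample)" + b"\x90" * 16)
        # The genuine file's hash stands in for the vendor-published value here.
        reference = sha256_of_file(genuine)
        ok_genuine, _ = verify_installer(genuine, reference)
        ok_tampered, _ = verify_installer(tampered, reference)
        return ok_genuine, ok_tampered


if __name__ == "__main__":
    print(demo())
```

Hash verification only helps when the reference value comes from somewhere the attacker does not control; a hash printed next to a trojanized download link proves nothing. It is a complement to, not a replacement for, checking the installer's code signature against the expected publisher.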
FatalRAT is a C++-based implant designed to run commands and exfiltrate sensitive information back to a remote server, with the malware authors incrementally updating the backdoor with new functionality.
“The RAT is responsible for loading and executing the auxiliary modules based on checks performed on the victim systems,” the researchers said. “Changes can happen if specific [antivirus] agents are running or if registry keys are found. These auxiliary modules support the specific goals of the group.”
Additionally, Purple Fox comes with a rootkit module that supports five commands, including copying and deleting files from the kernel. The rootkit also lets the malware evade antivirus engines by intercepting file system calls.
These findings follow disclosures by cybersecurity firm Avast that detailed a campaign in which the Purple Fox exploit framework was used as a channel to deploy DirtyMoe’s botnet.
“The operators of the Purple Fox botnet remain active, and they are constantly updating their malware arsenals with new malware. They also upgrade the existing malware versions,” the researchers stated. “They are trying to increase their signature rootkit arsenal to avoid [antivirus] detection and to target them with custom signed kernel drivers.”