How Is Purple Fox Malware Distributed through Malicious Telegram Installers?

A malicious Telegram for Desktop installer distributes the Purple Fox malware, which then installs further malicious payloads on the affected device. The installer is a compiled AutoIt script named “Telegram Desktop.exe” that drops multiple files: a real Telegram installer and a malicious downloader.

The legitimate Telegram installer dropped alongside the downloader isn’t run, but the AutoIt program does run the downloader (TextInputh.exe).

When TextInputh.exe is executed, it creates a new folder under “C:\Users\Public\Videos” and connects to the C2 to download a 7z utility and a RAR archive (1.rar). The archive contains the payload and the configuration files, and the 7z program unpacks everything into the ProgramData folder.


What actions does TextInputh.exe perform on the compromised machine?

  • Copies 360.tct with “360.dll” name, rundll3222.exe, and svchost.txt to the ProgramData folder
  • Executes ojbk.exe with the “ojbk.exe -a” command line
  • Deletes 1.rar and 7zz.exe and exits the process

Next, a registry key is created for persistence, a DLL (rundll3222.dll) disables UAC, the payload (scvhost.txt) is executed, and the following five additional files are dropped onto the infected system:

  • Calldriver.exe
  • Driver.sys
  • dll.dll
  • kill.bat
  • speedmem2.hg

The purpose of these extra files is to collectively block the initiation of 360 AV processes and prevent the detection of Purple Fox on the compromised machine. The next step for the malware is to gather basic system information, check if any security tools are running on it, and finally send all that to a hardcoded C2 address.
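The dropped files and the “ojbk.exe -a” launch described above give a defender concrete things to look for on a suspect host. The following PowerShell host-triage script is an added example, not code from the original article or from the Minerva Labs analysis it summarises: it searches the two folders named in the article for the listed file names and runs a small matcher over process-creation records. The sample process records are constructed for the example, the folder depth is an assumption (the article does not say where under ProgramData the files land), and the field names (Image, CommandLine, ParentImage) follow the Sysmon event 1 layout so the matcher can be pointed at real exports.

```powershell
# Added example (not from the original article): triage a host for the file
# and process artifacts the writeup attributes to the TextInputh.exe downloader.
# Run from an elevated prompt so ProgramData is fully readable.

# File names taken from the article's description of the dropper.
$DroppedFileNames = @(
    '360.dll', 'rundll3222.exe', 'rundll3222.dll', 'svchost.txt', 'ojbk.exe',
    'Calldriver.exe', 'Driver.sys', 'dll.dll', 'kill.bat', 'speedmem2.hg',
    '1.rar', '7zz.exe', 'TextInputh.exe'
)

function Find-DroppedArtifacts {
    # Looks for the listed names under the two folders the article mentions.
    # Depth 2 is an assumption; widen it if your environment nests deeper.
    param(
        [string[]]$Roots = @($env:ProgramData, 'C:\Users\Public\Videos'),
        [string[]]$Names = $DroppedFileNames
    )
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -Depth 2 -ErrorAction SilentlyContinue |
            Where-Object { $Names -contains $_.Name } |
            Select-Object FullName, Length, CreationTimeUtc
    }
}

# Constructed sample of process-creation records (Sysmon event 1 style fields)
# so the matcher below can be exercised offline.
$SampleProcessEvents = @(
    [pscustomobject]@{ Image = 'C:\Users\Public\Videos\TextInputh.exe'; CommandLine = 'TextInputh.exe'; ParentImage = 'C:\Users\alice\Downloads\Telegram Desktop.exe' }
    [pscustomobject]@{ Image = 'C:\ProgramData\ojbk.exe';                CommandLine = 'ojbk.exe -a';   ParentImage = 'C:\Users\Public\Videos\TextInputh.exe' }
    [pscustomobject]@{ Image = 'C:\Windows\System32\notepad.exe';        CommandLine = 'notepad.exe';   ParentImage = 'C:\Windows\explorer.exe' }
)

function Find-SuspiciousProcessEvents {
    # Flags records matching the behaviours the article describes:
    # the "ojbk.exe -a" launch, execution out of C:\Users\Public\Videos,
    # and the 7zz.exe extraction helper.
    param([object[]]$Events)
    foreach ($e in $Events) {
        $reasons = @()
        if ($e.CommandLine -match '(?i)\bojbk\.exe\s+-a\b')        { $reasons += 'ojbk.exe -a launch' }
        if ($e.Image -match '(?i)^C:\\Users\\Public\\Videos\\')     { $reasons += 'execution from C:\Users\Public\Videos' }
        if ($e.Image -match '(?i)\\7zz\.exe$')                      { $reasons += '7zz.exe extraction helper' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Image       = $e.Image
                CommandLine = $e.CommandLine
                Parent      = $e.ParentImage
                Reason      = ($reasons -join '; ')
            }
        }
    }
}

# Usage: the live file sweep, then the matcher over the constructed sample.
Find-DroppedArtifacts | Format-Table -AutoSize
Find-SuspiciousProcessEvents -Events $SampleProcessEvents | Format-Table -AutoSize
```

On the constructed sample, the first two records are flagged (execution from the Public\Videos folder, and the “ojbk.exe -a” command line) while the notepad.exe record is not. To run the matcher over real data, feed it objects with the same three fields, for example from a Sysmon event export.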

Once this reconnaissance process is completed, Purple Fox is downloaded from the C2 in the form of a .msi file that contains encrypted shellcode for both 32 and 64-bit systems. Upon execution of Purple Fox, the infected machine will be restarted for the new registry settings to take effect, most importantly, the disabled User Account Control (UAC).

Which three registry keys are changed to achieve this?

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop

Disabling UAC matters because it gives any program that runs on the infected system, including viruses and malware, administrator privileges. In general, UAC prevents the unauthorized installation of apps and changes to system settings, so it should stay active on Windows at all times.
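Because the whole chain hinges on those three values, checking them is a quick and cheap control. The PowerShell script below is an added example, not code from the original article: it reads the three values (EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop) from the policy key the article names and reports whether each still holds a safe setting, then looks for Sysmon registry-write events touching them. The Sysmon log name and event ID 13 (RegistryEvent, value set) are Sysmon's standard ones; the query assumes Sysmon is installed with a rule that covers that key, and returns nothing otherwise.

```powershell
# Added example (not from the original article): audit the three UAC policy
# values the article lists and surface Sysmon records of writes to them.
# Run in an elevated PowerShell prompt on the host being checked.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Test-UacPolicy {
    # Safe settings:
    #   EnableLUA                  = 1 (0 turns UAC off; takes effect after reboot)
    #   ConsentPromptBehaviorAdmin <> 0 (0 = elevate silently, no prompt at all)
    #   PromptOnSecureDesktop      = 1 (prompt on the isolated secure desktop)
    # A missing value means Windows is using its default, which is treated as safe.
    param([string]$Key = $PolicyKey)

    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    $findings = @()

    $enableLua = $props.EnableLUA
    $findings += [pscustomobject]@{
        Value   = 'EnableLUA'
        Current = $enableLua
        Safe    = ($null -eq $enableLua -or $enableLua -eq 1)
        Note    = '0 = UAC disabled'
    }

    $consent = $props.ConsentPromptBehaviorAdmin
    $findings += [pscustomobject]@{
        Value   = 'ConsentPromptBehaviorAdmin'
        Current = $consent
        Safe    = ($null -eq $consent -or $consent -ne 0)
        Note    = '0 = elevate without prompting'
    }

    $secure = $props.PromptOnSecureDesktop
    $findings += [pscustomobject]@{
        Value   = 'PromptOnSecureDesktop'
        Current = $secure
        Safe    = ($null -eq $secure -or $secure -eq 1)
        Note    = '0 = prompt on the normal desktop, which other programs can overlay'
    }
    return $findings
}

function Get-UacTamperEvents {
    # Sysmon event 13 records "value set" operations when a matching rule exists.
    # Returns the events whose target is one of the three UAC values.
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 13 }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Policies\\System\\(EnableLUA|ConsentPromptBehaviorAdmin|PromptOnSecureDesktop)' } |
        Select-Object TimeCreated, Message
}

# Usage: print the audit table, then any recorded writes to those values.
Test-UacPolicy | Format-Table -AutoSize
Get-UacTamperEvents | Format-List
```

Any row with Safe set to False on a machine that has not been deliberately configured that way deserves follow-up, and the article's point about the reboot means an EnableLUA of 0 can sit dormant until the next restart, so check the registry value rather than relying on whether prompts still appear.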

Undermining it allows Purple Fox to carry out malicious functions such as file search and exfiltration, process killing, deletion of data, downloading and executing code, and even spreading to other Windows systems.

At this time, it is unclear how the malware is being distributed, but similar campaigns impersonating legitimate software have been spread through YouTube videos, forum spam, and shady software sites.
