The operators of the Purple Fox malware have retooled their arsenal with a new variant of a remote access trojan called FatalRAT, while also upgrading their evasion mechanisms to bypass security software.
“Users’ machines were targeted through trojanized software packages masquerading as application installers,” Trend Micro researchers said in a report published on March 25, 2022.
The findings build on previous research from Minerva Labs, which shed light on a similar mode of operation that leverages fraudulent Telegram apps to distribute backdoors. Other disguised software installers include WhatsApp, Adobe Flash Player, and Google Chrome.
These packages act as a first-stage loader, triggering an infection chain that leads to the deployment of a second-stage payload from a remote server and culminates in the execution of a binary that inherits its capabilities from FatalRAT.
FatalRAT is a C++-based implant designed to run commands and exfiltrate sensitive information to a remote server, with the malware authors incrementally updating the backdoor with new functionality.
The RAT is responsible for loading and executing the backend modules based on checks performed on the victim system. “Changes are possible if a specific [antivirus] agent is running or if a registry key is found. Ancillary modules are intended to support specific team goals.”
Furthermore, Purple Fox, which comes with a rootkit module, supports five different commands, including copying and deleting files from the kernel as well as evading anti-virus engines by intercepting calls sent to the file system.
The findings also follow recent revelations from cybersecurity firm Avast, which detail a new campaign involving the Purple Fox framework that acts as a deployment channel for another, potentially linked botnet known as DirtyMoe.
“The operators of the Purple Fox botnet remain active and continuously update their arsenals with new malware and upgrade the malware variants they possess,” the researchers said. “They are also trying to improve their signed rootkit arsenal to evade [antivirus] and attempt to bypass detection mechanisms by targeting them with custom signed kernel drivers.”