The Purple Fox malware, first spotted in 2018, has been retooled with a new variant of a remote access trojan (RAT) called FatalRAT, and its evasion mechanisms have been upgraded to bypass security software.
FatalRAT is designed to run commands and exfiltrate sensitive data back to a remote server, with the malware operators gradually updating the backdoor with new functionality.
Purple Fox ships with a rootkit module and supports five commands, including deleting and copying files from kernel mode. It also evades antivirus engines by intercepting calls sent to the file system.
In a report published on March 25, 2022, Trend Micro researchers said that users' machines are targeted via trojanized software packages masquerading as legitimate application installers. The installers are actively distributed online to trick users and grow the botnet's overall infrastructure.
“Operators of the Purple Fox botnet are still active and consistently updating their arsenal with new malware, while also upgrading the malware variants they have,” the researchers said. “They are also trying to improve their signed rootkit arsenal for [antivirus] evasion and trying to bypass detection mechanisms by targeting them with customized signed kernel drivers.”
Prior research from Minerva Labs documented a similar approach that used fake Telegram applications to distribute the backdoor. Other disguised software installers include Adobe Flash Player, WhatsApp, and Google Chrome.
These packages act as a first-stage loader, triggering an infection sequence that retrieves a second-stage payload from a remote server and culminates in the execution of a binary that inherits its features from FatalRAT.
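Because the chain starts with a user running an installer that is not what it claims to be, and because the operators rely on signed kernel drivers for evasion, the two things a defender can check cheaply are the Authenticode signature of a downloaded installer and the signers of the drivers already on a host. The following PowerShell is an added example written for this page; it is not code from Trend Micro, Minerva Labs, or the article, and the expected-publisher pattern and the download path in the usage lines are assumptions you replace with your own. It should be run from an elevated PowerShell 5.1 or later session on Windows.

```powershell
# Added example (not from the Trend Micro report): triage helpers for the two
# artifacts this campaign abuses, trojanized installers and signed kernel drivers.

function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Substring you expect in the signer's Subject, e.g. 'O=Google LLC'.
        # This is an operator-supplied assumption; the page names no publisher strings.
        [string] $ExpectedSubjectPattern
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    # A signature that verifies is not enough: a trojanized installer can carry a
    # perfectly valid signature from the wrong publisher, so require both.
    $subjectOk = $false
    if ($sig.Status -eq 'Valid' -and $ExpectedSubjectPattern) {
        $subjectOk = $subject -like "*$ExpectedSubjectPattern*"
    }

    [pscustomobject]@{
        Path          = $Path
        Status        = $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, ...
        StatusMessage = $sig.StatusMessage
        Signer        = $subject
        Thumbprint    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
        Sha256        = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        SafeToTrust   = ($sig.Status -eq 'Valid') -and $subjectOk
    }
}

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName comes in several spellings; normalise them so the
    # file can actually be opened for signature checking.
    param([string] $PathName)
    if (-not $PathName) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''                     # strip NT "\??\" prefix
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"      # \SystemRoot\... -> C:\Windows\...
    if ($p -match '^[Ss]ystem32\\') { $p = Join-Path $env:SystemRoot $p }   # relative System32\...
    return $p
}

function Get-NonMicrosoftDriverSigners {
    # Heuristic triage: list installed kernel drivers whose Authenticode signer is not
    # a Microsoft certificate (WHQL-signed drivers carry a Microsoft signer and are
    # therefore excluded). Legitimate third-party vendors will appear here too; the
    # goal is a short list to review by hand, not a verdict.
    Get-CimInstance -ClassName Win32_SystemDriver |
        ForEach-Object {
            $file = Resolve-DriverPath $_.PathName
            if (-not $file -or -not (Test-Path -LiteralPath $file)) { return }   # skip this item
            $sig = Get-AuthenticodeSignature -FilePath $file
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            if ($subject -notmatch 'Microsoft') {
                [pscustomobject]@{
                    Name   = $_.Name
                    State  = $_.State
                    Path   = $file
                    Status = $sig.Status
                    Signer = $subject
                }
            }
        }
}

# Usage (paths and publisher pattern are placeholders, adjust for your download):
# Test-InstallerSignature -Path "$env:USERPROFILE\Downloads\installer.exe" -ExpectedSubjectPattern 'Telegram'
# Get-NonMicrosoftDriverSigners | Format-Table -AutoSize
```

The `SafeToTrust` field is deliberately strict: `Status` equal to `Valid` only tells you the file has not been tampered with since signing, while the subject check is what catches an installer signed by someone other than the vendor it impersonates. The driver listing is a starting point for review; compare any unexpected signer and path against the drivers you know are installed on a clean build of the same image.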
“The RAT is responsible for loading and executing the auxiliary modules based on checks performed on the victim systems,” the researchers said. “Changes can happen if specific [antivirus] agents are running or if registry keys are found. The auxiliary modules are intended to support the group’s specific objectives.”
The findings also follow a recent disclosure from cybersecurity firm Avast detailing a new campaign in which the Purple Fox exploitation framework acted as a deployment channel for another botnet called DirtyMoe.