Purple Fox malware operators have expanded their arsenal with a new variant of the remote access trojan FatalRAT and, at the same time, improved the malware's ability to evade security software.

“Users’ machines are targeted via trojanized software packages masquerading as legitimate application installers,” Trend Micro researchers said in a report published on March 25, 2022. “The installers are actively distributed online to trick users and increase the overall botnet infrastructure.”

The findings follow earlier research by Minerva Labs, which described the same delivery method: fake Telegram installers used to spread the backdoor. Besides Telegram, the trojanized installers also impersonate WhatsApp, Adobe Flash Player, and Google Chrome.

These packages act as the first-stage loader: they start an infection chain that retrieves a second-stage payload from a remote server and culminates in the execution of a binary carrying FatalRAT's functionality.

FatalRAT, a C++-based implant, is designed to run commands and exfiltrate sensitive information to a remote server, and its authors have extended the backdoor with new functionality.

“The RAT is responsible for loading and executing the auxiliary modules based on checks performed on the victim systems,” the researchers said. “Changes can happen if specific [antivirus] agents are running or if registry keys are found. The auxiliary modules are intended as support for the group’s specific objectives.”

Purple Fox also includes a rootkit module that supports five commands, among them copying and deleting files from kernel mode and intercepting calls directed at the file system in order to evade antivirus engines.

The findings also follow recent disclosures from cybersecurity firm Avast, which detailed a new campaign in which the Purple Fox exploitation framework served as a deployment channel for another botnet, DirtyMoe.

“Operators of the Purple Fox botnet are still active and consistently updating their arsenal with new malware, while also upgrading the malware variants they have,” the researchers said. “They are also trying to improve their signed rootkit arsenal for [antivirus] evasion and trying to bypass detection mechanisms by targeting them with customized signed kernel drivers.”
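Two checks follow from the article: the trojanized installers described above can only work if the user runs a file that merely looks like a Telegram, WhatsApp or Chrome installer, and the signed kernel drivers mentioned here show that "signed" is not the same as "trusted". The PowerShell below is an added example, not code from the Trend Micro report, from Purple Fox, or from any vendor; it uses only the built-in Get-AuthenticodeSignature, Get-FileHash and Get-CimInstance cmdlets. The publisher patterns (such as 'O=Telegram' and 'O=Microsoft Corporation'), the file name tsetup.exe and the function names are assumptions for illustration; confirm the expected signer subject against a known-good copy of each installer before relying on it.

```powershell
# Added example (not code from the Trend Micro report or from Purple Fox itself).
# (1) Verify that a downloaded installer is signed by the publisher it claims to be from.
# (2) List the publishers behind the kernel drivers currently loaded, because a valid
#     signature from an unexpected publisher is what this article says the operators abuse.

function Test-InstallerSignature {
    <#
      Checks the Authenticode signature of an installer and compares the signer's
      certificate subject with the publisher you expect. The expected-subject pattern
      must be confirmed against a known-good copy; the values in the usage lines below
      are assumptions, not authoritative.
    #>
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSubjectPattern
    )
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $sha256 = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

    # Both conditions must hold: the chain verifies AND the subject is the expected
    # publisher. A "Valid" signature from some other company is exactly what a
    # trojanized installer can present.
    $trusted = ($sig.Status -eq 'Valid') -and ($signer -match $ExpectedSubjectPattern)

    [pscustomobject]@{
        Path    = $Path
        Sha256  = $sha256
        Status  = $sig.Status
        Signer  = $signer
        Trusted = $trusted
    }
}

function Get-LoadedDriverSigners {
    <#
      Lists running kernel drivers with signature status and signer subject, flagging
      those whose signer matches none of the trusted-publisher patterns. The result is a
      triage list for review, not a verdict. Note that Microsoft drivers are usually
      catalog-signed; on current Windows builds they still report Valid here.
    #>
    param(
        # Assumed starting allow-list; extend it with the vendors actually present on your hosts.
        [string[]] $TrustedSubjectPatterns = @('O=Microsoft Corporation')
    )
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # Normalize the NT-style paths WMI reports (\??\C:\..., \SystemRoot\...) into Win32 paths.
            $file = $_.PathName -replace '^\\\?\?\\', ''
            $file = $file -replace '^\\SystemRoot', $env:SystemRoot
            $file = $file -replace '^system32\\', "$env:SystemRoot\system32\"
            if (-not (Test-Path -LiteralPath $file)) { return }

            $sig    = Get-AuthenticodeSignature -FilePath $file
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            $known  = $false
            foreach ($p in $TrustedSubjectPatterns) { if ($signer -match $p) { $known = $true } }

            [pscustomobject]@{
                Name   = $_.Name
                Path   = $file
                Status = $sig.Status
                Signer = $signer
                Review = -not $known
            }
        }
}

# Usage (file name and subject pattern are assumptions; confirm them against a known-good copy):
# Test-InstallerSignature -Path "$env:USERPROFILE\Downloads\tsetup.exe" -ExpectedSubjectPattern 'O=Telegram'
# Get-LoadedDriverSigners | Where-Object Review | Format-Table Name, Status, Signer, Path -AutoSize
```

The installer check deliberately requires both a valid chain and the expected subject, since a Valid status alone only proves that some certificate holder signed the file. The driver listing is meant to be run on a clean baseline first, so that the Review column on a later run highlights newly appeared signers rather than every third-party driver the host has always had.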