Purple Fox: What it is, How it works and How to prevent it.

2 min readJan 20, 2022

Purple Fox was discovered in 2018 and has been spread through various means, including phishing emails, malicious links, and exploit kits. Purple Fox is a Trojan downloader that possesses rootkit properties for avoiding detection among other defences.

This article will explore Purple Fox, how it works and how you can prevent it.

What is Purple Fox?

Purple Fox is a Trojan downloader that includes rootkit properties for avoiding detection, among other defences. It can deliver different threats to the computer, and, usually, will do so after the victim loads a corrupted site’s Exploit Kit or EK.

A malicious Telegram for Desktop installer distributes the Purple Fox malware to install further malicious payloads on infected devices.

Users should preserve secure browser settings, let anti-malware solutions block or remove Purple Fox, and re-secure any potentially collected data, such as passwords.

How does Purple Fox Work?

Purple Fox is a malicious Telegram installer developed as a compiled AutoIt script. Upon implementation, a legitimate Telegram installer is dropped but never used — together with a malicious downloader called TextInputh.exe.

The attack is then separated into various small files, a technique that Minerva says allowed the threat actor to reflect under the radar. Most of the files “had very low detection rates by AV engines, with the final stage leading to Purple Fox rootkit infection.”

TextInputh.exe creates a new folder and connects to the malware’s command-and-control (C2) server. 2 new files are then downloaded and implemented, which unpack. RAR archives and a file used to bundle a malicious reflectively.DLL.

A registry key is created to enable persistence on an infected machine. Five further files are plunged into the ProgramData folder to perform functions, including closing down a wide range of antivirus processes before Purple Fox is finally deployed.

How to prevent Purple Fox?

Below are some tips that will help prevent your system from falling victim to Purple Fox.

1. Never neglect your cybersecurity awareness training.

2. Regularly updating and patching your system(s)

3. Adding more advanced layers of security to your network will increase your Purple Fox prevention.

4. Securing and restricting privileges to administrator tools is important to enforce the principle of least privilege.

Conclusion

Exploit Kits (EK) used to be the most popularly used malware in years past. Later, they have gone the way of dial-up — essentially phased out by different malware and tools that can do what EKs do and more.

Purple Fox is an EK that uses the tried-and-true practice of regularly revamping itself with new exploits to stay ahead of the pack of compromised system prospects.