New FatalRAT Model: Purple Fox Hackers Are Increasing Their Botnet Infrastructure

March 31, 2022 · 4 min read

Purple Fox malware has been wreaking all sorts of havoc on personal computers since 2018, infecting more than 30,000 machines globally. The latest studies found that Purple Fox hackers continue improving their infrastructure and adding new backdoors.

To expand the botnet, Purple Fox is spreading trojanized installers that masquerade as legitimate software packages. The disturbing part is that the attackers have developed a new arrival vector powered by early-stage loaders.

The upgraded malware FatalRAT is a fresh variant of a remote access trojan with a signed rootkit arsenal for antivirus evasion.

FatalRAT Detection

Our newest Sigma-based detection by Nattatorn Chuensangarun detects FatalRAT behavior retooled by Purple Fox malware operators to bypass security software.

Possible FatalRAT Behaviour Evasion by bypass Security Software (via process_creation)

The rule is aligned with the latest MITRE ATT&CK® framework v.10, addressing the Process Discovery (T1057), Command and Scripting Interpreter (T1059), and Process Injection (T1055) techniques.

Another Sigma rule created by our prolific Threat Bounty developer Emir Erdogan detects FatalRAT registry behaviors.

Possible FatalRAT Behaviour (via reg.exe)

The rule addresses the Modify Registry (T1112) and Obfuscated Files or Information (T1027) MITRE ATT&CK® techniques.
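As an added illustration (not SOC Prime's rules, whose logic is not reproduced here), the Python below evaluates two Sigma-style selections mapped to the T1112 and T1057 techniques named above against constructed process_creation events; the field conditions and the user-writable-parent heuristic are assumptions made for the demonstration.

```python
import re

# Constructed Sysmon-style process_creation events; not real telemetry.
EVENTS = [
    {"Image": r"C:\Users\bob\Downloads\Telegram_setupA.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Users\bob\Downloads\Telegram_setupA.exe"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "ParentImage": r"C:\Users\bob\Downloads\Telegram_setupA.exe",
     "CommandLine": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v upd /t REG_SZ /d C:\Users\bob\AppData\Local\Temp\svc.exe /f"},
    {"Image": r"C:\Windows\System32\tasklist.exe",
     "ParentImage": r"C:\Users\bob\Downloads\Telegram_setupA.exe",
     "CommandLine": "tasklist /svc"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion /v ProductName"},
]

# Parent launched from a user-writable location (Downloads, Temp, AppData):
# an assumed proxy for a trojanized installer, not a condition from the rules above.
USER_WRITABLE = r"\\(Downloads|Temp|AppData)\\"

# Sigma-style selections: every field regex in a selection must match (AND);
# a rule fires when any of its selections matches (OR). Conditions are illustrative.
RULES = [
    {"title": "reg.exe registry modification from user-writable parent",
     "technique": "T1112",
     "selections": [{"Image": r"\\reg\.exe$", "CommandLine": r"^reg\s+add\s",
                     "ParentImage": USER_WRITABLE}]},
    {"title": "process discovery from user-writable parent",
     "technique": "T1057",
     "selections": [{"Image": r"\\(tasklist|wmic)\.exe$", "ParentImage": USER_WRITABLE}]},
]

def match_selection(event, selection):
    return all(re.search(pat, event.get(field, ""), re.IGNORECASE)
               for field, pat in selection.items())

def evaluate(events, rules=RULES):
    """Return (event_index, technique, title) for every rule that fires."""
    hits = []
    for i, ev in enumerate(events):
        for rule in rules:
            if any(match_selection(ev, s) for s in rule["selections"]):
                hits.append((i, rule["technique"], rule["title"]))
    return hits

if __name__ == "__main__":
    for i, tech, title in evaluate(EVENTS):
        print(f"event {i}: {tech} {title} <- {EVENTS[i]['CommandLine']}")
```

The benign `reg query` from cmd.exe (event 3) does not fire, which is the kind of false-positive check worth keeping in the test set when tuning such a rule.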

You can immediately access a list of all the currently available detection content to spot possible attacks of a new variant of FatalRAT by clicking View Detections and logging into your SOC Prime platform account. And if you are a security researcher or an engineer, you can share your expertise by contributing to our Threat Bounty program.


FatalRAT Analysis

The first-stage loaders of FatalRAT are hidden within software packages that resemble installers of applications like Telegram, Chrome, Adobe, and WhatsApp. The last character of the executable's file name identifies a specific payload: the first-stage EXE sends this single character to a C&C server to request the second-stage payload.

As in their previous campaigns, Purple Fox uses HTTP file servers (HFS) as C&C servers, hosting the files served to infected machines that act as bots. One of the exposed HFS servers analyzed by researchers showed frequent updates to its software packages: roughly 25 packages are updated approximately every nine days. As of the end of March 2022, this activity was still ongoing.

FatalRAT is a C++-based implant that packs extensive remote access functionality for attackers. It can download and execute additional modules of different kinds, depending on the results of scanning the infected system and the specific objectives of the botnet. FatalRAT adjusts its execution if it finds specific registry keys or antivirus agents on the host.

Antivirus evasion also relies on portable executable (PE) modules with a wide range of capabilities. For example, one of the latest FatalRAT clusters has links to older malware families, such as the previously documented Purple Fox MSI installer. Beyond that, it shows a variety of rootkit capabilities in additional PE modules, the ability to parse the addresses of a number of system APIs, and the ability to resolve different system APIs from earlier payloads.

The latest Purple Fox activity may require special attention from SOC teams because of FatalRAT's extended functionality. Its customized user-mode shellcode loader does not rely on the native loader and minimizes the forensic evidence left after execution; with so little evidence, tracing ongoing FatalRAT activity becomes especially challenging. Furthermore, the malware abuses legitimate code signing certificates and unprotected Windows kernel drivers. Take advantage of SOC Prime's Detection as Code platform to ensure that your SOC team can implement the most recent detection content within the shortest timeframe.
