1. Homepage
  2. Equities
  3. Canada
  4. Toronto Stock Exchange
  5. BlackBerry Limited
  6. News
  7. Summary
    BB   CA09228F1036


SummaryMost relevantAll NewsAnalyst Reco.Other languagesPress ReleasesOfficial PublicationsSector newsMarketScreener Strategies

Threat Thursday: Purple Fox Rootkit

01/20/2022 | 10:01am EDT
Threat Thursday: Purple Fox Rootkit

Purple Fox rootkit is an active malware campaign that has been distributed using a fake malicious Telegram installer since early 2022. Purple Fox attempts to stay under the radar by breaking its attack chain down into multiple discrete stages. Each stage of the attack is carried out by a different file, with each file being useless without the entire file set. While using legitimate installers is already a popular technique, using such a popular application is certainly notable, as is breaking up the malware's functionality to make analysis more difficult.

The malware's main goal is to gain a foothold on targeted Windows® machines by loading a rootkit that is planted beyond the reach of antivirus (AV) products, helping the malware remain hidden. This rootkit provides the attacker with a backdoor into the victim's machine, from which further malicious activity can be carried out.

Operating System
Risk & Impact
Technical Analysis

The attack chain for Purple Fox begins when the victim is lured into launching a Trojanized installer for the popular instant messaging application Telegram, a freeware, cross-platform, cloud-based service. The installer is an AutoIt-compiled script, which appears on desktops with the icon shown in Figure 1.

Figure 1 - Fake malicious installer "Telegram Desktop.exe"

When launched, this fake Telegram installer will create a directory called "TextInputh" within the "AppData/Temp" folder. The installer drops two files into this directory. One of the files is a legitimate copy of Telegram.exe, which is not launched or used in the attack chain, but it is created to help the malicious installer appear legitimate to the target. The other file is an executable called "TextInputh.exe," as shown in Figure 2.

Figure 2 - Files dropped to Temp directory by fake installer

TextInputh.exe is the main malicious downloader. When executed, it will reach out to its command-and-control (C2) server, which at the time of writing was hosted at 193[.]164[.]223[.]77 (as shown below), to retrieve the next-stage payloads.

Figure 3 - Main downloader creating a connection with the C2

The downloader creates a folder within the "Users/Public/Videos" directory, which is named using a combination of random numbers. In the analysis carried out for this report, the folder was named "1642069858." The files retrieved from the C2 server are stored in this folder.

The first file downloaded is an archive file called "1.rar." The second file is a copy of 7Zip called "7zz.exe," which is used to extract the RAR archive. The unzipped archive contains four files, as seen in Figure 4. Once these four files have been extracted, the initial archive and the 7Zip application are both automatically deleted from the machine.

Figure 4 - Contents of "1.rar" archive retrieved from C2

TextInputh.exe also creates a copy of "360.tct," "rundll3222.exe" and "svchost.txt" within the "/ProgramData" folder. The file "ojbk.exe" is used to load the file "360.tct", as seen in Figure 5. This is a DLL file that is used to read and execute the payload contained within svchost.txt.

Figure 5 - File "ojbk.exe" is used to load the DLL "360.tct"

When svchost.txt is executed, it drops five additional files into the "/ProgramData" folder. These files are named "Calldriver.exe," "Driver.sys," "dll.dll," "kill360.bat," and "speedmem2.hg."

The DLL file "dll.dll" performs a User Account Control (UAC) bypass by modifying the value of three registry keys to zero. Many malware authors use this technique to elevate process privileges on a system. The registry keys in question are as follows:

  • HKLMSOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystem ConsentPromptBehaviorAdmin
  • HKLMSOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystemEnableLUA
  • HKLMSOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystemPromptOnSecureDesktop

The five dropped files work together, with the goal of disabling and blocking antivirus programs, in particular the security solution "360 AV," a free antivirus and system optimization utility. This evasion technique is done prior to the deployment of the final Purple Fox payload, to allow the rootkit to be planted and launched without being detected.

The file "kill360.bat" is a script that is used to prevent 360 AV processes from running. Within this script, the names of the four other files that help achieve this can be seen.

This BAT script is used to place a copy of the SQL file "speedmem2.hg" into the 360 AV directory. Once the files have been executed, the script deletes them from the "/ProgramData" directory in a bid to clean up after itself and remain undetected on the target machine.

Figure 6 - Functionality of "kill360.bat"

The Purple Fox malware continues the attack chain by performing a check on the infected machine for the presence of a pre-set list of antivirus products. This list includes vendors such as TrendMicro, Kaspersky and McAfee.

The malware will also perform a scan of the victim's machine to gather a range of information, including the hostname, CPU type, driver type and memory status. This information is then exfiltrated to the C2 server, which in this instance is hosted at 144[.]48[.]243[.]79.

At the time of our investigation, this C2 server was no longer online, and as a result, the last stage of the attack that retrieves the rootkit could not be replicated directly. However, for analysis purposes, a copy of the payload from the above C2 address that contains the rootkit has been retrieved from VirusTotal.

Figure 7 - MSI file which contains kernel payload

The payload is an MSI file which contains encrypted shellcode. When launched, it displays an installation screen and prompts the victim to give a "yes" or "no" response, as shown in Figure 7.

Once the victim has approved the prompt, the system performs a restart. This allows for registry key changes, including the UAC bypass, to take effect and it allows the rootkit to be deployed at the kernel level without disruption.


Malware bundling itself with legitimate installers to gain access to a victim's machine is not new to world of cybersecurity. Indeed, the threat our team covered last week, Jupyter infostealer, also uses this highly effective technique. However, the manner in which Purple Fox goes about this malicious activity brings a new level of creativity to the way these intrusions are performed.

The multistage attack chain used by the latest version of Purple Fox is a devious addition, which will aid the attacker in remaining undetected by security solutions. This innovative approach to evasion and disguise makes it easier for Purple Fox to deliver and deploy its final rootkit payload to the target machine. From here, the possibilities for further malicious activity are practically endless.


The following YARA rule was authored by the BlackBerry Research & Intelligence Team to catch the threat described in this document:

import "pe"

rule Purple_Fox {
description = "Detects Purple Fox Rootkit"
author = "BlackBerry Threat Research Team"
date = "2022-01-10"
license = "This Yara rule is provided under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0) and open to any user or organization, as long as you use it under this license and ensure originator credit in any derivative to The BlackBerry Research & Intelligence Team"

$s1 = "C:\Users\Public\Videos\%d"
$s2 = "\1.rar"
$s3 = "\7zz.exe"
$s4 = "\rundll3222.exe"
$s5 = "\ojbk.exe"
$s6 = ""
$s7 = "\360.tct"
$s8 = "C:\ProgramData\360.dll"
$s9 = "\svchost.txt"

//PE File
uint16(0) == 0x5a4d and

// PE Sections
pe.number_of_sections == 5 and

//All Strings
all of ($s*) )

Indicators of Compromise (IoCs)

C2 Servers

  • 193[.]164[.]223[.]77
  • 144[.]48[.]243[.]79

File Names

  • Telegram Desktop.exe
  • TextInputh.exe
  • 1.rar
  • rundll3222.exe
  • svchost.txt
  • 360.tct
  • Kill360.bat
  • speedmem2.hg
  • dll.dll
  • Driver.sys
  • Calldriver.exe

Registry Key

BlackBerry Assistance

If you're battling this malware or a similar threat, you've come to the right place, regardless of your existing BlackBerry relationship.

The BlackBerry Incident Response team is made up of world-class consultants dedicated to handling response and containment services for a wide range of incidents, including ransomware and Advanced Persistent Threat (APT) cases.

We have a global team standing by to assist you with around-the-clock support, where required, as well as local assistance. Please contact us here: https://www.blackberry.com/us/en/forms/cylance/handraiser/emergency-incident-response-containment

About The BlackBerry Research & Intelligence Team

The BlackBerry Research & Intelligence team examines emerging and persistent threats, providing intelligence analysis for the benefit of defenders and the organizations they serve.



BlackBerry Ltd. published this content on 20 January 2022 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 20 January 2022 15:00:05 UTC.

© Publicnow 2022
05/20BlackBerry Provides Long-term Financial Targets
05/19BLACKBERRY LTD : Other Events, Financial Statements and Exhibits (form 8-K)
05/18BlackBerry forecasting annual revenues nearly doubling in five years
05/18IIROC Trade Resumption - BB
05/18IIROC Trading Halt - BB
05/18BlackBerry Down 5.8% After Hours as it Releases Five-Year Financial Targets
05/18BLACKBERRY BRIEF : Expects To Be Approaching Breakeven Non-GAAP EPS and Cashflow in FY24; ..
05/18BLACKBERRY BRIEF : Expects To Be Modestly Non-GAAP EPS and Cashflow Negative in FY23 Due T..
05/18BLACKBERRY BRIEF : Investing Near 30% of Revenue on Research & Development in FY23
05/18BLACKBERRY BRIEF : Co Targeting An Average 100+ Basis Points Increase in Non-GAAP Gross Ma..
More news
Analyst Recommendations on BLACKBERRY LIMITED
More recommendations
Financials (USD)
Sales 2023 690 M - -
Net income 2023 -224 M - -
Net Debt 2023 333 M - -
P/E ratio 2023 -15,4x
Yield 2023 -
Capitalization 3 417 M 3 417 M -
EV / Sales 2023 5,44x
EV / Sales 2024 4,58x
Nbr of Employees 3 325
Free-Float 98,9%
Duration : Period :
BlackBerry Limited Technical Analysis Chart | BB | CA09228F1036 | MarketScreener
Technical analysis trends BLACKBERRY LIMITED
Short TermMid-TermLong Term
Income Statement Evolution
Mean consensus UNDERPERFORM
Number of Analysts 8
Last Close Price 5,92 $
Average target price 6,64 $
Spread / Average Target 12,1%
EPS Revisions
Managers and Directors
John S. Chen Executive Chairman & Chief Executive Officer
Steve Rai Chief Financial Officer
Charles Eagan Chief Technology Officer
Christopher Hummel Chief Information Officer
Randall Cook Secretary, Chief Legal, Compliance & Risk Officer
Sector and Competitors
1st jan.Capi. (M$)
AVAST PLC-20.32%6 280
DARKTRACE PLC-13.59%2 924
KNOWBE4, INC.-31.08%2 768