Among instant messaging tools, Telegram is one of the most popular, thanks to the range of features it offers and to how robust the platform is in terms of security.
Telegram also lets you use those features not only from a smartphone but also on a PC, since it has an official desktop version built for that platform.
However, fake PC versions of this messaging tool are circulating, and they can put the security of the computers they are installed on at risk.
It all started in March 2021 with the detection of a malware known as Purple Fox, which at that time spread by scanning for Windows systems exposed to the internet and infecting them directly, without any action from the user, before carrying out further attacks from the compromised machine.
It is worth noting that earlier, in 2018, the same malware had been observed infecting computers through phishing emails and exploit kits.
Now the malware appears to have changed strategy and is getting onto computers through fake Telegram for PC installers distributed from unofficial pages.
Specifically, the installer is a compiled AutoIt script named "Telegram Desktop.exe" that, once on the PC, drops two files: the genuine Telegram installer and a malicious one alongside it.
The genuine installer would only run if the user clicked it; the AutoIt script, however, does not wait for a click and launches the malicious file automatically.
When that happens, the program creates a new folder called TextInputh under C:\Users\<Username>\AppData\Local\Temp.
That directory holds the legitimate Telegram installer, which is never even executed, together with the malicious downloader.
Once TextInputh.exe has been created inside that folder, it begins its destructive work: it first copies the file 360.tct under the name "360.dll", then rundll3222.exe and svchost.txt, into the ProgramData folder.
It then executes the file ojbk.exe and goes on to delete 1.rar and 7zz.exe, which marks the end of that stage.
After that, a registry key is created for persistence, the DLL starts disabling User Account Control (UAC), and the payload (svchost.txt) is executed, which silently installs five more files on the computer.
Ultimately, the purpose of these files is to make it harder for the security tools installed on the computer to detect the Purple Fox malware.
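The chain described above leaves a handful of concrete artifacts on disk and in the registry that can be checked directly. The following PowerShell triage script is an added example and is not code from the original article or from the analysis it summarises; it looks for the TextInputh staging folder under each user profile, the files copied into ProgramData, the UAC state, autorun entries that reference any of those names, and, optionally, the Authenticode signature of a downloaded "Telegram Desktop.exe". Two things the page does not state are assumed here and labelled in the comments: that the persistence entry lives in one of the standard Run/RunOnce keys, and that UAC is turned off through the EnableLUA policy value. Run it from an elevated prompt.

```powershell
<#
  Triage script for the Purple Fox fake-Telegram-installer chain described above.
  Added example: not code from the original article or from the analysis it summarises.
  Assumptions the article does not state: the persistence entry is in a standard
  Run/RunOnce key, and UAC is turned off via the EnableLUA policy value.
  Usage (elevated):  .\Find-PurpleFoxArtifacts.ps1 -InstallerPath "$env:USERPROFILE\Downloads\Telegram Desktop.exe"
#>
param([string]$InstallerPath)

$Findings = [System.Collections.Generic.List[string]]::new()

# File names taken from the infection chain described in the article.
$ProgramDataArtifacts = @('360.dll', 'rundll3222.exe', 'svchost.txt')
$StagingArtifacts     = @('TextInputh.exe', '360.tct', 'ojbk.exe', '1.rar', '7zz.exe')

function Get-Sha256([string]$Path) {
    (Get-FileHash -Path $Path -Algorithm SHA256 -ErrorAction Stop).Hash
}

# 1. Staging folder dropped under every user profile's %LOCALAPPDATA%\Temp.
foreach ($profile in Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
    $staging = Join-Path $profile.FullName 'AppData\Local\Temp\TextInputh'
    if (-not (Test-Path -LiteralPath $staging)) { continue }
    $Findings.Add("Staging folder present: $staging")
    foreach ($name in $StagingArtifacts) {
        $file = Join-Path $staging $name
        if (Test-Path -LiteralPath $file) {
            $Findings.Add(("  {0}  SHA256={1}" -f $name, (Get-Sha256 $file)))
        }
    }
}

# 2. Files the downloader copies into %ProgramData%.
foreach ($name in $ProgramDataArtifacts) {
    $file = Join-Path $env:ProgramData $name
    if (Test-Path -LiteralPath $file) {
        $Findings.Add(("ProgramData artifact: {0}  SHA256={1}" -f $file, (Get-Sha256 $file)))
    }
}

# 3. UAC state (assumption: disabled by setting EnableLUA to 0).
$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $policy -Name EnableLUA -ErrorAction SilentlyContinue
if ($uac -and $uac.EnableLUA -eq 0) { $Findings.Add('UAC is disabled (EnableLUA = 0)') }

# 4. Autorun entries pointing at any artifact name (assumption: Run/RunOnce keys).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$names   = $ProgramDataArtifacts + $StagingArtifacts + @('TextInputh')
$pattern = ($names | ForEach-Object { [regex]::Escape($_) }) -join '|'   # -match is case-insensitive
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip the provider's own PSPath/PSParentPath etc.
        if ("$($prop.Value)" -match $pattern) {
            $Findings.Add(("Autorun entry {0}\{1} = {2}" -f $key, $prop.Name, $prop.Value))
        }
    }
}

# 5. Optional: is the downloaded installer signed, and by whom? A missing or invalid
#    signature on something calling itself "Telegram Desktop.exe" is reason enough not to run it.
if ($InstallerPath) {
    $sig    = Get-AuthenticodeSignature -FilePath $InstallerPath
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    $Findings.Add(("Installer signature: {0}  signer: {1}" -f $sig.Status, $signer))
    if ($sig.Status -ne 'Valid') { $Findings.Add('  -> treat this installer as untrusted') }
}

if ($Findings.Count -eq 0) { 'No Purple Fox artifacts found.' } else { $Findings }
```

The script only reads; it does not delete anything, so the hashes it prints can be compared against public indicators before any cleanup. Absence of 1.rar and 7zz.exe is expected on a completed infection, since the chain deletes them, so their presence suggests the chain was interrupted part way.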