The operators of the Purple Fox malware have supplemented their arsenal with a new version of the Trojan for remote access called FatalRAT, and have also updated their methods of bypassing antivirus solutions.
According to researchers from Trend Micro, criminals attack users by distributing Trojan software disguised as legitimate programs, including Telegram, WhatsApp, Adobe Flash Player and Google Chrome.
Installers start an infection sequence that leads to the deployment of a second-level payload from a remote server and ends with the execution of a binary file with FatalRAT functions.
FatalRAT is a backdoor written in C++ and designed to run commands and transfer confidential information to a remote server. Malware developers are gradually updating the backdoor with new features.
Purple Fox comes with a rootkit module and supports five different commands, including copying and deleting files from the kernel, as well as bypassing antivirus kernels by intercepting calls sent to the file system.