ViperSoftX Malware Now Masquerades as eBooks on Torrents for Stealth Attacks
ViperSoftX, a sophisticated information-stealing malware strain, is now being disguised as eBooks on torrent sites so that it is installed without raising suspicion.
Short Summary:
- ViperSoftX is being distributed as eBooks on torrent websites.
- It uses Common Language Runtime (CLR) to execute PowerShell commands within AutoIt.
- This malware can exfiltrate sensitive data, including cryptocurrency wallet information.
The ViperSoftX malware is back with a new lure, this time masquerading as eBooks on torrent platforms. First documented by Fortinet in 2020, ViperSoftX is known for stealing sensitive data, including cryptocurrency wallet information, from Windows systems.
New research shows that the malware now uses eBook torrents as a delivery method, a significant risk to users who download pirated books.
According to Trellix researchers Mathanraj Thangaraju and Sijo Jacob, the current variant of ViperSoftX uses the .NET Common Language Runtime (CLR) to dynamically load and run PowerShell commands from inside an AutoIt script.
Because the PowerShell logic is hosted in the AutoIt process rather than in a separate powershell.exe, controls that key on standalone PowerShell activity never see it.
“By utilizing CLR, ViperSoftX can seamlessly integrate PowerShell functionality, allowing it to execute malicious functions while evading detection mechanisms that might otherwise flag standalone PowerShell activity,” Thangaraju and Jacob said.
ViperSoftX is also used as a loader. As recently as May 2024, attackers used it to deliver additional tools, including the Quasar Remote Access Trojan (RAT) and the TesseractStealer information stealer.
This combination of stealer and loader is what makes ViperSoftX a formidable adversary.
One of the most striking features of ViperSoftX is its multi-stage infection chain. The malware has long been distributed through cracked software and torrent sites, but the eBook lure is a new approach.
Each eBook RAR archive contains a Windows shortcut (.lnk) file that masquerades as an innocuous document.
Opening the shortcut starts the chain: it extracts PowerShell code, which unhides the dropped folders, establishes persistence on the system, and launches an AutoIt script. That script uses the .NET CLR to decrypt and execute a second PowerShell script, which deploys ViperSoftX proper.
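To show what such a shortcut lure looks like at the byte level and how to triage one before it is ever double-clicked, here is an added example (not Trellix's or the malware's code). It builds and parses minimal Windows shell link (.lnk) files following the MS-SHLLINK layout (fixed 0x4C-byte header, then the StringData fields) and flags document-themed shortcuts whose real target is a script interpreter. The sample shortcuts, their paths and the base64 argument are constructed for the example and are not real ViperSoftX artifacts.

```python
"""Static triage of Windows .lnk lures of the kind described above.
Added example; the sample shortcuts are constructed in memory and are not
real ViperSoftX artifacts. Layout follows MS-SHLLINK (header + StringData)."""
import struct

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that starts the window minimized and unfocused

INTERPRETERS = ("powershell", "pwsh", "cmd.exe", "wscript", "cscript", "mshta", "rundll32", "regsvr32")
SUSPICIOUS_ARGS = ("-w hidden", "-windowstyle hidden", "-enc", "-encodedcommand",
                   "bypass", "iex", "downloadstring")
DOC_EXTS = (".pdf", ".epub", ".mobi", ".docx", ".txt")


def _string_data(s):
    """StringData item: 2-byte character count followed by UTF-16LE text."""
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")


def build_lnk(relative_path, arguments="", icon_location="", show_command=1):
    """Assemble a minimal, spec-conformant shell link (used here only to make test input)."""
    flags, body = IS_UNICODE | HAS_REL_PATH, _string_data(relative_path)
    if arguments:
        flags |= HAS_ARGS
        body += _string_data(arguments)
    if icon_location:
        flags |= HAS_ICON
        body += _string_data(icon_location)
    # HeaderSize, CLSID, LinkFlags, FileAttributes, 3 FILETIMEs, FileSize, IconIndex,
    # ShowCommand, HotKey, Reserved1/2/3 = 0x4C bytes in total
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    return header + body + b"\x00\x00\x00\x00"  # TerminalBlock ends ExtraData


def parse_lnk(data):
    """Return ShowCommand and the StringData fields of a shell link."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags, = struct.unpack_from("<I", data, 0x14)
    show_cmd, = struct.unpack_from("<I", data, 0x3C)
    off = 0x4C
    if flags & HAS_ID_LIST:        # skip LinkTargetIDList (2-byte size prefix)
        size, = struct.unpack_from("<H", data, off)
        off += 2 + size
    if flags & HAS_LINK_INFO:      # skip LinkInfo (4-byte size includes itself)
        size, = struct.unpack_from("<I", data, off)
        off += size
    out = {"flags": flags, "show_command": show_cmd}
    for bit, key in ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                     (HAS_WORKING_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                     (HAS_ICON, "icon_location")):
        if flags & bit:
            count, = struct.unpack_from("<H", data, off)
            off += 2
            width = 2 if flags & IS_UNICODE else 1
            out[key] = data[off:off + count * width].decode(
                "utf-16-le" if width == 2 else "cp1252", "replace")
            off += count * width
    return out


def triage_lnk(filename, data):
    """Reasons this shortcut looks like a document-themed loader (empty list = nothing odd)."""
    info = parse_lnk(data)
    target = (info.get("relative_path", "") + " " + info.get("arguments", "")).lower()
    icon = info.get("icon_location", "").lower()
    stem = filename.lower().removesuffix(".lnk")
    is_interp = any(i in target for i in INTERPRETERS)
    findings = []
    if stem.endswith(DOC_EXTS):
        findings.append("filename mimics a document (double extension)")
    if is_interp:
        findings.append("target is a script interpreter or LOLBin")
    if any(a in target for a in SUSPICIOUS_ARGS):
        findings.append("arguments hide the window or pass inline/encoded script")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand = SW_SHOWMINNOACTIVE (window starts minimized)")
    if icon and is_interp and not any(i in icon for i in INTERPRETERS):
        findings.append("icon borrowed from another program to look like a document")
    return findings


# Constructed samples: a document-themed lure and a plain shortcut to notepad.
LURE = build_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 arguments="-w hidden -ep bypass -enc SQBFAFgAIAAoAC4ALgAuACkA",  # placeholder base64
                 icon_location=r"%ProgramFiles%\Adobe\Acrobat\Acrobat.exe",
                 show_command=SW_SHOWMINNOACTIVE)
BENIGN = build_lnk(r"..\..\Windows\System32\notepad.exe")

if __name__ == "__main__":
    for name, blob in (("The_Art_of_War.pdf.lnk", LURE), ("Notes.lnk", BENIGN)):
        print(name, triage_lnk(name, blob) or ["nothing suspicious"])
```

The parser deliberately skips the LinkTargetIDList and LinkInfo structures instead of decoding them: for triage, the StringData fields (relative path, arguments, icon) and ShowCommand carry the signal. Real lures often use a relative path or environment variable rather than an absolute one, which is why the target check matches on the executable name rather than a full path.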
“AutoIt does not by default support the .NET Common Language Runtime (CLR), but the language’s user-defined functions (UDF) offer a gateway to the CLR library, granting malevolent actors access to PowerShell’s formidable capabilities,” the researchers noted.
The malware's capabilities are equally broad. ViperSoftX harvests a wide array of system information, scans browser extensions for cryptocurrency wallet data, captures clipboard contents, and downloads and executes additional payloads on command from its remote server. It also includes self-deletion routines to hinder detection and removal.
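The steps described above (unhide the dropped folder, set up persistence, launch AutoIt, host PowerShell through the CLR) each leave a trace that a process-creation or image-load sensor can see. The following added example (not Trellix's detection content) runs simple rules over constructed Sysmon-style events and correlates the hits by process tree so that a chain, rather than any single event, raises the alert. Field names mirror Sysmon's schema; the paths, PIDs and command lines are assumptions, not captured telemetry. The strongest single signal is the last rule: a process that is not a PowerShell host loading System.Management.Automation.dll, which is what hosting PowerShell via the CLR inside AutoIt would look like on the endpoint.

```python
"""Behavioural detection for the infection chain described above, run over
constructed Sysmon-style events (ID 1 = process create, ID 7 = image load).
Added example, not Trellix's detection content; field names follow Sysmon's
schema, and every path, PID and command line below is an assumption."""

PS_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
HIDE_FLAGS = ("-w hidden", "-windowstyle hidden", "-enc", "-encodedcommand")

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
DROP = r"C:\Users\bob\AppData\Roaming\Reader"          # assumed drop folder
AUTOIT = DROP + r"\AutoIt3.exe"
SCRIPT = DROP + r"\reader.au3"
SMA_DLL = (r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation"
           r"\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll")

EVENTS = [  # constructed, not captured from a real infection
    {"id": 1, "pid": 4100, "ppid": 2200, "image": PS, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": 'powershell.exe -w hidden -ep bypass -c "attrib -s -h ' + DROP + '"'},
    {"id": 1, "pid": 4188, "ppid": 4100, "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": PS,
     "cmdline": 'schtasks /create /sc minute /mo 5 /tn ReaderSync /tr "' + AUTOIT + " " + SCRIPT + '"'},
    {"id": 1, "pid": 4300, "ppid": 4100, "image": AUTOIT, "parent_image": PS,
     "cmdline": '"' + AUTOIT + '" ' + SCRIPT},
    {"id": 7, "pid": 4300, "image": AUTOIT,
     "loaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"},
    {"id": 7, "pid": 4300, "image": AUTOIT, "loaded": SMA_DLL},
    # Benign noise: a user opening notepad, and PowerShell hosting its own engine.
    {"id": 1, "pid": 5000, "ppid": 2200, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
    {"id": 7, "pid": 5100, "image": PS, "loaded": SMA_DLL},
]


def base(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def rule_hits(ev):
    """Names of the rules a single event trips."""
    hits = []
    if ev["id"] == 1:
        img, parent, cmd = base(ev["image"]), base(ev["parent_image"]), ev["cmdline"].lower()
        # Double-clicked lure: explorer.exe spawns a hidden/encoded PowerShell.
        if img in PS_HOSTS and parent == "explorer.exe" and any(k in cmd for k in HIDE_FLAGS):
            hits.append("hidden_powershell_from_shell")
        # Dropped folder being unhidden (attrib clears the hidden attribute).
        if "attrib" in cmd and " -h" in cmd:
            hits.append("unhide_dropped_folder")
        # Persistence via scheduled task or Run key.
        if ("schtasks" in cmd and "/create" in cmd) or (img == "reg.exe" and "currentversion\\run" in cmd):
            hits.append("persistence_created")
        # AutoIt interpreter executing from a user-writable location.
        if img.startswith("autoit3") and any(p in ev["image"].lower() for p in USER_WRITABLE):
            hits.append("autoit_from_user_writable_path")
    elif ev["id"] == 7:
        # The PowerShell engine loaded into a process that is not a PowerShell host.
        if base(ev["loaded"]) == "system.management.automation.dll" and base(ev["image"]) not in PS_HOSTS:
            hits.append("powershell_engine_in_foreign_host")
    return hits


def root_of(pid, parents):
    """Climb to the top-most process we actually saw being created."""
    while pid in parents and parents[pid] in parents:
        pid = parents[pid]
    return pid


def correlate(events):
    """Map each observed process tree (by root PID) to the set of rules it tripped."""
    parents = {e["pid"]: e["ppid"] for e in events if e["id"] == 1}
    by_root = {}
    for e in events:
        for h in rule_hits(e):
            by_root.setdefault(root_of(e["pid"], parents), set()).add(h)
    return by_root


def alerts(events, threshold=3):
    """Trees that tripped at least `threshold` distinct rules, with the rules sorted."""
    return {root: sorted(h) for root, h in correlate(events).items() if len(h) >= threshold}


if __name__ == "__main__":
    for root, rules in alerts(EVENTS).items():
        print("root pid", root, "->", ", ".join(rules))
```

Correlating by the top-most observed ancestor keeps the notepad launch and the legitimate PowerShell engine load out of the alert, and the threshold means a lone `schtasks /create` does not page anyone. In a real deployment the same rules would run over Sysmon or EDR telemetry and the threshold would be tuned against the environment's baseline.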
“ViperSoftX’s adept use of the Common Language Runtime (CLR) to orchestrate PowerShell operations within the AutoIt environment allows for seamless execution of malicious functions while evading detection mechanisms,” the researchers emphasized.
“Furthermore, ViperSoftX’s ability to patch the Antimalware Scan Interface (AMSI) before executing PowerShell scripts underscores its determination to circumvent traditional security measures,” they added.
ViperSoftX's evolution is a reminder of how quickly adversary tradecraft changes; eBook torrents are only the latest lure, and defenders have to keep adapting with it.
In April 2023, Trend Micro reported that ViperSoftX had added advanced anti-analysis techniques such as byte remapping and blocking of web browser communication.
The steady stream of such changes shows the effort threat actors put into keeping the malware viable.
For users, this development is a reminder of the risks of downloading torrents from unverified sources. Basic cyber hygiene, including an up-to-date antivirus and caution when downloading software and documents, matters more than ever.
Security professionals and organizations must remain proactive, employing behavioural detection rather than relying on signatures alone and educating users about the dangers of illicit downloads, to mitigate the threat posed by malware like ViperSoftX.
Researchers continue to dissect ViperSoftX's operations; until further countermeasures emerge, users must stay informed and vigilant against this persistent threat.