ViperSoftX Malware: Now Distributed via eBook Torrents
The sophisticated malware known as ViperSoftX has recently been observed spreading through eBooks on torrent sites. This development highlights the continuous evolution of cyber threats and the innovative tactics employed by threat actors to evade detection.
How ViperSoftX Operates
ViperSoftX utilizes the Common Language Runtime (CLR) to dynamically load and run PowerShell commands within AutoIt. This technique allows the malware to execute malicious functions while bypassing security mechanisms that typically detect standalone PowerShell activity.
Key Points:
• Initial Detection: ViperSoftX was first detected by Fortinet in 2020. Since then, it has evolved to become more sophisticated, employing advanced anti-analysis techniques like byte remapping and web browser communication blocking.
• Recent Campaigns: As of May 2024, ViperSoftX has been used to distribute Quasar RAT and TesseractStealer, two other forms of malicious software.
New Distribution Method: eBook Torrents
Traditionally, ViperSoftX has been spread through cracked software and torrent sites. However, recent findings reveal that cybercriminals are now using eBook lures to distribute the malware. Within the supposed eBook RAR archive, a hidden folder and a deceptive Windows shortcut file masquerade as a benign document. Executing this shortcut initiates a multi-stage infection process.
Infection Sequence
1. Execution of Shortcut File: Triggers the extraction of PowerShell code.
2. Extraction of PowerShell Code: Unhides the concealed folder and sets up persistence on the system.
3. AutoIt Script Interaction: Launches an AutoIt script that interacts with the .NET CLR framework.
4. Decryption and Execution: Decrypts and runs a secondary PowerShell script, which is ViperSoftX.
Capabilities of ViperSoftX
Once activated, ViperSoftX performs several malicious activities:
• System Information Harvesting: Gathers detailed information about the compromised system.
• Cryptocurrency Wallet Scanning: Searches for cryptocurrency wallets via browser extensions.
• Clipboard Content Capture: Monitors and captures clipboard contents.
• Dynamic Payload Execution: Downloads and runs additional payloads and commands from a remote server.
• Self-Deletion Mechanisms: Implements self-deletion to evade detection and removal.
Advanced Evasion Techniques
A notable feature of ViperSoftX is its ability to patch the Antimalware Scan Interface (AMSI) before executing PowerShell scripts, further evading traditional security measures. This capability, combined with its use of CLR within AutoIt, makes ViperSoftX a formidable threat that seamlessly integrates malicious functions while avoiding detection.
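The CLR hosting described in "How ViperSoftX Operates" and in step 3 of the infection sequence leaves a telemetry trace even though powershell.exe never starts: the PowerShell engine assembly (System.Management.Automation.dll) must still be loaded into whatever process hosts it, and the AutoIt process must load the CLR itself. The following detection script is an added example, not code from the article or from any vendor report; the record format, the list of expected PowerShell hosts and the sample records are constructed assumptions.

```python
"""Triage Sysmon Event ID 7 (ImageLoad) records for CLR-hosted PowerShell."""
import re
from typing import List, Optional, Tuple

# Processes expected to host the PowerShell engine (assumption: tune per estate).
KNOWN_PS_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
# Stock AutoIt interpreter names; a compiled script carries an arbitrary name,
# so the engine-load rule below is the one that does not depend on this list.
AUTOIT_IMAGES = {"autoit3.exe", "autoit3_x64.exe"}
CLR_DLLS = {"clr.dll", "clrjit.dll", "mscoree.dll"}
PS_ENGINE = "system.management.automation.dll"

FIELD = re.compile(r"(\w+)=([^|]+)")  # constructed 'Key=Value|Key=Value' format

def parse(line: str) -> dict:
    """Parse one pipe-delimited record into a field dict."""
    return {k: v.strip() for k, v in FIELD.findall(line)}

def basename(path: str) -> str:
    """Lower-cased final path component, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(rec: dict) -> Optional[str]:
    """Return an alert label for a suspicious image load, else None."""
    if rec.get("EventID") != "7":
        return None
    host = basename(rec.get("Image", ""))
    loaded = basename(rec.get("ImageLoaded", ""))
    if loaded == PS_ENGINE and host not in KNOWN_PS_HOSTS:
        return f"powershell-engine-in-{host}"
    if loaded in CLR_DLLS and host in AUTOIT_IMAGES:
        return f"clr-loaded-by-{host}"
    return None

def scan(lines) -> List[Tuple[str, str]]:
    """Return (alert label, ProcessId) for every flagged record."""
    hits = []
    for line in lines:
        rec = parse(line)
        label = classify(rec)
        if label:
            hits.append((label, rec.get("ProcessId", "?")))
    return hits

# Constructed sample telemetry, not captured from a real host.
SAMPLE = [
    "EventID=7|ProcessId=4120|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|ImageLoaded=C:\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\System.Management.Automation\\System.Management.Automation.dll",
    "EventID=7|ProcessId=5532|Image=C:\\Users\\Public\\AutoIt3.exe|ImageLoaded=C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\clr.dll",
    "EventID=7|ProcessId=5532|Image=C:\\Users\\Public\\AutoIt3.exe|ImageLoaded=C:\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\System.Management.Automation\\System.Management.Automation.dll",
    "EventID=1|ProcessId=6000|Image=C:\\Windows\\explorer.exe",
]

if __name__ == "__main__":
    for alert, pid in scan(SAMPLE):
        print(f"[ALERT] pid={pid} {alert}")
```

The engine-load rule also fires for other CLR-hosted PowerShell tooling, so expect to allow-list legitimate hosts such as management agents before using it for alerting.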
Conclusion
The continuous evolution of ViperSoftX exemplifies how cybercriminals innovate to stay ahead of security defenses. The recent use of eBook torrents as a distribution method is a reminder of the diverse tactics employed by threat actors. Staying vigilant and adopting robust security practices are essential in mitigating the risks posed by such sophisticated malware.