ViperSoftX Malware Poses As eBooks On Torrents
Recent media reports have shed light on the ViperSoftX malware, which is being disguised as eBooks and distributed over torrents. The malware can execute malicious functions and evade detection mechanisms. In this article, we’ll dive deep into the ViperSoftX malware and learn about its attack capabilities.
The ViperSoftX Malware Uncovered
The ViperSoftX malware was initially detected by Fortinet in 2020. The malware is known for its ability to acquire sensitive information from compromised devices.
Given its abilities, the malware has become a relevant example of threat actors continuously innovating their tactics to bypass defences. To do this, ViperSoftX employs anti-analysis techniques that include byte mapping and the blocking of web browser communication.
It’s worth mentioning here that both of these techniques were documented by Trend Micro in April 2023. In May 2024, the malware was used as a distribution medium for Quasar RAT and TesseractStealer.
ViperSoftX Attack Chain
As far as the attack chains are concerned, both cracked software and torrent sites have been used. A notable element of the attack chains, however, is the use of eBooks to lure targets. To carry out this approach, threat actors add a hidden folder and a malicious Windows shortcut file to the eBook RAR file.
The shortcut file, which initially appears harmless, initiates a multi-stage infection sequence upon execution. The sequence starts with the extraction of PowerShell code, which reveals the hidden folder and sets up persistence on the system to launch an AutoIt script.
This script then interacts with the .NET CLR and is used to decrypt and run another PowerShell script, which is the malware itself.
Attack Capabilities Of The ViperSoftX eBook Distribution Malware
Once the malware is activated, it harvests system information. This includes:
- Capturing clipboard content.
- Scanning for crypto wallets via browser extensions.
Apart from acquiring information, the ViperSoftX malware also downloads and runs additional payloads and commands based on responses it receives from a remote server. What makes this malware even more severe is that it comes with self-deletion mechanisms, allowing it to avoid detection.
Providing further insights into the capabilities of the malware, researchers have stated that:
“One of the hallmark features of ViperSoftX is its adept use of the Common Language Runtime (CLR) to orchestrate PowerShell operations within the AutoIt environment. This integration enables seamless execution of malicious functions while evading detection mechanisms that would typically flag standalone PowerShell activity.”
In addition, the ViperSoftX malware can patch the Antimalware Scan Interface (AMSI) before executing any PowerShell script. Such capabilities are a testament to the severity of the threat posed by malware that can bypass traditional security measures, and they dictate the need for a more proactive approach to online security.
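The two stages described above (a shortcut file launching PowerShell from the extracted eBook folder, and an AutoIt script hosting PowerShell through the CLR so that no standalone powershell.exe appears) leave footprints in endpoint telemetry. The following is an added triage example, not code from the original article or from any vendor: it runs two heuristics over constructed Sysmon-style events. The field names (EventID, Image, ParentImage, CommandLine, ImageLoaded), the hidden-window flag list and the assumption that the AutoIt interpreter keeps a name containing "autoit" are this example's own choices.

```python
"""Triage constructed Sysmon-style events for the ViperSoftX eBook lure chain."""

# Constructed sample telemetry (not real logs). Field names follow Sysmon:
# EventID 1 = ProcessCreate, EventID 7 = ImageLoad.
SAMPLE_EVENTS = [
    # Double-clicked shortcut: explorer.exe spawns a hidden PowerShell.
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File stage1.ps1"},
    # Benign: user opens an editor from explorer.exe.
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Notepad++\notepad++.exe", "CommandLine": "notepad++.exe"},
    # AutoIt interpreter loading the .NET runtime and the PowerShell engine assembly.
    {"EventID": 7, "Image": r"C:\Users\u\AppData\Roaming\Book\AutoIt3.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"},
    {"EventID": 7, "Image": r"C:\Users\u\AppData\Roaming\Book\AutoIt3.exe",
     "ImageLoaded": r"C:\Windows\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll"},
    # Benign: powershell.exe is expected to host the CLR itself.
    {"EventID": 7, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"},
]

# DLLs whose presence in a non-.NET process indicates a hosted CLR / PowerShell engine.
CLR_HOST_DLLS = ("clr.dll", "coreclr.dll", "system.management.automation.dll")
# Assumed flags typical of script-launched, user-hidden PowerShell (heuristic, not exhaustive).
HIDDEN_PS_FLAGS = ("-windowstyle hidden", "-w hidden", "-encodedcommand", "-enc ",
                   "-executionpolicy bypass", "-ep bypass")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return (rule, evidence) pairs for events matching either heuristic."""
    findings = []
    for ev in events:
        image = basename(ev.get("Image", ""))
        if ev.get("EventID") == 1 and image == "powershell.exe" \
                and basename(ev.get("ParentImage", "")) == "explorer.exe":
            cmd = ev.get("CommandLine", "").lower()
            if any(flag in cmd for flag in HIDDEN_PS_FLAGS):
                findings.append(("lnk_powershell_stage", ev["CommandLine"]))
        elif ev.get("EventID") == 7 and "autoit" in image:
            # A renamed interpreter would need a different pivot (e.g. PE OriginalFileName).
            if basename(ev.get("ImageLoaded", "")) in CLR_HOST_DLLS:
                findings.append(("clr_hosted_in_autoit", ev["ImageLoaded"]))
    return findings


if __name__ == "__main__":
    for rule, evidence in triage(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
```

Because the AutoIt check keys on the loading process rather than on powershell.exe, it still fires when the PowerShell payload never appears as its own process, which is exactly the evasion the researchers describe.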
Conclusion
The ViperSoftX malware, masquerading as eBooks, exemplifies the evolving tactics of cybercriminals. With its advanced anti-detection capabilities and use of PowerShell within AutoIt, ViperSoftX can effectively compromise systems and evade traditional security measures. This highlights the critical need for advanced cybersecurity solutions to combat sophisticated threats. Stay vigilant, stay secure.
The sources for this piece include articles in The Hacker News and Vumetric Cyber Portal.