The sophisticated malware known as ViperSoftX has been observed being distributed as eBooks over torrents. BitTorrent, also referred to as simply torrent, is a communication protocol for peer-to-peer file sharing (P2P), which enables users to distribute data and electronic files over the Internet in a decentralized manner. The protocol is developed and maintained by Rainberry, Inc., and was first released in 2001.
A notable aspect of the current variant of ViperSoftX is that it uses the Common Language Runtime (CLR) to dynamically load and run PowerShell commands, thereby creating a PowerShell environment within AutoIt for operations. Using CLR, ViperSoftX can seamlessly integrate PowerShell functionality, allowing it to execute malicious functions while evading detection mechanisms that might otherwise flag standalone PowerShell activity.[1]
Initially detected by Fortinet in 2020, ViperSoftX is known for its ability to exfiltrate sensitive information from compromised Windows hosts. Over the years, malware has become a relevant example of threat actors continuously innovating their tactics to stay stealthy and circumvent defenses. This is demonstrated by the increased complexity and the adoption of advanced anti-analysis techniques such as byte remapping and web browser communication blocking, as documented by Trend Micro in April 2023.
As recently as May 2024, malicious campaigns have leveraged ViperSoftX as a delivery vehicle to distribute Quasar RAT and another information stealer named TesseractStealer. Attack chains propagating the malware are known to employ cracked software and torrent sites, but using eBook lures is a newly observed approach. Present within the supposed eBook RAR archive file is a hidden folder and a deceptive Windows shortcut file that purports to be a benign document.
Executing the shortcut file initiates a multi-stage infection sequence that begins with the extraction of PowerShell code that unhides the concealed folder and sets up persistence on the system to launch an AutoIt script that, in turn, interacts with the .NET CLR framework to decrypt and run a secondary PowerShell script, which is ViperSoftX. AutoIt does not by default support the .NET Common Language Runtime (CLR)," the researchers said. "However, the language's user-defined functions (UDF) offer a gateway to the CLR library, granting malevolent actors access to PowerShell's formidable capabilities.
ViperSoftX harvests system information, scans for cryptocurrency wallets via browser extensions, captures clipboard contents, and dynamically downloads and runs additional payloads and commands based on responses received from a remote server. It also comes with self-deletion mechanisms to challenge detection. One of the hallmark features of ViperSoftX is its adept use of the Common Language Runtime (CLR) to orchestrate PowerShell operations within the AutoIt environment," the researchers said. "This integration enables seamless execution of malicious functions while evading detection mechanisms that typically flag standalone PowerShell activity." ViperSoftX's ability to patch the Antimalware Scan Interface (AMSI) before executing PowerShell scripts underscores its determination to circumvent traditional security measures.
This article is shared at no charge and is for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5378972949933166424
[1] https://thehackernews.com/2024/07/vipersoftx-malware-disguises-as-ebooks.html
Comments