
ViperSoftX Malware Disguises as eBooks on Torrents to Unfold Stealthy Attacks

The sophisticated malware known as ViperSoftX has been observed being distributed as eBooks over torrents.

“A notable aspect of the current variant of ViperSoftX is that it uses the Common Language Runtime (CLR) to dynamically load and run PowerShell commands, thereby creating a PowerShell environment within AutoIt for operations,” Trellix security researchers Mathanraj Thangaraju and Sijo Jacob said.

“By utilizing CLR, ViperSoftX can seamlessly integrate PowerShell functionality, allowing it to execute malicious functions while evading detection mechanisms that might otherwise flag standalone PowerShell activity.”


First detected by Fortinet in 2020, ViperSoftX is known for its ability to exfiltrate sensitive information from compromised Windows hosts. Over the years, the malware has become a relevant example of threat actors continuously innovating their tactics in an attempt to stay stealthy and circumvent defenses.

This is exemplified by the increased complexity and the adoption of advanced anti-analysis techniques such as byte remapping and web browser communication blocking, as documented by Trend Micro in April 2023.


As recently as May 2024, malicious campaigns have leveraged ViperSoftX as a delivery vehicle to distribute Quasar RAT and another information stealer named TesseractStealer.

Attack chains propagating the malware are known to use cracked software and torrent sites, but the use of eBook lures is a newly observed approach. Present within the supposed eBook RAR archive file is a hidden folder as well as a deceptive Windows shortcut file that purports to be a benign document.

Executing the shortcut file initiates a multi-stage infection sequence that begins with the extraction of PowerShell code that unhides the concealed folder and sets up persistence on the system to launch an AutoIt script, which in turn interacts with the .NET CLR framework to decrypt and run a secondary PowerShell script, which is ViperSoftX.

“AutoIt does not by default support the .NET Common Language Runtime (CLR),” the researchers said. “However, the language’s user-defined functions (UDF) offer a gateway to the CLR library, granting malevolent actors access to PowerShell’s formidable capabilities.”


ViperSoftX harvests system information, scans for cryptocurrency wallets via browser extensions, captures clipboard contents, and dynamically downloads and runs additional payloads and commands based on responses received from a remote server. It also comes with self-deletion mechanisms to hamper detection.

“One of the hallmark features of ViperSoftX is its adept use of the Common Language Runtime (CLR) to orchestrate PowerShell operations within the AutoIt environment,” the researchers said. “This integration allows seamless execution of malicious functions while evading detection mechanisms that would typically flag standalone PowerShell activity.”

“Furthermore, ViperSoftX’s ability to patch the Antimalware Scan Interface (AMSI) before executing PowerShell scripts underscores its determination to bypass traditional security measures.”
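The detection gap the researchers describe is that no powershell.exe ever runs: the PowerShell engine is loaded into an AutoIt process through the CLR. One way to close that gap is to watch image-load telemetry for the PowerShell engine assembly appearing in a process that is not a known PowerShell host. The following is an added example written for this article, not code from Trellix or from the malware; the Sysmon Event ID 7 records are constructed, and the AutoIt file path is a hypothetical one.

```python
import json

# Processes in which loading the PowerShell engine is expected.
LEGITIMATE_PS_HOSTS = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}

# The PowerShell engine assembly (JIT and native-image variants). Seeing it
# in any other host means PowerShell is embedded in that process, which is
# exactly what the AutoIt-to-CLR stage described above does. clr.dll itself
# is deliberately not matched: every .NET application loads it, so it alone
# would be far too noisy.
PS_ENGINE_DLLS = {"system.management.automation.dll",
                  "system.management.automation.ni.dll"}

# Constructed Sysmon ImageLoad (Event ID 7) records in JSON-lines form.
SAMPLE_LOG = r"""
{"EventID": 7, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ImageLoaded": "C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Management.Automation\\System.Management.Automation.ni.dll"}
{"EventID": 7, "Image": "C:\\Users\\reader\\AppData\\Local\\Temp\\AutoIt3.exe", "ImageLoaded": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\clr.dll"}
{"EventID": 7, "Image": "C:\\Users\\reader\\AppData\\Local\\Temp\\AutoIt3.exe", "ImageLoaded": "C:\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\System.Management.Automation\\System.Management.Automation.dll"}
{"EventID": 1, "Image": "C:\\Windows\\explorer.exe"}
"""


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_unexpected_powershell_hosts(log_text: str):
    """Return (host image, engine DLL) pairs where the PowerShell engine was
    loaded by a process that is not a known PowerShell host."""
    hits = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        if ev.get("EventID") != 7:          # only ImageLoad events matter here
            continue
        host = basename(ev.get("Image", ""))
        dll = basename(ev.get("ImageLoaded", ""))
        if dll in PS_ENGINE_DLLS and host not in LEGITIMATE_PS_HOSTS:
            hits.append((ev["Image"], dll))
    return hits


if __name__ == "__main__":
    for image, dll in find_unexpected_powershell_hosts(SAMPLE_LOG):
        print(f"ALERT: {dll} loaded by non-PowerShell host {image}")
```

Legitimate PowerShell-hosting applications (some management and backup tools) will also match, so the host allow-list should be tuned per environment rather than used as-is.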
