Researchers Find Increased Sophistication In ViperSoftX Malware

Researchers have observed improvements in the ViperSoftX info-stealing malware that had been first spotted in 2020. The malware has moved toward employing more sophisticated evasion tactics, refined through the incorporation of the Common Language Runtime (CLR) to run PowerShell commands within AutoIt scripts distributed through pirated eBook copies.

This clever trick allows the malware to blend in with legitimate system activities, making it harder for security solutions to spot.

ViperSoftX Distributed as Trojan Horse in eBooks

ViperSoftX spreads through torrent sites, masquerading as eBooks. The infection chain of ViperSoftX begins when users access the downloaded RAR archive that includes a hidden folder, a deceptive shortcut file  that appears to be a harmless PDF or eBook along with a PowerShell script, AutoIt.exe, and AutoIt script that pose as simple JPG image files.

When the user clicks on the shortcut file, it initiates a command sequence that begins by listing the contents of “zz1Cover4.jpg”. Subsequently, it reads each line from this file in which commands are cleverly hidden within blank spaces, to a Powershell Command Prompt, effectively automating the execution of multiple commands.

The researchers from Trellix state that the PowerShell code performs several actions, including unhiding the hidden folder, calculating the total size of all disk drives, and configuring Windows Task Scheduler to run AutoIt3.exe every five minutes after the user logs in, effectively setting up persistence mechanisms on infected systems.

The malware also copies two files to the %APPDATA%MicrosoftWindows directory, renaming one of them to .au3 and the other to AutoIt3.exe.

Increasing ViperSoftX Sophistication

The malware’s use of CLR to run PowerShell within AutoIt is particularly sneaky. AutoIt, typically used for automating Windows tasks, is often trusted by security software. By piggybacking on this trust, ViperSoftX can fly under the radar.

The malware employs additional tricks up its sleeve in the form of heavy obfuscation, deception and encryption to hide its true nature. ViperSoftX uses heavy Base64 obfuscation and AES encryption to hide the commands in the PowerShell scripts extracted from the image decoy files. This level of obfuscation challenges both researchers and analysis tools, making it even more difficult to decipher the malware’s functionality and intent.

The malware even attempts to modify the Antimalware Scan Interface (AMSI) to bypass security checks run against its scripts. By leveraging existing scripts, the malware developers accelerate development and focus on improving their evasion tactics,

Analysis of the malware’s network activity demonstrates attempts to blend traffic with legitimate system activity. Researchers observed the use of deceptive hostnames such as security-microsoft[.]com by the malware to appear more trustworthy and deceive victims into associating the traffic activity with with Microsoft.

Analysis of a suspicious Base64-encoded User-Agent string, revealed detailed amount of system information extracted through PowerShell command execution from infected systems including logical disk volume serial number, computer name, username, operating system version, antivirus product information, and cryptocurrency details.

The researchers warn against the increasing sophistication in ViperSoftX’s operations as its ability to execute malicious functions while evading traditional security measures makes it a formidable opponent.

Related