ViperSoftX, a sophisticated malware first identified in 2020, has evolved into a more complex form that now uses eBooks on torrent sites as a means of spreading across systems. This malware differs from others in that its creators focus on reusing offensive security script components rather than developing new code from scratch, which makes it a significant threat and complicates the search for effective countermeasures. To combat ViperSoftX effectively, a deep understanding of its infection chain, payload execution, and stealth techniques is essential for the development of robust preventive measures.
Recent findings by cybersecurity researchers at Trellix have revealed that the latest variant of ViperSoftX uses the Common Language Runtime (CLR) to load and run PowerShell commands from within AutoIt dynamically. This integration enhances the malware's evasive capabilities and enables stealthy PowerShell execution, further complicating the threat landscape for users.
The attack vector employed by ViperSoftX begins with unsuspecting victims downloading what appears to be a legitimate book from a malicious torrent site. In reality, the RAR archive conceals the threat: deceptive shortcuts, disguised scripts, and folder structures that mimic images. Executing its contents sets off a series of commands that unveil the hidden folder, manipulate disk sizes, create persistent Windows tasks, and implant hidden AutoIt scripts into the operating system.
This multi-stage attack relies on file obfuscation and automation to deploy the malware while evading detection. By using AutoIt's ability to interact with the .NET CLR, ViperSoftX executes PowerShell commands stealthily, evades the Antimalware Scan Interface (AMSI), decrypts payloads, and extracts system information in order to target cryptocurrency wallets.
The collected data, including detailed user system information, is transmitted to the malware's Command and Control (C2) server using obfuscated hostnames and Base64-encoded user agents. To further evade detection, ViperSoftX uses the pOPSKX function to establish a web client, send abnormal POST requests with zero content length, and route traffic through Cloudflare services to obscure its origin and preserve anonymity.
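As an added example, not taken from the Trellix report or from this article, the following Python scan runs over constructed proxy log lines and flags the beacon shape described above: a POST with zero content length whose User-Agent header is a Base64 blob rather than a browser string. The log format, hostnames, and addresses are assumptions made up for this example.

```python
import base64
import re
from dataclasses import dataclass

# Constructed proxy-log format for this example (not a real product's format):
# <timestamp> <client_ip> <method> <host> <content_length> "<user_agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<host>\S+) '
    r'(?P<content_length>\d+) "(?P<ua>[^"]*)"$'
)
B64_RE = re.compile(r'^[A-Za-z0-9+/]{8,}={0,2}$')

@dataclass
class Finding:
    src: str
    host: str
    ua: str
    decoded_ua: str

def looks_base64(value: str):
    """Return the decoded text if value is valid Base64 that decodes to printable text, else None."""
    if not B64_RE.match(value) or len(value) % 4:
        return None
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return decoded if decoded.isprintable() else None

def scan_log(lines):
    """Flag POST requests with Content-Length 0 whose User-Agent is a Base64 blob."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        if m["method"] != "POST" or int(m["content_length"]) != 0:
            continue
        decoded = looks_base64(m["ua"])
        if decoded is not None:
            findings.append(Finding(m["src"], m["host"], m["ua"], decoded))
    return findings

# Constructed sample traffic: a normal browser POST, an empty POST with a browser UA,
# an empty POST carrying a Base64-encoded user agent, and an unrelated GET.
FAKE_UA = base64.b64encode(b"DESKTOP-EXAMPLE|user|Windows 10").decode()
SAMPLE_LOG = [
    '2024-07-10T12:00:01Z 10.0.0.5 POST api.example.test 512 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '2024-07-10T12:00:02Z 10.0.0.5 POST cdn.example.test 0 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    f'2024-07-10T12:00:03Z 10.0.0.7 POST beacon.example.test 0 "{FAKE_UA}"',
    '2024-07-10T12:00:04Z 10.0.0.8 GET www.example.test 0 "curl/8.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.src} -> {f.host}: User-Agent decodes to {f.decoded_ua!r}")
```

Only the third constructed line is flagged; a decoded user agent that reads like host and user details is the signal worth escalating, since legitimate clients do not encode their identity this way.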
Additionally, ViperSoftX performs various malicious activities such as capturing screenshots, searching for additional payloads, conducting reconnaissance against targets, and triggering a self-destruct mechanism when needed. By running PowerShell inside AutoIt via the CLR, the malware evades detection and bypasses AMSI, posing a significant challenge to traditional security measures.
Developing a comprehensive defense strategy against ViperSoftX requires a thorough understanding of its tactics and capabilities. By implementing advanced security measures, organizations can mitigate the risks posed by this sophisticated malware. With the landscape of cyber threats constantly evolving, staying vigilant and prepared to combat advanced malware like ViperSoftX is crucial to safeguarding sensitive data and systems.
