
ViperSoftX Malware Utilizes Deep Learning Model for Command Execution


ViperSoftX, a malware family known for stealing cryptocurrency information, has been observed deploying a component that uses Tesseract, the open-source OCR engine (its current recognition engine is an LSTM neural network, which is the "deep learning model" of the headline). The component extracts text from image files on infected systems and scans that text for phrases related to passwords or cryptocurrency wallets.

Once a match is found, the malware exfiltrates the matching image. The OCR step is the novel part of this chain; the rest reuses existing capabilities such as remote command execution. Attackers have also been observed using ViperSoftX to deploy additional malware, including Quasar RAT and TesseractStealer.

ViperSoftX combines remote access trojan (RAT) and information-stealer capabilities and primarily targets Windows systems. Originally distributed disguised as cracks or key generators, it installs a RAT component for system control and an infostealer component that captures cryptocurrency wallet addresses.

Avast's 2022 analysis described a ViperSoftX variant built around PowerShell scripts, with clipboard manipulation (swapping cryptocurrency wallet addresses in copied text) and the ability to install additional payloads. One of those payloads, VenomSoftX, is a malicious browser extension that the attackers install into Chromium-based browsers (Chrome and similar) to steal data from inside the browser.

Trend Micro's 2023 report described updated routines in ViperSoftX that specifically target password managers, including KeePass 2 and 1Password. The same report documented the malware collecting system information, usernames, installed-software lists and cryptocurrency data and sending it to its command-and-control server Base64-encoded inside the HTTP User-Agent header, so that the exfiltration looks like an ordinary web request.
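The Base64-in-User-Agent exfiltration described above is something a proxy or web-server log can be hunted for. The Python below is an added example, not code from this page or from any of the cited reports: it scans constructed proxy log lines (the log field order and the beacon contents are assumptions made for the example) for User-Agent values that consist entirely of Base64 characters and decode to readable ASCII, which genuine browser User-Agents, with their spaces, dots and parentheses, never do.

```python
import base64
import binascii
import re
import string

# Constructed proxy log lines, not real telemetry. The field order (time, client,
# method, URL, quoted User-Agent) and the beacon contents are assumptions for this example.
ENCODED_BEACON = base64.b64encode(
    b"host=DESKTOP-ABC123;user=alice;sw=KeePass 2,1Password;wallet=present"
).decode("ascii")

SAMPLE_LOG = "\n".join([
    '2024-05-10T10:01:02Z 10.0.0.5 GET http://example.test/ '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"',
    f'2024-05-10T10:01:09Z 10.0.0.5 POST http://c2.example.test/api "{ENCODED_BEACON}"',
    '2024-05-10T10:01:15Z 10.0.0.7 GET http://example.test/a.png "curl/8.4.0"',
])

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')
# A genuine User-Agent contains spaces, dots or parentheses; a value made only of the
# Base64 alphabet and at least 16 characters long is worth trying to decode.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def decode_if_base64_text(value):
    """Return the decoded string if value is strict Base64 of printable ASCII, else None."""
    if len(value) % 4 or not B64_RE.match(value):
        return None
    try:
        raw = base64.b64decode(value, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    if not text or any(ch not in string.printable for ch in text):
        return None
    return text


def find_encoded_user_agents(log_text):
    """Return the requests whose User-Agent header decodes to readable text."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        timestamp, client, method, url, user_agent = m.groups()
        decoded = decode_if_base64_text(user_agent)
        if decoded is not None:
            hits.append({"time": timestamp, "client": client, "url": url, "decoded": decoded})
    return hits


if __name__ == "__main__":
    for hit in find_encoded_user_agents(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} -> {hit['url']}: {hit['decoded']}")
```

The decode-to-printable-ASCII check is what keeps the rule quiet: the rare legitimate User-Agent made only of Base64 characters (a bare product token, say) almost never decodes to clean text, and raising the minimum length above 16 trims the remainder. The same two functions work unchanged over web-server access logs or Zeek `http.log` once the line parser is adapted to that format.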

The latest iteration arrives through a dropper named win32.exe, which places Svchost.exe and System32.exe on the system and registers a PowerShell script, update.ps1, to run periodically. Although this version has fewer built-in functions, it can still download additional malware such as Quasar RAT or TesseractStealer through PowerShell scripts.

Quasar RAT, an open-source RAT developed in .NET, grants attackers remote access to compromised systems and enables various manipulations such as file transfer, process control, and registry modifications. The malicious capabilities of Quasar RAT extend to keylogging and credential collection to facilitate information theft.

A report from AhnLab Security Intelligence Centre (ASEC) revealed that real-time control can be achieved through remote desktop functionality facilitated by Quasar RAT. Since July 2023, attackers have been seen distributing Quasar RAT at scale through ViperSoftX, showcasing the widespread adoption of this malware strain.

Recent samples also route their communication over Tor to reach command-and-control servers hosted on the Tor network, a choice that keeps the operators anonymous and makes the infrastructure harder to detect and take down.

TesseractStealer, often deployed alongside Quasar RAT, uses the Tesseract library for optical character recognition (OCR) on image files found on the compromised system. It searches the extracted text for strings associated with one-time passwords, password-recovery data and cryptocurrency wallet addresses, which points to a focus on stealing cryptocurrency assets.
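TesseractStealer's selection logic, as described above, is keyword and pattern matching over OCR output. The Python below is an added example, not the stealer's own code or anything from ASEC's analysis: it applies that kind of matching to constructed OCR text (the three sample "images" and their text are made up, and the seed-phrase rule is a heuristic on runs of short lowercase words rather than a BIP-39 wordlist check). The same scan run over a user's screenshot folder tells a defender which images such a stealer would pick up; replace the constructed OCR_SAMPLES with real `pytesseract.image_to_string(path)` output to run it on actual images.

```python
import re

# Constructed OCR output for three hypothetical screenshots; none of this is real data.
# In practice each value would come from pytesseract.image_to_string(path).
SEED_WORDS = "apple bridge candle dragon eagle forest garden hammer island jungle kitten lemon"
SAMPLE_BTC = "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"   # BIP-173 example address
SAMPLE_ETH = "0x" + "ab" * 20                                 # syntactically valid, made up

OCR_SAMPLES = {
    "wallet.png": f"Your recovery phrase: {SEED_WORDS}\nReceive address: {SAMPLE_BTC}\nETH: {SAMPLE_ETH}",
    "login.png": "Sign in to Exchange\nYour verification code is 482913\nPassword: ********",
    "meeting.png": "Q3 roadmap review: migrate CI runners to the new cluster by Friday",
}

# Patterns for the string classes the stealer is reported to look for. The seed-phrase
# rule is a heuristic (12 to 24 consecutive short lowercase words), not a BIP-39 check.
PATTERNS = {
    "btc_address": re.compile(r"\b(?:bc1[02-9ac-hj-np-z]{25,62}|[13][1-9A-HJ-NP-Za-km-z]{25,34})\b"),
    "eth_address": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
    "seed_phrase": re.compile(r"\b(?:[a-z]{3,8}\s+){11,23}[a-z]{3,8}\b"),
    "otp_code": re.compile(r"\b(?:otp|one[- ]time|verification|2fa)\b[^\n]{0,40}?\b(\d{6,8})\b", re.I),
    "credential_keyword": re.compile(
        r"\b(?:password|passphrase|recovery (?:phrase|key)|seed phrase|private key)\b", re.I),
}


def triage_ocr_text(text):
    """Return {category: [matches]} for the sensitive strings found in one OCR result."""
    hits = {}
    for name, pattern in PATTERNS.items():
        found = []
        for m in pattern.finditer(text):
            # For patterns with a capture group (the OTP code) report the group, else the whole match.
            found.append(m.group(m.lastindex) if m.lastindex else m.group(0))
        if found:
            hits[name] = found
    return hits


def scan_images(ocr_results):
    """Keep only the images whose text matched something; these are the ones a stealer would take."""
    report = {}
    for filename, text in ocr_results.items():
        hits = triage_ocr_text(text)
        if hits:
            report[filename] = hits
    return report


if __name__ == "__main__":
    for filename, hits in scan_images(OCR_SAMPLES).items():
        print(filename, hits)
```

The address regexes only check shape, so a base58 or bech32 checksum step would be needed before acting on a hit; for triage that looseness is the point, since the stealer is equally loose and a defender wants to see everything it would have grabbed.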

In conclusion, the continuous evolution and adaptation of ViperSoftX underscore the persistent threat posed by sophisticated malware strains in the realm of cybersecurity. Organizations and individuals alike must remain vigilant and employ robust security measures to safeguard against such malicious threats.

