
ViperSoftX malware disguises itself as e-books on torrents to spread stealthy attacks

July 10, 2024 | Press release | Endpoint Security / Threat Intelligence

The sophisticated malware called ViperSoftX has been observed being distributed in the form of e-books via torrents.

“A notable aspect of the current variant of ViperSoftX is that it uses the Common Language Runtime (CLR) to dynamically load and execute PowerShell commands, thus creating a PowerShell environment within AutoIt for operations,” said Trellix security researchers Mathanraj Thangaraju and Sijo Jacob.

“By leveraging CLR, ViperSoftX can seamlessly integrate PowerShell functionality to perform malicious functions while evading detection mechanisms that would otherwise flag standalone PowerShell activities.”


First discovered by Fortinet in 2020, ViperSoftX is known for its ability to exfiltrate sensitive information from compromised Windows hosts. Over the years, the malware has become a relevant example of how threat actors are constantly evolving their tactics to remain stealthy and evade defenses.

This is illustrated by the increasing complexity and introduction of advanced anti-analysis techniques such as byte remapping and blocking web browser communication, as documented by Trend Micro in April 2023.

As recently as May 2024, malicious campaigns used ViperSoftX as a distribution medium to spread Quasar RAT and another information stealer called TesseractStealer.

Attack chains spreading the malware are known to use cracked software and torrent sites, but the use of e-book lures is a newly observed approach. Inside the supposed e-book RAR archive is a hidden folder as well as a rogue Windows shortcut (.lnk) file that pretends to be a harmless document.

Executing the shortcut file initiates a multi-stage infection sequence. It begins by extracting PowerShell code that unhides the hidden folder and establishes persistence on the system to launch an AutoIt script; that script in turn interacts with the .NET CLR framework to decrypt and execute a secondary PowerShell script named ViperSoftX.

“AutoIt does not support the .NET Common Language Runtime (CLR) by default,” the researchers said. “However, the language’s user-defined functions (UDF) provide a gateway to the CLR library, granting malicious actors access to PowerShell’s vast capabilities.”
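As an added defensive example (not code from Trellix or this article), the PowerShell hunt below lists running AutoIt interpreter processes that have loaded the .NET CLR and the PowerShell engine assembly, the combination the report describes; the process-name pattern and module names are assumptions.

```powershell
# Added example, not from the Trellix report: flag AutoIt processes that host the .NET CLR
# and the PowerShell engine (System.Management.Automation). A legitimate AutoIt script
# rarely needs either, so the combination is a useful hunting heuristic for this technique.
# Run from an elevated session of the same bitness as the targets so module enumeration works.
$clrModules = @('clr.dll', 'coreclr.dll', 'mscoree.dll')      # assumed CLR host/runtime DLL names
$psEngine   = 'System.Management.Automation.dll'               # assumed PowerShell engine assembly

function Find-AutoItClrHosts {
    param([string]$NamePattern = 'autoit')   # assumed: matches AutoIt3.exe, AutoIt3_x64.exe, ...

    foreach ($p in Get-Process | Where-Object { $_.ProcessName -match $NamePattern }) {
        $mods = $null
        try {
            $mods = $p.Modules | ForEach-Object { $_.ModuleName }
        } catch {
            # Access denied or bitness mismatch; report it rather than silently skipping.
            Write-Warning "Cannot enumerate modules for PID $($p.Id): $($_.Exception.Message)"
        }
        if (-not $mods) { continue }

        $hasClr = [bool]($mods | Where-Object { $clrModules -contains $_ })
        $hasPs  = [bool]($mods | Where-Object { $_ -ieq $psEngine })
        if ($hasClr -or $hasPs) {
            [pscustomobject]@{
                PID       = $p.Id
                Process   = $p.ProcessName
                Path      = $p.Path
                ClrLoaded = $hasClr
                PsEngine  = $hasPs
                Verdict   = if ($hasClr -and $hasPs) { 'AutoIt hosting PowerShell engine: investigate' }
                            else { 'CLR loaded in AutoIt: review' }
            }
        }
    }
}

Find-AutoItClrHosts | Format-Table -AutoSize
```

The check keys on the process name, so a renamed or script-compiled AutoIt binary will be missed; a broader sweep can drop the name filter and apply the same module test to every process, at the cost of more output to triage.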


ViperSoftX collects system information, scans for cryptocurrency wallets via browser extensions, captures clipboard contents, and dynamically downloads and executes additional payloads and commands based on responses received from a remote server. It also has self-deletion mechanisms to avoid detection.

“One of the outstanding features of ViperSoftX is its clever use of the Common Language Runtime (CLR) to orchestrate PowerShell operations within the AutoIt environment,” the researchers said. “This integration allows for the seamless execution of malicious functions while bypassing detection mechanisms that would normally flag standalone PowerShell activities.”

“In addition, ViperSoftX’s ability to patch the Antimalware Scan Interface (AMSI) before PowerShell scripts are executed underscores its determination to bypass traditional security measures.”
