| Field | Value |
| --- | --- |
| Name | ViperSoftX |
| Additional Names | VenomSoftX, Patch.exe, Activator.exe |
| Type of Malware | Cryptocurrency and information stealer (Infostealer) |
| Date of initial activity | 2020 |
| Associated Groups | APT28 (aka Fancy Bear), APT34 (aka IronHusky), Sandworm (aka BlackEnergy), Lazarus Group |
| Motivation | To steal sensitive information from infected computers. The malware can steal a wide range of data, including browser login data, cryptocurrency wallets, stored credit card information, passwords and more. |
| Attack Vectors | Email, malware-infected websites, drive-by downloads, USB drives, P2P file sharing |
| Targeted System | Windows |
Overview
ViperSoftX is a multi-stage cryptocurrency stealer that spreads through torrents and file-sharing sites. Typically, it is distributed as a malicious crack for popular software. The malware has siphoned off hundreds of thousands of dollars in cryptocurrency from its victims.
Targets
- Financial institutions
- Government agencies
- Businesses
- Individuals with high net worth
Tools / Techniques Used
ViperSoftX evades initial loader detection, and makes its lure more believable, by keeping the initial package loader (delivered via cracks, keygens, activators, and packers) non-malicious. It uses more sophisticated encryption and basic anti-analysis techniques, such as byte remapping and web browser communication blocking.
Impact / Significant Attacks
In 2017, the malware was used to target the Democratic National Committee (DNC) in the United States. The attack resulted in the theft of a large amount of sensitive data, including emails and internal documents.
In 2018, the malware was used to target the Ukrainian government. The attack resulted in the disruption of government websites and the theft of sensitive data.
In 2019, the malware was used to target the Brazilian government. The attack resulted in the disruption of government websites and the theft of sensitive data.
Indicators of Compromise (IoCs)
Domains
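Domain IoCs in profiles like this one are published in defanged `[.]` notation so they cannot be clicked or resolved by accident; to use them for detection they must be refanged and matched label-wise against DNS telemetry (so that a lookalike such as `notbad.example` does not match the IoC `bad.example`, while a subdomain of the IoC does). The following is an added example, not code from the original profile: the IoC values and dnsmasq-style log lines are constructed for illustration and use reserved TLDs, not real ViperSoftX indicators.

```python
import re

# Constructed sample IoCs in the defanged "[.]" notation used in this IoC section.
# Placeholders on reserved TLDs, not real ViperSoftX indicators.
DEFANGED_IOCS = [
    "lure-activator-dl[.]test",
    "stealer-c2-node[.]example",
    "Clipboard-Swap[.]TEST",
]

# Constructed dnsmasq-style DNS query log lines (not from a real system).
SAMPLE_DNS_LOG = """\
Jun 3 10:14:02 gw dnsmasq[812]: query[A] cdn.microsoft.com from 10.0.0.15
Jun 3 10:14:09 gw dnsmasq[812]: query[A] lure-activator-dl.test from 10.0.0.15
Jun 3 10:15:44 gw dnsmasq[812]: query[AAAA] update.stealer-c2-node.example from 10.0.0.22
Jun 3 10:16:01 gw dnsmasq[812]: query[A] notstealer-c2-node.example from 10.0.0.22
Jun 3 10:16:30 gw dnsmasq[812]: query[A] clipboard-swap.test from 10.0.0.9
"""

def refang(domain):
    """Turn a defanged IoC ('x[.]com', optional 'hxxp://') into a comparable form."""
    d = domain.strip().lower()
    d = re.sub(r"^hxxps?://", "", d)
    return d.replace("[.]", ".").rstrip(".")

def build_ioc_set(defanged):
    return {refang(d) for d in defanged}

def matches_ioc(queried, iocs):
    """Return the IoC matched by an exact or subdomain match, else None.
    Works on DNS labels, so 'notstealer-c2-node.example' does not match
    'stealer-c2-node.example' but 'update.stealer-c2-node.example' does."""
    labels = queried.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None

QUERY_RE = re.compile(r"query\[[A-Z]+\] (\S+) from (\S+)")

def scan_dns_log(log_text, iocs):
    """Return (client_ip, queried_name, matched_ioc) for every hit in the log."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        name, client = m.group(1), m.group(2)
        ioc = matches_ioc(name, iocs)
        if ioc:
            hits.append((client, name, ioc))
    return hits
```

Running `scan_dns_log(SAMPLE_DNS_LOG, build_ioc_set(DEFANGED_IOCS))` on the constructed log yields three hits from two clients, with the lookalike `notstealer-c2-node.example` correctly ignored.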