The sophisticated malware known as ViperSoftX has been observed being distributed as eBooks over torrents.
“A notable aspect of the current variant of ViperSoftX is that it uses the Common Language Runtime (CLR) to dynamically load and run PowerShell commands, thereby creating a PowerShell environment within AutoIt for operations,” Trellix security researchers Mathanraj Thangaraju and Sijo Jacob said.
“By utilizing CLR, ViperSoftX can seamlessly integrate PowerShell functionality, allowing it to execute malicious functions while evading detection mechanisms that might otherwise flag standalone PowerShell activity.”
Initially detected by Fortinet in 2020, ViperSoftX is known for its ability to exfiltrate sensitive information from compromised Windows hosts. Over the years, the malware has become a relevant example of threat actors continuously innovating their tactics in an attempt to stay stealthy and circumvent defenses.
This is exemplified by the increased complexity and the adoption of advanced anti-analysis techniques such as byte remapping and web browser communication blocking, as documented by Trend Micro in April 2023.
As recently as May 2024, malicious campaigns have leveraged ViperSoftX as a delivery vehicle to distribute Quasar RAT and another information stealer named TesseractStealer.
Attack chains propagating the malware are known to employ cracked software and torrent sites, but the use of eBook lures is a newly observed approach. Present within the supposed eBook RAR archive file is a hidden folder as well as a deceptive Windows shortcut file that purports to be a benign document.
Executing the shortcut file initiates a multi-stage infection sequence that begins with the extraction of PowerShell code that unhides the concealed folder and sets up persistence on the system to launch an AutoIt script that, in turn, interacts with the .NET CLR framework, to decrypt and run a secondary PowerShell script, which is ViperSoftX.
“AutoIt does not by default support the .NET Common Language Runtime (CLR),” the researchers said. “However, the language’s user-defined functions (UDF) offer a gateway to the CLR library, granting malevolent actors access to PowerShell’s formidable capabilities.”
ViperSoftX harvests system information, scans for cryptocurrency wallets via browser extensions, captures clipboard contents, and dynamically downloads and runs additional payloads and commands based on responses received from a remote server. It also comes with self-deletion mechanisms to challenge detection.
“One of the hallmark features of ViperSoftX is its adept use of the Common Language Runtime (CLR) to orchestrate PowerShell operations within the AutoIt environment,” the researchers said. “This integration enables seamless execution of malicious functions while evading detection mechanisms that would typically flag standalone PowerShell activity.”
“Furthermore, ViperSoftX’s ability to patch the Antimalware Scan Interface (AMSI) before executing PowerShell scripts underscores its determination to circumvent traditional security measures.”