ViperSoftX Malware Abuses CLR & AutoIt to Execute Malicious Functions & Evade Detection

ViperSoftX, a malware family that has been evolving since 2020, has shifted its distribution from cracked software to eBook torrents. Its AutoIt loader uses the .NET Common Language Runtime (CLR) to host a PowerShell environment inside the AutoIt process, so the malicious functions run in-process rather than through a separately launched PowerShell, which helps it evade detection.

The malware's authors adapt publicly available offensive-security scripts for their own purposes, which speeds up development and improves evasion, making the threat hard to detect and mitigate.

Malware infection flow

The infection starts when a user downloads a malicious eBook torrent containing a RAR archive disguised as a legitimate eBook. The archive holds a decoy PDF plus a hidden folder that replicates the archive's contents except for that PDF, and a shortcut (LNK) file masquerading as a JPG image. Opening the shortcut runs PowerShell commands embedded in a seemingly blank JPG file.

The chain relies on LNK execution, command-line manipulation and PowerShell obfuscation to carry out the malicious actions without any further user interaction.
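The following triage script is an added example and is not code from the article or from ViperSoftX. Given a directory where such an archive was extracted, it lists the shortcut files, flags those whose visible name ends in an image or document extension (Explorer hides the trailing .lnk), and reads each shortcut's target and arguments through the WScript.Shell COM object so the embedded PowerShell command line is exposed. The extension list and the sample path are assumptions.

```powershell
# Added example (not from the article or the ViperSoftX sample): triage a
# directory for the "image that is really a shortcut" lure described above.

function Get-ShortcutLure {
    param([Parameter(Mandatory)][string]$Path)

    $shell = New-Object -ComObject WScript.Shell

    # The lure keeps its real content in a hidden folder; -Force is needed to see it.
    $hiddenDirs = Get-ChildItem -Path $Path -Directory -Force -Recurse |
        Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0 } |
        Select-Object -ExpandProperty FullName

    Get-ChildItem -Path $Path -Filter '*.lnk' -File -Force -Recurse | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        [PSCustomObject]@{
            Shortcut    = $_.FullName
            # "cover.jpg.lnk" is shown by Explorer as "cover.jpg" (extension list is an assumption)
            Masquerades = ($_.BaseName -match '\.(jpe?g|png|gif|pdf)$')
            InHiddenDir = ($hiddenDirs -contains $_.DirectoryName)
            Target      = $lnk.TargetPath
            Arguments   = $lnk.Arguments
            Icon        = $lnk.IconLocation
        }
    }
}

# Hypothetical extraction directory; point it at the unpacked torrent payload.
Get-ShortcutLure -Path 'C:\Users\analyst\Downloads\ebook' | Format-List
```

A shortcut whose Target is powershell.exe (or cmd.exe chaining into it) with Arguments that reference a .jpg file, combined with a Masquerades value of True, is the pattern the infection flow above describes; the Arguments field is the PowerShell one-liner worth decoding next.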

Concealed PowerShell code

The PowerShell script unhides the hidden folder, calculates the system's total disk space and uses that number as the name of both the AutoIt script and a scheduled task. The task is configured to run every 5 minutes after logon and every 10 minutes daily.

The script then copies and renames files into the %APPDATA% folder to create an AutoIt executable and its script, and finally deletes every shortcut file in the current directory, hiding the malicious activity behind the decoy eBook in the hidden folder.
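The hunting function below is an added example, not code from the article or the malware. It walks the scheduled tasks on a Windows host and flags the three traits the persistence step above leaves behind: a purely numeric task name (the disk-space value), an action that runs out of %APPDATA%, and a repetition interval of ten minutes or less. The threshold, the numeric-name heuristic and the function name are assumptions; legitimate software also schedules tasks from %APPDATA%, so treat the reason count as a ranking aid rather than a verdict.

```powershell
# Added example (not from the article or the ViperSoftX sample): hunt for the
# scheduled-task persistence pattern described above.

function Find-SuspiciousTask {
    param(
        # Repetition intervals at or below this are flagged (assumed threshold)
        [TimeSpan]$MaxInterval = [TimeSpan]::FromMinutes(10)
    )

    foreach ($task in Get-ScheduledTask) {
        $reasons = @()

        # The dropper names the task after the total disk space, i.e. digits only
        if ($task.TaskName -match '^\d+$') {
            $reasons += 'numeric task name'
        }

        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -match '(?i)%APPDATA%|\\AppData\\Roaming\\') {
                $reasons += "runs from %APPDATA%: $($cmd.Trim())"
            }
        }

        foreach ($trigger in $task.Triggers) {
            $interval = $trigger.Repetition.Interval
            if ([string]::IsNullOrEmpty($interval)) { continue }
            # Task Scheduler stores intervals as ISO 8601 durations such as PT5M
            $span = [System.Xml.XmlConvert]::ToTimeSpan($interval)
            if ($span -le $MaxInterval) {
                $reasons += "repeats every $span"
            }
        }

        if ($reasons.Count -gt 0) {
            [PSCustomObject]@{
                TaskName    = $task.TaskName
                TaskPath    = $task.TaskPath
                Author      = $task.Author
                ReasonCount = $reasons.Count
                Reasons     = ($reasons -join '; ')
            }
        }
    }
}

Find-SuspiciousTask | Sort-Object ReasonCount -Descending | Format-Table -AutoSize -Wrap
```

A task that hits all three reasons, with the numeric name matching the AutoIt script name in %APPDATA%, is the combination described above; run the function from an elevated session so tasks registered by other users are visible.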

Hidden folder content highlights the decoy eBook

The AutoIt scripts are heavily obfuscated to conceal the malicious activity. By leveraging AutoIt user-defined functions (UDFs), the attackers gain access to the .NET Common Language Runtime, enabling covert execution of PowerShell commands.

This lets them harness PowerShell's capabilities from within the AutoIt process, expanding the range of malicious actions available while evading detection.

PowerShell Script within AutoIt using .NET CLR

The _PatchAMSI function in ViperSoftX attempts to bypass AMSI by modifying the AmsiScanBuffer function in memory. It loads the AMSI library (amsi.dll), locates the address of AmsiScanBuffer, changes the memory protection of that region so it can be written to, and overwrites the function's first instructions with custom opcodes.

Those opcodes make AmsiScanBuffer return an error code immediately, so AMSI never scans the buffer and the malicious PowerShell runs without being flagged.
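The defender-side check below is an added example and is not code from the article, from Trellix or from the ViperSoftX sample. It resolves AmsiScanBuffer in the current PowerShell process, reads the first bytes of the function, and looks for the opcode sequences that an "always return an error" patch leaves behind (a bare ret, mov eax,imm32 followed by ret, xor eax,eax, or a jmp planted at the entry), then reports the page protection of that region, since a patch that forgot to restore it leaves the code page writable. The patch patterns, the AmsiProbe class and the function name are assumptions based on the common form of this bypass, not bytes recovered from ViperSoftX.

```powershell
# Added example (not from the article or the ViperSoftX sample): detect an
# in-memory patch of AmsiScanBuffer in the current process.

$amsiProbeSource = @'
using System;
using System.Runtime.InteropServices;

public static class AmsiProbe
{
    [StructLayout(LayoutKind.Sequential)]
    public struct MEMORY_BASIC_INFORMATION
    {
        public IntPtr BaseAddress;
        public IntPtr AllocationBase;
        public uint   AllocationProtect;
        public IntPtr RegionSize;
        public uint   State;
        public uint   Protect;
        public uint   Type;
    }

    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Ansi)]
    public static extern IntPtr LoadLibrary(string name);

    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Ansi, ExactSpelling = true)]
    public static extern IntPtr GetProcAddress(IntPtr module, string proc);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr VirtualQuery(IntPtr address, out MEMORY_BASIC_INFORMATION info, IntPtr length);
}
'@
Add-Type -TypeDefinition $amsiProbeSource

function Get-AmsiScanBufferState {
    $hAmsi = [AmsiProbe]::LoadLibrary('amsi.dll')
    if ($hAmsi -eq [IntPtr]::Zero) { throw 'amsi.dll could not be loaded' }
    $fn = [AmsiProbe]::GetProcAddress($hAmsi, 'AmsiScanBuffer')
    if ($fn -eq [IntPtr]::Zero) { throw 'AmsiScanBuffer is not exported by this amsi.dll' }

    # First bytes of the function; a genuine prologue never starts with ret or a bare jmp
    $prologue = New-Object byte[] 8
    [System.Runtime.InteropServices.Marshal]::Copy($fn, $prologue, 0, $prologue.Length)

    # Page protection of the region holding the function
    $mbi = [AmsiProbe+MEMORY_BASIC_INFORMATION]::new()
    $mbiSize = [System.Runtime.InteropServices.Marshal]::SizeOf($mbi)
    [void][AmsiProbe]::VirtualQuery($fn, [ref]$mbi, [IntPtr]$mbiSize)

    # Patch signatures are assumptions based on the common AMSI bypass, not sample bytes
    if ($prologue[0] -eq 0xC3) {
        $verdict = 'patched: immediate ret'
    } elseif ($prologue[0] -eq 0xB8 -and $prologue[5] -eq 0xC3) {
        $hr = [BitConverter]::ToUInt32($prologue, 1)        # imm32 is little-endian
        $verdict = 'patched: mov eax,0x{0:X8}; ret' -f $hr
    } elseif (($prologue[0] -eq 0x31 -or $prologue[0] -eq 0x33) -and $prologue[1] -eq 0xC0) {
        $verdict = 'patched: xor eax,eax at entry'
    } elseif ($prologue[0] -eq 0xE9 -or $prologue[0] -eq 0xEB) {
        $verdict = 'hooked: jmp at entry'
    } else {
        $verdict = 'no known patch pattern (compare prologue with a known-good host)'
    }

    $protection = switch ($mbi.Protect) {
        0x20    { 'PAGE_EXECUTE_READ' }
        0x40    { 'PAGE_EXECUTE_READWRITE (writable code page)' }
        0x80    { 'PAGE_EXECUTE_WRITECOPY' }
        default { '0x{0:X}' -f $_ }
    }

    [PSCustomObject]@{
        Address    = '0x{0:X}' -f $fn.ToInt64()
        Prologue   = (($prologue | ForEach-Object { '{0:X2}' -f $_ }) -join ' ')
        Protection = $protection
        Verdict    = $verdict
    }
}

Get-AmsiScanBufferState
```

The check only inspects the process it runs in, so it tells you whether your own session has been tampered with; for a loader like ViperSoftX, which hosts PowerShell inside an AutoIt process, the same byte-level logic has to be applied to that process's memory from outside (an EDR or a ReadProcessMemory-based scanner). The Prologue field is printed raw on purpose: the genuine first instructions differ between amsi.dll builds, so compare them with a clean host of the same build rather than hardcoding them.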

Attempt to bypass AMSI Detection

ViperSoftX uses layered encryption and obfuscation to conceal its main PowerShell payload. That payload collects system information, including cryptocurrency wallet details, and exfiltrates it to a C2 server, using a spoofed hostname and a custom User-Agent to disguise the traffic.

According to Trellix, the malware dynamically receives further commands, captures clipboard content, checks for installed antivirus products, and can delete itself, demonstrating its adaptability and persistence.

Kaaviya (https://cyberpress.org/)
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She covers various cyber security incidents happening in cyberspace.
