A large number of victims in the consumer and enterprise sectors located in Australia, Japan, US and India have been affected by information-stealing malware called ViperSoftX.
ViperSoftX was first documented in 2020, with cybersecurity firm Avast detailing a November 2022 campaign that leveraged malware to distribute malicious Google Chrome extensions capable of siphoning cryptocurrency from wallet applications.
Now a new analysis from Trend Micro has disclosed the malware’s adoption of “more sophisticated encryption and basic anti-analysis techniques, such as byte remapping and blocking of web browser communications.”
ViperSoftX’s arrival vector is usually a software crack or key generator (keygen), while also using actual non-malicious software such as multimedia editors and system cleaning applications as “operators”.
One of the key steps the malware takes before downloading the first stage of the PowerShell loader is a series of anti-virtual engine, anti-monitoring, and anti-malware checks.
The loader then decrypts and executes a second stage of PowerShell script fetched from the remote server, which then takes care of launching the main routine responsible for installing rogue browser extensions to extract crypto wallet passwords and data.
The main command-and-control (C&C) server used for the second stage of the download was observed changing monthly, indicating an attempt on the part of the actor to avoid detection.
“It also uses some basic anti-C&C analysis by disallowing communication using web browsers,” said Trend Micro researcher Don Ovid Ladores, adding that the latest version of ViperSoftX scans for the presence of password managers KeePass 2 and 1Password.
As a mitigation, it is recommended that users download software only from official platforms and sources, and avoid downloading illegal software.
“Cybercriminals behind ViperSoftX are also skilled enough to execute seamless chains for malware execution while remaining under the radar of authorities by selecting the one of the most effective methods to deliver malware to consumers,” added Ovid Ladores.