Description
The ViperSoftX malware, which made headlines in 2022 as a cryptocurrency stealer, has received new updates: it now targets password managers, uses more sophisticated encryption techniques and has improved detection-evasion capabilities.
Details
ViperSoftX is typically delivered through cracked software and activators, patchers or key generators (keygens). It can also be delivered through non-malicious software such as video editors and converters, coin miner applications and system cleaner applications. The malware is attached to this software as a package containing the carrier executable and the decryptor/loader DLL. The DLL loader decrypts and loads the ViperSoftX DLL, which then checks the system for virtual machines (VMware and VirtualBox), monitoring tools (specifically Process Monitor) and active antivirus products (specifically Windows Defender and ESET). If everything checks out, the DLL loader proceeds to download and decrypt the main ViperSoftX payload from two C2 servers (namely ahoravideo-schnellvpn.xyz and arrowlchat.com) in two stages.
ViperSoftX features a unique encryption technique called byte remapping. The technique rearranges the bytes in a file, and the file can only be decrypted using the correct byte map, which places each byte in its correct location. ViperSoftX uses this technique to hide its code and protect against forced decryption. Researchers noted that each DLL loader for this malware has its own pair of executable and byte map, and can only decrypt its related ViperSoftX executable. Using an unrelated DLL loader and ViperSoftX executable results in incorrectly rearranged shellcode and an executable that does not work.
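The advisory describes byte remapping only at a high level. The following is an added, constructed illustration (not code from the advisory, Trend Micro, or the malware) of why a per-sample byte map behaves like a key: it models the map as a 256-entry byte substitution table derived from a per-loader seed (an assumption; the real map layout is not described here), shows that the matching map restores the original bytes, and that a map taken from a different loader pairing yields an unusable blob. The seeds and the "payload" bytes are constructed sample values.

```python
"""Toy model of a per-loader byte-map scheme (constructed illustration).

Assumption: the byte map is a 256-entry substitution table. Each loader is
modelled as deriving its own table from a loader-specific seed, so only the
matching loader can restore the payload it was paired with.
"""
import hashlib
import random


def make_byte_map(seed: bytes) -> bytes:
    """Derive a deterministic 256-byte permutation table from a seed.

    Models a loader that ships with its own byte map; 'seed' is a stand-in
    for whatever per-sample material the real loader carries (assumption).
    """
    rng = random.Random(int.from_bytes(hashlib.sha256(seed).digest()[:8], "big"))
    table = list(range(256))
    rng.shuffle(table)
    return bytes(table)


def invert_byte_map(byte_map: bytes) -> bytes:
    """Build the inverse table so remapped bytes can be mapped back."""
    inverse = bytearray(256)
    for original, remapped in enumerate(byte_map):
        inverse[remapped] = original
    return bytes(inverse)


def remap(data: bytes, byte_map: bytes) -> bytes:
    """Apply the byte map to every byte (bytes.translate does the lookup)."""
    return data.translate(byte_map)


def recover(blob: bytes, byte_map: bytes) -> bytes:
    """Undo the remapping with the map that was used to produce 'blob'."""
    return blob.translate(invert_byte_map(byte_map))


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check an analyst might apply to a recovered blob."""
    return data[:2] == b"MZ"


# Constructed sample payload: a fake PE header followed by filler bytes.
SAMPLE_PAYLOAD = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00" + bytes(range(32, 64))


def demo() -> dict:
    """Remap with loader A's map, then recover with A's map and with B's map."""
    map_a = make_byte_map(b"loader-A-seed")  # constructed seed
    map_b = make_byte_map(b"loader-B-seed")  # constructed seed
    blob = remap(SAMPLE_PAYLOAD, map_a)
    with_matching_map = recover(blob, map_a)
    with_unrelated_map = recover(blob, map_b)
    return {
        "blob_hides_header": not looks_like_pe(blob),
        "matching_map_restores": with_matching_map == SAMPLE_PAYLOAD,
        "unrelated_map_restores": with_unrelated_map == SAMPLE_PAYLOAD,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

For a defender, the practical consequence is the one the advisory states: a captured ViperSoftX blob cannot be analysed in isolation, and the sample's own loader DLL (carrying its paired byte map) must be collected alongside it.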
The latest iteration of ViperSoftX targets many more cryptocurrency wallets. Additionally, researchers found that the malware now targets password managers and features a communication blocker for web browsers that helps to block C2 traffic. ViperSoftX now targets the following cryptocurrency wallets on compromised devices:
Armory
Delta
Atomic Wallet
Electrum
Binance
Exodus
Bitcoin
Guarda
Blockstream Green
Jaxx Liberty
Coinomi
Ledger Live
Trezor Bridge
The password managers targeted by ViperSoftX are KeePass 2 and 1Password. Because the malware is capable of scanning for KeePass passwords, researchers looked for possible abuse of CVE-2023-24055, a KeePass vulnerability that forces the application to dump stored passwords in plain text. However, at the time there was no evidence of the malware exploiting the CVE.
The researchers highlighted that the malware's targets and victims are found at both the enterprise and consumer levels. At the enterprise level, India, Pakistan and the Philippines were the top three targeted countries. At the consumer level, the majority of victims were in Australia, Japan and the United States (see this image for reference).
Indicators of Compromise
For a list of IOCs including hashes of the malware and URLs of the detected C2 servers, please refer to the link below: https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/d/vipersoftx-updates-encryption-steals-data/IOCs_ViperSoftX-updates-encryption-steals-data.txt
Remediation
ViperSoftX is delivered through illegal software and bundled with some non-malicious software. It is therefore recommended to:
Download software and applications from official platforms and sources.
Download alternative freeware solutions from reputable sources and platforms instead of downloading illegal software.
Have reputable security solutions in place that can detect and block malicious components in seemingly legitimate and non-malicious software and applications.
The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
PDF Download: ViperSoftX malware now targets password managers.pdf
References
Ladores, D. O. (2023, April 24). ViperSoftX Updates Encryption, Steals Data. Retrieved from TrendMicro. https://www.trendmicro.com/en_us/research/23/d/vipersoftx-updates-encryption-steals-data.html
Toulas, B. (2023, April 28). ViperSoftX info-stealing malware now targets password managers. Retrieved from Bleeping Computer. https://www.bleepingcomputer.com/news/security/vipersoftx-info-stealing-malware-now-targets-password-managers/