ViperSoftX variant spotted abusing .NET runtime to disguise data theft

Freeware AutoIt also used to hide entire PowerShell environments in scripts


A rapidly-changing infostealer malware known as ViperSoftX has evolved to become more dangerous, according to security researchers at threat detection vendor Trellix.

ViperSoftX, first spotted in 2020, has recently reemerged with the ability to use the .NET Common Language Runtime (CLR) to obfuscate its use of PowerShell commands, wrote Trellix security scrutineers Mathanraj Thangaraju and Sijo Jacob. The pair suggest those commands are further disguised by hiding them within scripts generated by freeware program AutoIt.

The result is a seriously nasty piece of malware that manages to run PowerShell commands in a hidden environment.

The CLR, also known as the .NET runtime, executes code written in any .NET-compatible language as managed code, which is what lets a non-PowerShell process host the PowerShell engine.

"By utilizing CLR, ViperSoftX can seamlessly integrate PowerShell functionality, allowing it to execute malicious functions while evading detection mechanisms that might otherwise flag standalone PowerShell activity," Thangaraju and Jacob said of the latest variant of the infostealer.
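The evasion described in that quote has a defender-side counterpart: a process that hosts the PowerShell engine through the CLR never shows up as powershell.exe, but it still has to load the engine assembly (System.Management.Automation.dll, or its native image System.Management.Automation.ni.dll), and module-load telemetry such as Sysmon Event ID 7 records that. The following is an added example, not code from Trellix or The Register, that runs that check over constructed Sysmon-style lines; the process names, PIDs and paths in the sample are made up.

```python
import re

# Engine assembly names that indicate a PowerShell runspace is being hosted.
POWERSHELL_ENGINE_DLLS = {
    "system.management.automation.dll",
    "system.management.automation.ni.dll",
}

# Processes expected to host the engine; any other host deserves a look.
EXPECTED_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

# key=value pairs, values optionally double-quoted (paths contain spaces).
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed Sysmon-style image-load (EventID=7) and process-create
# (EventID=1) lines. Nothing here is real telemetry.
SAMPLE_EVENTS = [
    r'EventID=7 ProcessId=4120 Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ImageLoaded="C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll"',
    r'EventID=7 ProcessId=5588 Image="C:\Users\alice\AppData\Local\Temp\AutoIt3.exe" ImageLoaded="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"',
    r'EventID=7 ProcessId=5588 Image="C:\Users\alice\AppData\Local\Temp\AutoIt3.exe" ImageLoaded="C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll"',
    r'EventID=7 ProcessId=9001 Image="C:\Program Files\ExampleVendor\updater.exe" ImageLoaded="C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0123456789abcdef\System.Management.Automation.ni.dll"',
    r'EventID=1 ProcessId=4120 Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CommandLine="powershell.exe -NoProfile"',
]


def basename(path: str) -> str:
    """Lower-cased final path component, tolerating either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> dict:
    """Turn one key=value line into a dict; quoted values keep their spaces."""
    return {
        m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
        for m in KV.finditer(line)
    }


def find_unexpected_powershell_hosts(lines, allowlist=frozenset()) -> list:
    """Return one record per (pid, host) that loaded the PowerShell engine
    while not being a known PowerShell host. `allowlist` holds extra host
    basenames (lower-case) that are legitimate in a given environment."""
    hits, seen = [], set()
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "7":
            continue
        if basename(ev.get("ImageLoaded", "")) not in POWERSHELL_ENGINE_DLLS:
            continue
        host = basename(ev.get("Image", ""))
        if host in EXPECTED_HOSTS or host in allowlist:
            continue
        key = (ev.get("ProcessId"), host)
        if key in seen:
            continue
        seen.add(key)
        hits.append({"pid": ev.get("ProcessId"), "image": ev.get("Image"),
                     "loaded": ev.get("ImageLoaded")})
    return hits


if __name__ == "__main__":
    for hit in find_unexpected_powershell_hosts(SAMPLE_EVENTS):
        print(f"pid {hit['pid']}: {hit['image']} loaded {basename(hit['loaded'])}")
```

The check keys on the loaded module rather than the process name, so it fires on the AutoIt process and the third-party updater but not on powershell.exe itself. Expect legitimate hosts of the engine in real estates (management agents, ISE, some admin consoles), which is what the allowlist is for; tune it from a baseline rather than disabling the rule.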

Microsoft didn't respond to questions for this story.

A well-hidden chain

Previously found hiding in cracked software and pirated apps, this latest CLR-capable version of ViperSoftX has instead been spotted among pirated eBooks being distributed over torrents.

While this might not seem like a huge risk to enterprises that block known pirating sites, the sample Trellix included in its report is from a bootleg copy of an Excel formula cookbook, suggesting professionals working in enterprise environments are being considered as targets.

Regardless of who its makers intend to infect, ViperSoftX has been developed to avoid notice while making off with system information, cryptocurrency wallet details (and the coins they contain), clipboard contents and other such data.

According to Trellix's examination of the malware's code, ViperSoftX buries command sequences in a series of fake JPG files that install AutoIt scripts, the AutoIt executable and PowerShell scripts. Those, in turn, set up a series of scheduled Windows tasks, some of which act to disable Windows security features like the Antimalware Scan Interface (AMSI), which checks all scripts before execution.
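Two of the staging details above are cheap to check for on an endpoint or in a file share: a file that carries an image extension but does not start with image bytes, and a scheduled task whose action is a scripting interpreter or whose arguments point at such a file. The following is an added example, not code from Trellix or The Register, that implements both checks; the file contents, task names and paths are constructed, and the AutoIt interpreter names it looks for are the stock ones shipped with AutoIt.

```python
import os
import string
from typing import NamedTuple

JPEG_MAGIC = b"\xff\xd8\xff"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
PE_MAGIC = b"MZ"
PRINTABLE = set(string.printable.encode())

# What the extension claims the content should be.
EXPECTED_KIND = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png"}
IMAGE_EXTENSIONS = set(EXPECTED_KIND)
# Interpreters that should rarely be the action of a scheduled task.
SCRIPT_HOSTS = {"autoit3.exe", "autoit3_x64.exe"}
# Path fragments (lower-case) for directories a normal user can write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")


def classify_content(data: bytes) -> str:
    """Rough content type from the leading bytes, ignoring the file name."""
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(PE_MAGIC):
        return "pe"
    head = data[:512]
    if head and all(b in PRINTABLE for b in head):
        return "text"
    return "unknown"


def masquerading_files(files: dict) -> list:
    """(name, real_kind) for files whose image extension does not match the bytes."""
    hits = []
    for name, data in files.items():
        expected = EXPECTED_KIND.get(os.path.splitext(name)[1].lower())
        if expected is None:
            continue
        kind = classify_content(data)
        if kind != expected:
            hits.append((name, kind))
    return hits


class Task(NamedTuple):
    name: str
    command: str    # Exec action: program to run
    arguments: str  # Exec action: its arguments


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def suspicious_tasks(tasks: list) -> list:
    """(task name, reasons) for tasks that fit the interpreter-plus-image pattern."""
    findings = []
    for t in tasks:
        reasons = []
        cmd, args = t.command.lower(), t.arguments.lower()
        if _basename(cmd) in SCRIPT_HOSTS:
            reasons.append("action runs the AutoIt interpreter")
        if any(ext in args for ext in IMAGE_EXTENSIONS):
            reasons.append("argument references an image file")
        if any(seg in cmd for seg in USER_WRITABLE):
            reasons.append("action binary sits in a user-writable directory")
        if reasons:
            findings.append((t.name, reasons))
    return findings


# Constructed sample data: a genuine JPEG and PNG header, a PE stub and a
# text blob parked under .jpg, plus three made-up scheduled tasks.
SAMPLE_FILES = {
    "cover.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "chapter1.jpg": b"MZ\x90\x00\x03\x00\x00\x00",
    "notes.jpg": b"; constructed script placeholder\r\n",
    "diagram.png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
}
SAMPLE_TASKS = [
    Task("VendorUpdater", r"C:\Program Files\ExampleVendor\updater.exe", "/check"),
    Task("NightlyCopy", r"C:\Windows\System32\robocopy.exe", r"D:\data E:\backup /MIR"),
    Task("SystemHealthCheck", r"C:\Users\alice\AppData\Local\Temp\AutoIt3.exe",
         r"C:\Users\alice\AppData\Local\Temp\cover.jpg"),
]

if __name__ == "__main__":
    for name, kind in masquerading_files(SAMPLE_FILES):
        print(f"{name}: extension says image, content looks like {kind}")
    for name, reasons in suspicious_tasks(SAMPLE_TASKS):
        print(f"task {name}: " + "; ".join(reasons))
```

On a real host the task records would come from the Task Scheduler XML under %SystemRoot%\System32\Tasks or from `schtasks /query /xml`, and the file check from whatever download or share directories are in scope. Each reason on its own is weak (some vendors do stage AutoIt-compiled helpers under AppData), so score on the combination rather than alerting on any single match.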

Other scripts used in the attack chain are further obfuscated, "making it challenging for security solutions" to identify what's actually going on, Trellix’s analysis states.

"In examining ViperSoftX, a clear pattern emerges: attackers use AutoIt scripts to hide their malicious actions," in an operation through which "AutoIt transcends its benign origins and becomes a potent weapon for secretly executing PowerShell commands."

AutoIt is a freeware scripting language for automating Windows GUI actions and other scripting commands, and it isn't malicious in and of itself. AutoIt isn't the only legitimate tool that's been repurposed by ViperSoftX developers, either.

"ViperSoftX also employs a strategy where attackers selectively adapt components from offensive security scripts, modifying only the necessary elements," the duo noted.

"By leveraging these existing scripts, malware developers not only accelerate development but also focus on improving their evasion tactics, making ViperSoftX a formidable threat in the cybersecurity landscape."

It's not immediately clear if AutoIt's developers are aware of the misuse of their software or will be able to mitigate it with a patch; we asked but haven't heard back.

Thangaraju and Jacob argued that ViperSoftX's capabilities signal a new wave of sophisticated and agile malware threats. The pair contend that defending against this sort of weapon requires understanding the objective of malware like ViperSoftX.

Trellix, however, didn’t attribute the malware to any particular source, or respond to questions from The Register.

Previous reports on ViperSoftX have focused on its cryptocurrency-stealing features to suggest its objective was purely to do with monetary gain. Its latest obfuscation features, and at least partial targeting of professionals with bootleg eBook downloads, suggest ViperSoftX's goals could be evolving, just like its code.

Detection details are included in Trellix's report on this latest ViperSoftX variant, so be sure to review them accordingly. ®
