Cybercriminals have adopted an unexpected malware delivery channel.
Security researchers at Trellix have discovered that the ViperSoftX malware is now being distributed through e-books downloaded from pirated torrent sites. This sophisticated malware uses the .NET Common Language Runtime (CLR) to dynamically load and execute commands, effectively hosting a PowerShell environment inside an AutoIt process.
Trellix experts note that using the CLR lets ViperSoftX embed PowerShell functionality, so it can run its malicious functions while evading security mechanisms that would notice PowerShell running on its own.
ViperSoftX was first identified by Fortinet in 2020 and has been continuously improved since then, staying under the radar and bypassing security measures. In April 2023, Trend Micro experts documented the sophisticated anti-analysis techniques used by this malware, such as byte remapping and blocking web browser communication.
In May 2024, hackers actively used ViperSoftX to distribute other malicious programs, such as Quasar RAT and TesseractStealer. Cracked software and torrent sites were used for this, but the new approach with e-book lures came as a surprise to researchers.
Inside the RAR archive with the supposed e-book are a hidden folder and a malicious Windows shortcut disguised as a harmless document (the e-book itself). Running the shortcut initiates a multi-step infection sequence, starting with extracting PowerShell code that reveals the hidden folder and sets up persistence on the system. Then an AutoIt script is run that interacts with the .NET CLR to decrypt and run the secondary PowerShell script, which is the ViperSoftX program itself.
ViperSoftX collects information about the system, scans for cryptocurrency wallets in browser extensions, captures clipboard contents, and downloads additional payloads and commands based on responses from the remote server. It also has self-deletion mechanisms to make it harder to detect.
One of the key features of ViperSoftX is its ability to use the CLR to manage PowerShell operations from within the AutoIt environment, which allows the program to execute malicious functions while avoiding standard detection mechanisms. In addition, ViperSoftX can bypass traditional security measures by modifying the Antimalware Scan Interface (AMSI) before executing PowerShell scripts.
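As an added illustration (not code from Trellix or the original post), the following Python sketch shows how a defender might turn the chain described above, a shortcut posing as a document, PowerShell that unhides the dropped folder and sets up persistence, and the AutoIt interpreter hosting the PowerShell engine through the CLR, into detection logic over Sysmon-style events. The event records, process paths, marker strings and the list of "expected" PowerShell hosts are assumptions constructed for the example, not indicators published for ViperSoftX.

```python
"""Detection sketch for the ViperSoftX-style chain described above.

Added example, not code from Trellix or the original post. The event
records, process paths and marker strings are constructed assumptions
loosely modelled on Sysmon events (ID 1 = process create, ID 7 = image load).
"""
import ntpath
from typing import Iterable, Optional

# Processes that legitimately host the PowerShell engine (assumption: tune per environment).
EXPECTED_POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

# Loading one of these assemblies means the process is running PowerShell
# in-process, which is how the AutoIt stage executes the ViperSoftX script
# without a visible powershell.exe. clr.dll alone is deliberately not used:
# plenty of benign non-.NET applications load the runtime.
POWERSHELL_ENGINE_DLLS = {"system.management.automation.dll",
                          "system.management.automation.ni.dll"}

# Generic command-line markers for "unhide a folder" and "set up persistence"
# (assumptions for the example, not ViperSoftX IoCs).
UNHIDE_MARKERS = ("attrib -h", "attrib -s -h")
PERSISTENCE_MARKERS = ("schtasks", "register-scheduledtask", "currentversion\\run")

# File types an e-book lure is likely to imitate.
DOCUMENT_EXTENSIONS = {".pdf", ".epub", ".mobi", ".doc", ".docx", ".txt"}


def base(path: str) -> str:
    """Lower-cased file name of a Windows path, portable across host OSes."""
    return ntpath.basename(path).lower()


def is_lure_shortcut_name(filename: str) -> bool:
    """True for names such as 'Book.pdf.lnk': a shortcut posing as a document."""
    stem, ext = ntpath.splitext(filename.lower())
    return ext == ".lnk" and ntpath.splitext(stem)[1] in DOCUMENT_EXTENSIONS


def check_shortcut_spawned_powershell(ev: dict) -> Optional[dict]:
    """Explorer (i.e. a double-clicked shortcut) starting PowerShell whose
    command line both unhides a folder and establishes persistence."""
    if ev.get("EventID") != 1 or base(ev.get("Image", "")) not in EXPECTED_POWERSHELL_HOSTS:
        return None
    if base(ev.get("ParentImage", "")) != "explorer.exe":
        return None
    cmd = ev.get("CommandLine", "").lower()
    unhide = [m for m in UNHIDE_MARKERS if m in cmd]
    persist = [m for m in PERSISTENCE_MARKERS if m in cmd]
    if not (unhide and persist):
        return None
    return {"rule": "shortcut_spawned_powershell", "process": base(ev["Image"]),
            "markers": unhide + persist}


def check_unexpected_powershell_host(ev: dict) -> Optional[dict]:
    """Any process other than the known hosts loading the PowerShell engine."""
    if ev.get("EventID") != 7 or base(ev.get("ImageLoaded", "")) not in POWERSHELL_ENGINE_DLLS:
        return None
    host = base(ev.get("Image", ""))
    if host in EXPECTED_POWERSHELL_HOSTS:
        return None
    return {"rule": "powershell_engine_in_unexpected_host", "process": host,
            "loaded": base(ev["ImageLoaded"])}


CHECKS = (check_shortcut_spawned_powershell, check_unexpected_powershell_host)


def detect(events: Iterable[dict]) -> list:
    """Run every check over every event; return the alerts in event order."""
    alerts = []
    for ev in events:
        for check in CHECKS:
            hit = check(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample telemetry (not real logs) following the article's chain.
SAMPLE_EVENTS = [
    # The shortcut in the extracted archive launches PowerShell, which unhides
    # the dropped folder and registers a scheduled task for persistence.
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -w hidden -c 'attrib -h C:\Users\u\Downloads\Book\.data; "
                    r"Register-ScheduledTask -TaskName Updater -Action $act'"},
    # The AutoIt interpreter bootstrapping .NET, then the PowerShell engine.
    {"EventID": 7, "Image": r"C:\Users\u\AppData\Roaming\svc\AutoIt3.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"},
    {"EventID": 7, "Image": r"C:\Users\u\AppData\Roaming\svc\AutoIt3.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation"
                    r"\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll"},
    # Benign: the real PowerShell host loading its own engine.
    {"EventID": 7, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation"
                    r"\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll"},
    # Benign: a user opening a real document.
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Reader\reader.exe", "CommandLine": r"reader.exe Book.pdf"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The image-load rule is the one that matters for this family: because the AutoIt stage runs PowerShell in-process, a rule keyed on `powershell.exe` process creation never sees the second stage, whereas any non-standard host loading `System.Management.Automation.dll` is rare enough on most endpoints to be worth an alert on its own. The shortcut rule is noisier and is best used as supporting context for the same host.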
To sum up, it's worth remembering that free cheese only happens in a mousetrap, and the pursuit of pirated content can lead to disastrous consequences for the security of your device and personal data. It is important to maintain digital hygiene, use only verified sources, and regularly update security tools to avoid falling victim to increasingly sophisticated cybercriminal methods.