Malicious Chrome extension VenomSoftX steals passwords and cryptocurrency

Father
Experts warn about a malicious extension for Google Chrome called "VenomSoftX". By installing this add-on, users run the risk that the contents of their Windows clipboard will fall into the hands of intruders.

In fact, VenomSoftX is one of the components of a malicious program for Windows, ViperSoftX. This malware is based on JavaScript and is a Trojan designed for remote access and theft of cryptocurrencies.

ViperSoftX has been known since 2020, and was previously described by a number of researchers, including Fortinet specialists. In a new report by the Czech antivirus company Avast, experts reveal more information about the malware's functionality and the role of the VenomSoftX extension.

Since the beginning of 2022, Avast has recorded and stopped 93,000 attempts to infect users with ViperSoftX. Most of the affected users were located in the United States, Italy, Brazil, and India. The geography of the cyber campaign looks like this:

The main distribution channel for ViperSoftX is torrent files with "cracks" for games and paid software activators. The attackers' cryptocurrency wallet addresses are hard-coded in the ViperSoftX and VenomSoftX samples. In total there were two such wallets; as of November 8, 2022, 130 thousand dollars were stored in them.

A key feature of ViperSoftX is the installation of the VenomSoftX add-on for the Chrome, Brave, Edge, and Opera browsers. The extension is disguised as the supposedly useful "Google Sheets 2.1" app.

"VenomSoftX's mission is to steal the victim's digital currency. It does this by intercepting API requests," Avast experts write.

Moreover, the malicious extension can also modify the HTML code on websites and redirect cryptocurrency payments to the operators' wallets. In addition to the currency itself, the malware can easily pull out user passwords.

-----------

The previously popular cryptocurrency thief has become even more dangerous, significantly expanding its activity profile.

A few days ago, Trend Micro researchers published a fairly detailed report on a new version of the ViperSoftX malware, which now targets even more cryptocurrency wallets than before. In addition, the malware now targets popular password managers as well. The latest version of the infostealer also features stronger code encryption and features that avoid detection by security software.

ViperSoftX is an information theft malware that steals various data from infected computers. The malware was first documented in 2020 as a JavaScript-based remote access Trojan (RAT) capable of stealing the cryptocurrency of its victims.

From earlier research by cybersecurity experts, it is known that the malware is capable of installing a malicious extension called VenomSoftX in Chromium-based browsers. However, in the latest version of the infostealer analyzed by Trend Micro, the target browsers now also include Brave, Edge, Opera, and Firefox.

Previously, Avast researchers stated that in the period from January to November 2022, they detected and stopped about 90 thousand attacks on their customers living mainly in the United States, Italy, Brazil and India. But this week, Trend Micro specialists reported that ViperSoftX is aimed at both the consumer and corporate sectors. Moreover, Australia, Japan, the United States, India, Taiwan, Malaysia, France and Italy account for more than 50% of the detected malicious activity.

According to analysts, malware is usually distributed in the form of software "cracks", activators or key generators hidden in software that usually looks harmless.

In a version documented by Avast in November, VenomSoftX targeted Blockchain, Binance, Kraken, eToro, Coinbase, Gate.io and Kucoin. However, in the latest version, Trend Micro noticed an extended functionality that can also steal cryptocurrency from the following wallets: Armory, Atomic Wallet, Binance, Bitcoin, Blockstream Green, Coinomi, Delta, Electrum, Exodus, Guarda, Jaxx Liberty, Ledger Live, Trezor Bridge, Coin98, Coinbase, MetaMask, Enkrypt.

What's particularly interesting is that ViperSoftX now checks files associated with two popular password managers, namely 1Password and KeePass, in an attempt to steal data stored in the browser extensions of these services.

The new version of ViperSoftX also includes several anti-detection and stealth features. For example, it uses the currently popular DLL sideloading method to perform malicious activity in the context of a trusted process.

Another recent version of the malware uses "byte mapping" to encrypt its code and redistributes the location of shellcode bytes to make decryption and analysis without a proper byte map (Bytemap) much more difficult and time-consuming.

Finally, ViperSoftX now offers a new communication blocker in web browsers, which makes it more difficult to analyze the C2 infrastructure and detect malicious traffic.

As you can see, the software is actively developing, significantly expanding its functionality and scope with each new update. Although Russia is not listed among the victims of the malware, you should still play it safe and at least not download suspicious files from little-known sites, in order to avoid possible infection with this or other malicious software.

-------

In its report, South Korea's AhnLab uncovered new versions of the ViperSoftX RAT with the open-source OCR engine Tesseract for extracting text from images on an infected host using deep learning methods.

Attackers traditionally use ViperSoftX, which was first discovered by Fortinet in 2020 and has been circulating for several years, to introduce various strains of malware, prime examples of which are Quasar RAT and TesseractStealer.

In 2022, Avast reported on ViperSoftX activity when PowerShell scripts were used instead of JavaScript, expanding the capabilities with the addition of features such as changing the clipboard, installing additional payloads, and stealing crypto wallet addresses.

In addition, the malware used VenomSoftX to install malicious extensions in Chrome-based web browsers in order to steal information.

The Trend Micro report for 2023 reviewed new methods for distributing ViperSoftX and focused on the implementation of checks for the presence of installed password managers compared to previous versions.

The recently spotted ViperSoftX is similar to the one disclosed by Fortinet, but has differences: User-Agent encryption using the Base64 algorithm and using the Welcome_2025 keyword instead of viperSoftx.

As for additional malware, the researchers note that since March 2024, numerous cases of installing Quasar RAT targeting a wide range of victims at the same time have been consistently observed on a large number of systems.

Moreover, most of the Quasar RATs seen in attacks do not have significant distinguishing features, but recently cases of using Tor to interact with the Onion C2 domain have been identified.

In addition to Quasar RAT, the observed attack included the TesseractStealer malware, which reads images on infected systems and uses Tesseract to extract text that looks like cryptocurrency addresses, seed phrases or passwords, sending them to the C2.

TesseractStealer first creates the Tesseract library file (tesseract50.dll) and the Leptonica library file (leptonica-1.82.0.dll), as well as a training data file (eng.traineddata) along with a font file (pdf.ttf).

Then it finds files with the extensions ".png", ".jpg" and ".jpeg" in the system, except for those located in the editor directory. Then, using the installed library, Tesseract extracts strings from each image.

Verification reveals links to OTPs, passwords required for recovery, crypto wallet addresses, and other similar data, clearly targeting victims' digital assets. After that, the desired images are sent to the C2.

The full set of IOCs, including a list of search phrases, can be found in the AhnLab report.
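A defender-side check for the User-Agent marker described in the post above, written here as an added example (it is not code from AhnLab, Fortinet or the original poster). It assumes a hypothetical, constructed proxy log format of `ip method url "user-agent"` and uses constructed sample lines, flagging entries whose User-Agent carries the `viperSoftx` keyword in the clear or `Welcome_2025` inside a base64-encoded value.

```python
import base64
import binascii
import re
from typing import Optional

# Keywords the post says ViperSoftX places in its User-Agent: the
# original "viperSoftx" and "Welcome_2025" in the newer samples.
KEYWORDS = ("viperSoftx", "Welcome_2025")

# Assumed (hypothetical) proxy log format: ip method url "user-agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>.*)"$')

# Constructed sample log (not real traffic). The third entry carries a
# base64-encoded User-Agent, as the newer samples described in the post do.
_ENCODED_UA = base64.b64encode(b"Welcome_2025 Windows NT 10.0").decode("ascii")
SAMPLE_LOG = [
    '10.0.0.5 GET http://example.invalid/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '10.0.0.7 POST http://example.invalid/api "viperSoftx Windows NT 10.0"',
    f'10.0.0.9 POST http://example.invalid/api "{_ENCODED_UA}"',
    '10.0.0.5 GET http://example.invalid/img.png "curl/8.0"',
]


def decode_candidates(ua: str) -> list:
    """Return (text, was_base64) pairs: the raw UA and, when it is strict
    base64 that decodes to printable ASCII, the decoded form as well."""
    candidates = [(ua, False)]
    try:
        text = base64.b64decode(ua, validate=True).decode("ascii")
        if text.isprintable():
            candidates.append((text, True))
    except (binascii.Error, UnicodeDecodeError):
        pass  # ordinary browser UAs contain spaces/parentheses and fail here
    return candidates


def find_keyword(ua: str) -> Optional[tuple]:
    """Return (keyword, was_base64) for the first keyword found, else None."""
    for text, encoded in decode_candidates(ua):
        for kw in KEYWORDS:
            if kw.lower() in text.lower():
                return kw, encoded
    return None


def scan_log(lines: list) -> list:
    """Flag log entries whose User-Agent carries a ViperSoftX keyword."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore lines in another format
        found = find_keyword(m["ua"])
        if found:
            hits.append({"ip": m["ip"], "url": m["url"],
                         "keyword": found[0], "encoded": found[1]})
    return hits
```

Run `scan_log(SAMPLE_LOG)` to see the two flagged entries; on real proxy exports, adapt `LOG_RE` to the export's field layout.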