# Full Report
AhnLab SEcurity intelligence Center (ASEC) has confirmed that the ViperSoftX attacker is continuously distributing malware to users in Korea. ViperSoftX is a type of malware that resides in infected systems and is responsible for executing threat actors’ commands and stealing cryptocurrencies. ASEC previously published an analysis of a ViperSoftX attack case in May 2024, which […]
# Analysis Summary
# Tool/Technique: ViperSoftX
## Overview
ViperSoftX is a persistent malware family initially observed in 2020, primarily distributed by disguising itself as cracked software, key generators, or, more recently, as eBooks via torrent sites. Its primary goal is to establish remote access, execute attacker commands, and steal cryptocurrencies from infected systems, particularly targeting users in Korea, though its distribution method affects victims globally.
## Technical Details
- Type: Malware family
- Platform: Windows (implied by use of PowerShell, VBS, and Windows Registry/Task Scheduler)
- Capabilities: Persistent execution via Task Scheduler, downloading secondary payloads via obfuscated PowerShell scripts, C2 communication, clipboard monitoring (ClipBanker), and deployment of RATs and other remote-access tools.
- First Seen: 2020
## MITRE ATT&CK Mapping
Since ViperSoftX is a comprehensive framework involving multiple stages, the mappings cover key observed behaviors:
- **TA0002 - Execution**
  - T1059.001 - Command and Scripting Interpreter: PowerShell
- **TA0003 - Persistence**
  - T1053.005 - Scheduled Task/Job: Scheduled Task
- **TA0011 - Command and Control**
  - T1071.001 - Application Layer Protocol: Web Protocols (HTTP)
- **TA0010 - Exfiltration**
  - T1041 - Exfiltration Over C2 Channel
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information
## Functionality
### Core Capabilities
- **Initial Infection:** Disguised as pirated software/keygens or eBooks distributed via suspicious websites or torrents.
- **Persistence:** Establishes persistence primarily through the Windows Task Scheduler, often utilizing VBS commands or obfuscated PowerShell scripts to maintain access across reboots.
- **Payload Delivery:** Uses PowerShell scripts as downloaders (sometimes using DNS TXT records for C2 communication) to fetch and execute subsequent malware stages, including PureCrypter and Quasar RAT.
- **C2 Communication:** Sends system information (version, GUID, computer name, user name, OS version, architecture, AV info) to the C2 server in custom HTTP headers (`X-User-Agent`, `X-get`, `X-notify`).
### Advanced Features
- **ClipBanker Functionality:** Monitors the clipboard for cryptocurrency wallet addresses. If detected, it replaces the legitimate address with the threat actor's wallet address.
- **Clipboard Protection:** Implements a mechanism (`ClipboardProtect.ps1` in %TEMP%) to inspect running processes for legitimacy (signed certificates, specific paths) to guard against other ClipBanker malware.
- **Modular Deployment:** Installs various remote access and information-stealing modules over time, including Quasar RAT, TesseractStealer, PureCrypter (loader), and PureHVNC (remote control malware).
- **Decryption:** Uses Base64 decoding and a custom `DFC()` function to decrypt payloads received from C2 servers.
## Indicators of Compromise
- File Hashes:
  - MD5: `064b1e45016e8a49eba01878e41ecc37`, `0ed2d0579b60d9e923b439d8e74b53e1`, `0efe1a5d5f4066b7e9755ad89ee9470c`, `197ff9252dd5273e3e77ee07b37fd4dd`, `1ec4b69f3194bd647639e6b0fa5c7bb5`
- File Names: `ut.exe`, `3.exe`, `APPDATA.exe`, `a.ps1`, `firefoxtemp.exe` (secondary-payload file names referenced in the report)
- Registry Keys: `HKLM\SOFTWARE\HPgs6ZtP670 / xr417LXh` (used by one persistence mechanism to store and execute a PowerShell command)
- Network Indicators:
  - http://136[.]243[.]132[.]112/ut[.]exe
  - http://136[.]243[.]132[.]112:881/3[.]exe
  - http://136[.]243[.]132[.]112:881/APPDATA[.]exe
  - http://136[.]243[.]132[.]112:881/a[.]ps1
  - http://136[.]243[.]132[.]112:881/firefoxtemp[.]exe
- IP Addresses: `136[.]243[.]132[.]112`, `160[.]191[.]77[.]89`, `185[.]245[.]183[.]74`, `212[.]56[.]35[.]232`, `89[.]117[.]79[.]31`
- DNS Query Example: `wmail-blog[.]com`
- Behavioral Indicators: Use of C2 communication via HTTP headers (specifically `X-User-Agent` containing system details and version "O_143"), decryption of embedded Base64 scripts within specific file offsets, creation of PowerShell scripts in `%TEMP%` for clipboard monitoring.
## Associated Threat Actors
- ViperSoftX attacker (Specific group name not provided in the context, but actively pursuing cryptocurrency users).
## Detection Methods
- Signature-based detection: Matching the file hashes listed above.
- Behavioral detection: Monitoring for the creation of scheduled tasks containing VBS or obfuscated PowerShell commands, processes reading specific offsets in executables, or suspicious network communication using custom HTTP header fields for data exfiltration.
- YARA rules: Not explicitly provided, but signature creation should target the PowerShell obfuscation patterns and the known file hashes.
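As an added example (not code from ASEC or the report it summarises), the following Python turns the behavioural indicators and detection ideas above into a check that runs over constructed log records: it refangs the published indicators, flags proxied requests that either reach a listed C2 host or carry the custom `X-User-Agent`/`X-get`/`X-notify` headers (the `O_143` version tag being the high-confidence signal), and flags scheduled-task actions that launch VBS or PowerShell with hidden/encoded/no-profile switches. The record layouts (a destination plus a header dict per request, a command line per task-creation event), the regular expressions, the `hxxp` handling and all sample data are assumptions made for the example.

```python
"""Detection helpers for the ViperSoftX behaviours summarised on this page.

Added example, not code from ASEC or the report. It assumes proxy logs that
expose request headers as a dict and Windows task-creation events (4698) that
expose the task's command line. Every sample record below is constructed.
"""
import re
from typing import Optional

# Indicators quoted in the summary, kept defanged as published.
DEFANGED_IPS = [
    "136[.]243[.]132[.]112", "160[.]191[.]77[.]89", "185[.]245[.]183[.]74",
    "212[.]56[.]35[.]232", "89[.]117[.]79[.]31",
]
DEFANGED_DOMAINS = ["wmail-blog[.]com"]
CUSTOM_HEADERS = ("x-user-agent", "x-get", "x-notify")
VERSION_TAG = "O_143"


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('1[.]2[.]3[.]4', 'hxxp://') back into a usable string."""
    out = ioc.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp", "http", out, flags=re.I)


C2_IPS = {refang(i) for i in DEFANGED_IPS}
C2_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}


def classify_http(dest: str, headers: dict) -> Optional[str]:
    """Verdict for one proxied request, or None when nothing matched.

    'ioc'    : destination is a listed C2 host
    'c2'     : custom X-* headers carrying the O_143 version tag
    'custom' : custom X-* headers without the tag (lower confidence, worth a look)
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    if dest in C2_IPS or dest in C2_DOMAINS:
        return "ioc"
    if not any(h in lowered for h in CUSTOM_HEADERS):
        return None
    if VERSION_TAG in lowered.get("x-user-agent", ""):
        return "c2"
    return "custom"


# Task action launching a .vbs through the Windows Script Host.
VBS_RE = re.compile(r"\b(wscript|cscript)(\.exe)?\b.*\.vbs\b", re.I)
# PowerShell with the switches/idioms typical of obfuscated launchers
# (assumed patterns: hidden window, encoded command, no profile, inline decode).
PS_OBF_RE = re.compile(
    r"\bpowershell(\.exe)?\b.*?"
    r"(-e(c|nc|ncodedcommand)?\b|-w(indowstyle)?\s+hidden|-nop\b|-noprofile\b"
    r"|frombase64string|\biex\b|invoke-expression)",
    re.I,
)


def task_verdict(command: str) -> Optional[str]:
    """Flag a scheduled-task action that launches VBS or obfuscated PowerShell."""
    if VBS_RE.search(command):
        return "vbs-launcher"
    if PS_OBF_RE.search(command):
        return "obfuscated-powershell"
    return None


SAMPLE_REQUESTS = [  # constructed proxy records
    {"dest": "136.243.132.112", "headers": {"User-Agent": "Mozilla/5.0"}},
    {"dest": "203.0.113.10", "headers": {"X-User-Agent": "O_143 <system info>", "X-get": "1"}},
    {"dest": "203.0.113.11", "headers": {"X-notify": "1"}},
    {"dest": "example.com", "headers": {"User-Agent": "curl/8.0"}},
]
SAMPLE_TASKS = [  # constructed 4698 task actions
    r'wscript.exe "C:\Users\u\AppData\Local\Temp\update.vbs"',
    r"powershell.exe -w hidden -nop -enc SQBFAFgA...",
    r'"C:\Program Files\Vendor\Updater.exe" /silent',
]


def scan(requests=SAMPLE_REQUESTS, tasks=SAMPLE_TASKS) -> dict:
    """Run both checks and return {'http': [(dest, verdict)], 'tasks': [(cmd, verdict)]}."""
    findings = {"http": [], "tasks": []}
    for r in requests:
        verdict = classify_http(r["dest"], r["headers"])
        if verdict:
            findings["http"].append((r["dest"], verdict))
    for t in tasks:
        verdict = task_verdict(t)
        if verdict:
            findings["tasks"].append((t, verdict))
    return findings


if __name__ == "__main__":
    for kind, hits in scan().items():
        for item, verdict in hits:
            print(f"[{kind}] {verdict}: {item}")
```

The header check is deliberately split into three confidence levels: a hit on a published C2 address or the `O_143` tag is actionable on its own, whereas a bare `X-get` or `X-notify` header is only a lead, because a legitimate application may use similarly named custom headers. The task regex is tuned to miss an unobfuscated `powershell.exe -ExecutionPolicy Bypass -File script.ps1`, which is common in administrative tooling; tighten it to your environment rather than alerting on every PowerShell task.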
## Mitigation Strategies
- Avoid installing software from suspicious websites, file-sharing sites, or torrents, especially cracked software or key generators.
- Ensure the operating system and all installed software receive the latest security patches.
- Keep endpoint security products (like AhnLab V3) up to date to block known malware signatures and behaviors.
- Monitor Task Scheduler for newly created anomalous or hidden tasks.
- Implement policies to restrict or monitor PowerShell script execution, particularly unsigned scripts.
## Related Tools/Techniques
- Quasar RAT (Remote Access Trojan)
- TesseractStealer (Uses Tesseract OCR engine)
- PureCrypter (Executable loader)
- PureHVNC (Remote control malware)
- ClipBanker-type malware (Sharing the functionality of wallet address replacement)