ViperSoftX Updates Encryption, Steals Data

Trend Micro details a new ViperSoftX campaign that hides its loader in illicit software packages and uses DLL sideloading, advanced encryption, and anti-analysis techniques to steal cryptocurrency wallets and passwords. The operation targets both consumers and enterprises, with monthly changing C2 domains and checks to evade virtualization, monitoring tools, and antivirus. #ViperSoftX #KeePass

Key points

  • ViperSoftX arrives via cracked software, activators, patches, or keygens, using these as carriers for the malicious payload.
  • DLL sideloading is used for arrival and execution, incorporating a loader/DLL strategy rather than a single binary.
  • The malware employs a sophisticated byte remapping encryption method to hinder decryption without the correct byte map.
  • It performs virtualization/sandbox checks and anti-analysis steps (e.g., probing for VM strings, procmon, and antivirus products) before proceeding.
  • PowerShell is used as a downloader to fetch and execute the main ViperSoftX routine after initial checks.
  • Wallet discovery is performed by scanning local directories and browser extensions for cryptocurrency wallets and password managers (KeePass, 1Password).
  • C2 infrastructure changes monthly, including domain-based controls and a domain-generation approach to hide traffic.
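The byte-remapping scheme described above, in miniature: each plaintext byte is replaced through a 256-entry substitution table, so the payload cannot be recovered without that table (or its inverse). This is an added illustration for analysts, not code or data from the Trend Micro report; the table, seed and sample payload are constructed here and are not ViperSoftX's real byte map or shellcode.

```python
"""Byte-remapping obfuscation and how an analyst inverts it.

The table and payload below are constructed for this example; they are not
ViperSoftX's actual byte map or shellcode.
"""
import random


def build_byte_map(seed: int) -> bytes:
    """Construct a 256-entry permutation: plaintext byte -> remapped byte."""
    table = list(range(256))
    random.Random(seed).shuffle(table)
    return bytes(table)


def invert_byte_map(byte_map: bytes) -> bytes:
    """Derive the decryption table. Refuses a non-bijective table, since
    two plaintext bytes mapping to one value cannot be reversed."""
    if len(byte_map) != 256 or len(set(byte_map)) != 256:
        raise ValueError("byte map must be a permutation of 0..255")
    inverse = bytearray(256)
    for plain, mapped in enumerate(byte_map):
        inverse[mapped] = plain
    return bytes(inverse)


def remap(data: bytes, table: bytes) -> bytes:
    """Apply a 256-entry table to every byte (bytes.translate does exactly this)."""
    return data.translate(table)


def decrypt_with_map(encrypted: bytes, byte_map: bytes) -> bytes:
    """Recover the plaintext given the forward byte map used to encrypt it."""
    return remap(encrypted, invert_byte_map(byte_map))


def recover_map_entries(cipher: bytes, known_plain: bytes) -> dict[int, int]:
    """Known-plaintext recovery: where the analyst knows what decrypted bytes
    must be (e.g., a recognisable header), each position yields one inverse
    table entry. A conflict means the sample is not a plain byte map."""
    entries: dict[int, int] = {}
    for c, p in zip(cipher, known_plain):
        if entries.setdefault(c, p) != p:
            raise ValueError("inconsistent known plaintext; not a simple byte map")
    return entries


# Constructed sample: a fake payload with a recognisable 'MZ' header.
SAMPLE_PAYLOAD = b"MZ" + bytes(range(0x90, 0xA0)) + b"constructed shellcode stub"
BYTE_MAP = build_byte_map(seed=1337)
ENCRYPTED = remap(SAMPLE_PAYLOAD, BYTE_MAP)
```

Running `decrypt_with_map(ENCRYPTED, BYTE_MAP)` returns `SAMPLE_PAYLOAD`, and `recover_map_entries(ENCRYPTED[:2], b"MZ")` shows how a known header alone pins down two inverse-table entries.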

MITRE Techniques

  • [T1574.001] DLL search order hijacking – DLL sideloading used for arrival and execution. ‘the use of DLL sideloading for its arrival and execution technique.’
  • [T1059.001] PowerShell – PowerShell-based downloader used to retrieve and deploy the main payload. ‘decrypt the PowerShell code and starts downloading the main ViperSoftX routine.’
  • [T1027] Obfuscated/Compressed Files and Information – Byte remapping to hide shellcode; encrypted payload requires correct byte map. ‘Byte remapping to ensure that the shellcode cannot be easily decrypted without the correct byte map.’
  • [T1497] Virtualization/Sandbox Evasion – Checks for virtualization strings and monitoring tools before execution. ‘ViperSoftX first checks for a few virtualization strings and monitoring tools to check if the system is running a virtual machine (VM)…’
  • [T1047] Windows Management Instrumentation – Uses WQL to query system information as part of checks. ‘Using WQL command SELECT Manufacturer, Model FROM Win32_ComputerSystem to query ROOT\CIMV2.’
  • [T1083] File and Directory Discovery – Scans for cryptocurrency wallets in local directories. ‘scans for these cryptocurrency wallets in local directories:’
  • [T1555.003] Credentials in Password Stores – Checks for KeePass and 1Password password managers. ‘The updated version of ViperSoftX includes a check mechanism for two password managers, namely KeePass 2 and 1Password.’

Indicators of Compromise

  • [Domain] C2 domains – chatgigi2[.]com, arrowlchat[.]com, and static-cdn-349[.]net
  • [File] Carrier executables – gup.exe (Notepad++), firefox.exe (Tor), ErrorReportClient.exe (Magix), and 1 more

Read more: https://www.trendmicro.com/en_us/research/23/d/vipersoftx-updates-encryption-steals-data.html