ViperSoftX Utilizes Deep Learning-Powered Tesseract for Information Exfiltration

ViperSoftX is now using the Tesseract OCR engine to read images on infected systems and exfiltrate those that contain sensitive data such as passwords or cryptocurrency wallet information. This deep-learning-based approach extends the malware’s data-stealing capabilities and is tied to the ongoing use of ViperSoftX to install additional payloads such as Quasar RAT and TesseractStealer. Hashtags: #ViperSoftX #TesseractStealer #QuasarRAT #VenomSoftX

Keypoints

  • ViperSoftX’s latest activity integrates Tesseract OCR to extract text from images and determine if they contain passwords or wallet data before exfiltration.
  • A dropper named “win32.exe” updates ViperSoftX by embedding additional payloads (Svchost.exe and System32.exe) and schedules a PowerShell script (update.ps1) via Task Scheduler.
  • update.ps1 generates the actual ViperSoftX PowerShell script and registers it in Task Scheduler, creating tasks like “Check system” and “Chromeniumscrypt” to run update.ps1.
  • PowerShell-based delivery and VenomSoftX scripts are used to download and install additional components, with persistence via Task Scheduler.
  • ViperSoftX is deployed to install Quasar RAT, which in some campaigns uses Tor as a proxy to reach C2 servers.
  • TesseractStealer uses Tesseract to locate image files (.png, .jpg, .jpeg), extract strings, and exfiltrate images when strings indicate sensitive data such as seed phrases or wallet passwords.
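A defender-side hunt for the Task Scheduler persistence described above, added here as an example and not taken from the report or from the malware: it enumerates scheduled tasks and reports any whose name matches the reported “Check system” / “Chromeniumscrypt” tasks or whose action runs update.ps1, and, going beyond the page, also flags tasks that launch PowerShell with a hidden window or a bypassed execution policy. The function name and the output fields are my own; the task names and script name come from the report.

```powershell
# Hunt for ViperSoftX-style persistence in Task Scheduler.
# Task names and the update.ps1 filename are taken from the report; the
# hidden-window / execution-policy heuristic is a generalization beyond it.
$SuspectNames  = @('Check system', 'Chromeniumscrypt')
$SuspectScript = 'update.ps1'

function Find-ViperSoftXTasks {
    [CmdletBinding()]
    param()

    foreach ($task in Get-ScheduledTask) {
        $reasons = @()

        if ($SuspectNames -contains $task.TaskName) {
            $reasons += "task name '$($task.TaskName)' matches report"
        }

        foreach ($action in $task.Actions) {
            # Only Exec actions carry a command line; COM-handler actions have no Execute.
            if (-not $action.Execute) { continue }
            $cmdline = "$($action.Execute) $($action.Arguments)"
            if ($cmdline -match [regex]::Escape($SuspectScript)) {
                $reasons += "action runs $SuspectScript"
            }
            # Generic signal: PowerShell started hidden or with ExecutionPolicy Bypass.
            if ($cmdline -match 'powershell' -and
                $cmdline -match '-(w|windowstyle)\s+hidden|-(ep|executionpolicy)\s+bypass') {
                $reasons += 'powershell launched hidden or with bypassed execution policy'
            }
        }

        if ($reasons.Count -gt 0) {
            $info = Get-ScheduledTaskInfo -TaskName $task.TaskName -TaskPath $task.TaskPath
            [PSCustomObject]@{
                TaskPath    = $task.TaskPath
                TaskName    = $task.TaskName
                Author      = $task.Author
                LastRunTime = $info.LastRunTime
                Command     = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' ; '
                Reasons     = $reasons -join '; '
            }
        }
    }
}

# Run from an elevated session so tasks registered by other accounts are visible.
Find-ViperSoftXTasks | Format-Table -AutoSize -Wrap
```

A hit on the task name or on update.ps1 is a strong indicator for this campaign; the hidden/bypass heuristic will also surface legitimate administrative tasks and should be reviewed rather than acted on automatically.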

MITRE Techniques

  • [T1105] Ingress Tool Transfer – PowerShell scripts that download and execute external commands. ‘There are PowerShell scripts that download and execute external commands and VenomSoftX PowerShell scripts responsible for installing browser extension malware strains.’
  • [T1059.001] PowerShell – PowerShell scripts responsible for installing browser extension malware strains. ‘There are PowerShell scripts that download and execute external commands and VenomSoftX PowerShell scripts responsible for installing browser extension malware strains.’
  • [T1090] Proxy – Quasar RAT uses Tor as a proxy to communicate with the C2 server. ‘The malware installs the Tor web browser and then uses it as a proxy server to communicate with the C&C server.’
  • [T1083] File and Directory Discovery – TesseractStealer finds image files (.png, .jpg, .jpeg) excluding ‘editor’ directories. ‘It finds the image files existing in the system, specifically “.png”, “.jpg”, and “.jpeg” files, excluding those located in the “editor” directory.’
  • [T1132.001] Data Encoding – The User-Agent string is encoded with Base64. ‘encrypting the User-Agent containing this information with the Base64 algorithm’
  • [T1041] Exfiltration Over C2 Channel – The malware transmits information about the infected system and cryptocurrency data. ‘transmits information about the infected system such as computer names, user names, installed security products, and cryptocurrency-related data.’
  • [T1053.005] Scheduled Task – The dropper registers update.ps1 in the Task Scheduler to persist. ‘registers a PowerShell script named “update.ps1” in the Task Scheduler.’

Indicators of Compromise

  • [MD5] context – f9bb6ef02f29f52ff126279ff7d044bb, bdd3d30ea4bc94d1240ea75f1aa212eb, and 2 more hashes
  • [URL] context – https://www.uplooder[.]net/f/tl/92/fd73d54c0013b987b9f3b66d839975d9/csrss.exe: Quasar RAT, and 3 more URLs
  • [Domain] context – mysystemes[.]com:80/connect, xboxwindows[.]com/api/v1/, and 3 more domains
  • [Domain] context – bideo.duckdns[.]org:15, mvps-remote.duckdns[.]org:103, youtubevideos.duckdns[.]org:5
  • [Onion] context – x75tjpwatl2uyunijiq6jwqhlar3j5fkpi5optv7tfreijbpylwnnbqd[.]onion
  • [URL] context – hxxps://22.rooz2024.workers[.]dev: Quasar RAT (July 2023), and 1 more onion-related URL
  • [Filename] context – microsoft.exe, csrss.exe, and 1 more

Read more: https://asec.ahnlab.com/en/65426/