AhnLab Security Intelligence Center identified that attackers, believed to be Arabic speakers, have been deploying ViperSoftX malware against Korean victims since April 1, 2025. ViperSoftX is primarily spread through cracked software or torrents and functions as a PowerShell script. The malware’s communication with its command and control (C&C) server includes specific parameters, and it downloads additional malicious payloads like PureCrypter and Quasar RAT. Affected: Korean victims, software distribution platforms, computer security.
Key points:
- Attackers suspected to be Arabic speakers distributing ViperSoftX malware.
- Initial attacks started on April 1, 2025, targeting Korean victims.
- ViperSoftX is spread via cracked software and torrents, disguised as legitimate applications.
- Malware operates primarily as a PowerShell script for C&C communication.
- Arabic comments found in the code suggest the attackers’ language background.
- ViperSoftX downloads additional malware like PureCrypter and Quasar RAT.
- Notable features of the VBS and PowerShell downloaders include creating directories, checking for admin privileges, and bypassing Windows Defender.
- ASEC urges users to avoid cracked software and use legitimate programs to prevent infections.
MITRE Techniques:
- Command and Control (T1071): ViperSoftX uses C&C communication with specific URI paths for data exchange.
- PowerShell (T1086): Utilizes PowerShell scripts for executing various malicious tasks including launching additional malware.
- Remote File Copy (T1105): Downloads files such as VBS and PowerShell scripts from a remote server.
- Process Injection (T1055): The scripts are designed to execute additional payloads like PureCrypter and Quasar RAT.
- Privilege Escalation (T1068): Ensures the malware operates with administrator privileges to avoid detection.
Indicators of Compromise:
- [IP] 136.243.132.112
- [IP] 65.109.29.234
- [IP] 89.117.79.31
- [MD5] 05cbfc994e6f084f536cdcf3f93e476f
- [MD5] 4c6daef71ae1db6c6e790fca5974f1ca
Full Story: https://asec.ahnlab.com/en/87398/