Cyber Security News

ViperSoftX Malware Spreads Through Cracked Software, Targeting Unsuspecting Users

AhnLab Security Intelligence Center (ASEC) has unearthed a complex cyber campaign in which attackers, suspected to be Arabic speakers, have been distributing ViperSoftX malware to unsuspecting Korean users.

This operation has employed cracked software and torrents as vectors for spreading this dangerous malware, which often disguises itself as legitimate programs.

The exact method through which ViperSoftX is initially distributed has not been established.

However, Arabic comments found within the PowerShell and VBS scripts used for Command and Control (C&C) communication suggest that the attackers are fluent in Arabic.

[Figure: PowerShell script code]

ViperSoftX has been known to masquerade as legitimate software, tricking users into downloading and installing it through fake programs or bundled with other software in torrents.

Operation and Secondary Payloads

The infection progresses as the PowerShell downloader fetches two sophisticated malware payloads: PureCrypter and Quasar RAT.

PureCrypter, a commercial .NET packer sold on underground forums since 2021, leverages Google’s Protocol Buffers (ProtoBuf) library for stealthy C&C communications.

It creates multiple executable files in the %ALLUSERSPROFILE% directory with names like “nvidia.exe” and “teamviewer.exe” to appear legitimate.

If found, it executes this file, which has the following responsibilities:

[Figure: VBS downloader]

The final payload, Quasar RAT, is an open-source remote access tool that provides attackers with comprehensive control capabilities including keylogging, remote command execution, and file transfers.

Quasar establishes persistence with filenames like “winrar.exe” and “micro.exe” to evade detection through disguise as legitimate software.

“This campaign demonstrates sophisticated techniques to bypass security controls and maintain persistence,” noted ASEC researchers. “The use of multiple scripting stages and commercial malware tools indicates a well-resourced threat actor.”

Command and Control Infrastructure

The following IP addresses have been observed in the campaign's command-and-control traffic:

IP Addresses:

  • 89.117.79.31: Used for initial communication, observed with ports 56005, 56004, and 56003.
  • 65.109.29.234: Observed with port 7702 for Quasar RAT communication.

Indicators of Compromise (IoCs)

Several Indicators of Compromise (IoCs) have been established for this campaign:

  • MD5 Hashes:
    • 05cbfc994e6f084f536cdcf3f93e476f
    • 4c6daef71ae1db6c6e790fca5974f1ca
    • 70e51709238385fd30ab427eb82e0836
    • 7d937e196962e3ebbbdee6d3a002f0cf
    • e5d6c58d17ebce8b0e7e089dfc60ff1a
  • IP Addresses:
    • 136.243.132.112: Possible C&C address
    • 65.109.29.234: C&C for Quasar RAT
    • 89.117.79.31: Primary C&C address

Monitoring these IPs and hashes provides the opportunity to identify and block the campaign at various stages.
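One way to put the published IoCs to work is a small triage script that matches them against three kinds of evidence at once: outbound connections in a firewall or proxy log, file hashes from an EDR or sandbox export, and executables sitting under %ALLUSERSPROFILE% with the disguise names the article reports. The example below is added here for illustration and is not ASEC's or the article's own code. It assumes a constructed key=value log format (`dst=IP:PORT`), assumes %ALLUSERSPROFILE% resolves to the default `C:\ProgramData`, and treats the file-name check as a heuristic that needs analyst triage, since the page only reports the names, not that any file with such a name is malicious.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# IoCs as published in the ASEC write-up summarised above.
IOC_MD5 = {
    "05cbfc994e6f084f536cdcf3f93e476f",
    "4c6daef71ae1db6c6e790fca5974f1ca",
    "70e51709238385fd30ab427eb82e0836",
    "7d937e196962e3ebbbdee6d3a002f0cf",
    "e5d6c58d17ebce8b0e7e089dfc60ff1a",
}
IOC_IPS = {
    "89.117.79.31": "primary C&C",
    "65.109.29.234": "Quasar RAT C&C",
    "136.243.132.112": "possible C&C",
}
# Ports reported on the page; used only to enrich a hit, any traffic to a listed IP is flagged.
IOC_PORTS = {
    "89.117.79.31": {56003, 56004, 56005},
    "65.109.29.234": {7702},
}
# Disguise file names reported for PureCrypter and Quasar RAT persistence (heuristic only).
DISGUISE_NAMES = {"nvidia.exe", "teamviewer.exe", "winrar.exe", "micro.exe"}

@dataclass
class Hit:
    kind: str    # "network", "hash" or "path"
    value: str   # the matched artefact
    detail: str  # why it matched

# Constructed log format (assumption): "... dst=IP:PORT ..." as a firewall/proxy would emit.
LOG_RE = re.compile(r"dst=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)")

def match_network_log(lines: Iterable[str]) -> List[Hit]:
    """Flag every connection to a listed C&C IP, noting whether the port was previously observed."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        ip, port = m.group("ip"), int(m.group("port"))
        if ip not in IOC_IPS:
            continue
        known_ports = IOC_PORTS.get(ip)
        if known_ports is None:
            port_note = "no port data on record"
        elif port in known_ports:
            port_note = "observed port"
        else:
            port_note = "port not previously observed"
        hits.append(Hit("network", f"{ip}:{port}", f"{IOC_IPS[ip]} ({port_note})"))
    return hits

def match_digest(md5_hex: str) -> Optional[Hit]:
    """Look up an already-computed MD5 (e.g. from an EDR export) against the published hashes."""
    digest = md5_hex.strip().lower()
    return Hit("hash", digest, "known ViperSoftX sample") if digest in IOC_MD5 else None

def match_file_hash(data: bytes) -> Optional[Hit]:
    """Hash raw file bytes and look them up; MD5 is used here only because the IoCs are MD5."""
    return match_digest(hashlib.md5(data, usedforsecurity=False).hexdigest())

def check_path(path: str) -> Optional[Hit]:
    """Heuristic: a disguise name directly under ProgramData (default %ALLUSERSPROFILE%)."""
    p = path.replace("\\", "/").lower()
    name = p.rsplit("/", 1)[-1]
    if name in DISGUISE_NAMES and "/programdata/" in p:
        return Hit("path", path, "disguise name under %ALLUSERSPROFILE%; triage required")
    return None

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z src=10.0.0.5 dst=89.117.79.31:56005 proto=tcp action=allow",
    "2024-05-01T10:00:02Z src=10.0.0.5 dst=142.250.74.78:443 proto=tcp action=allow",
    "2024-05-01T10:03:10Z src=10.0.0.5 dst=65.109.29.234:7702 proto=tcp action=allow",
    "2024-05-01T10:05:00Z src=10.0.0.7 dst=136.243.132.112:443 proto=tcp action=allow",
]

if __name__ == "__main__":
    for hit in match_network_log(SAMPLE_LOG):
        print(hit)
    print(check_path(r"C:\ProgramData\nvidia.exe"))
    print(match_file_hash(b"constructed benign file contents"))
```

A hit on a listed IP is worth blocking regardless of port, since the page notes several ports per address; the path check is deliberately narrow (name plus ProgramData location) so that genuine NVIDIA or TeamViewer installs under Program Files do not fire.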

To mitigate the risk of falling victim to such campaigns:

  • Avoid downloading software from unverified sources like torrent sites.
  • Use legitimate software acquisition methods.
  • Keep antivirus solutions updated and configured to scan downloads and installations.
  • Enable real-time protection and employ heuristic scanning to better detect previously unknown malware.

ASEC is actively monitoring this evolving threat and has already shared the above IoCs with the cybersecurity community to aid in defense measures.

Users are encouraged to stay informed and adopt stringent cybersecurity practices to prevent infection.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
