Korean cybersecurity researchers have uncovered a complicated malware marketing campaign focusing on cryptocurrency customers worldwide, with ViperSoftX rising as a persistent menace that continues to evolve its assault methodologies.
First recognized by Fortinet in 2020, this malware has demonstrated exceptional longevity and adaptableness, persistently updating its methods to bypass safety measures whereas sustaining its core goal of stealing digital property and delicate data from contaminated programs.
The malware primarily spreads by way of misleading distribution channels, masquerading as cracked software program, key mills for legit purposes, and even eBooks distributed by way of torrent websites.
This distribution technique exploits customers’ want totally free software program, turning their belief right into a vulnerability that menace actors readily exploit.
The marketing campaign has proven specific effectiveness in focusing on customers who obtain unlawful software program duplicates, making it one of many major preliminary entry ways noticed alongside poorly managed service exploits and malicious e-mail attachments.
ASEC analysts recognized that ViperSoftX operators have considerably expanded their arsenal past easy cryptocurrency theft, now deploying further malware households together with Quasar RAT for distant entry, PureCrypter as an executable loader, and PureHVNC for complete system management.
The researchers famous that whereas the menace actors usually are not particularly focusing on South Korea, the widespread use of cracked software program distribution strategies has resulted in quite a few confirmed an infection instances throughout the area, highlighting the worldwide attain of this marketing campaign.
Flowchart (Supply – ASEC)
The malware’s affect extends past particular person cryptocurrency theft, because it establishes persistent backdoors that enable menace actors to execute arbitrary instructions, obtain further payloads, and keep long-term entry to compromised programs.
This creates a cascading safety threat the place preliminary cryptocurrency-focused assaults can evolve into complete information breaches and system compromises affecting each particular person customers and probably their organizational networks.
Superior Persistence Mechanisms and System Integration
ViperSoftX demonstrates subtle persistence capabilities by way of its strategic use of Home windows Process Scheduler, implementing a number of registration strategies to make sure continued execution even after system reboots.
The malware employs a minimum of two distinct persistence methods, every designed to evade detection whereas sustaining dependable command and management communication with its operators.
The first persistence technique includes creating scheduled duties that execute malicious PowerShell scripts by way of VBScript instructions.
These duties are programmed to learn particular byte sequences from seemingly legit log information, which really comprise Base64-encrypted PowerShell code embedded at predetermined offsets.
The malware reads precisely 0x1A6 bytes from offset 0x1F843C of the goal file, decrypts this information into Base64 format, and executes it as a PowerShell downloader.
This method demonstrates the malware’s potential to cover its payload inside apparently innocuous system information, making detection considerably more difficult for conventional safety instruments.
001F8440 62 47 55 67 4B 43 52 30 63 6E 56 6C 4B 53 42 37
001F8450 44 51 6F 67 49 43 41 67 64 48 4A 35 49 48 73 4E DQogICAgdHJ5IHSN
001F8460 43 69 41 67 49 43 41 67 49 43 41 67 4A 48 49 67 CiAgICAgICAgJHIg
001F8470 50 53 42 4A 62 6E 5A 76 61 32 55 74 55 6D 56 7A PSBJbnZva2UtUmVz
Powershell script encrypted with Base64 (Supply – ASEC)
The encrypted PowerShell script demonstrates the malware’s subtle obfuscation methods, embedding executable code inside what seems to be error message textual content.
The secondary persistence mechanism makes use of registry-based storage, the place PowerShell scripts are positioned within the %SystemDirectory% path and configured to learn encrypted instructions from particular registry keys akin to “HKLMSOFTWAREHPgs6ZtP670 / xr417LXh.”
This dual-layered method ensures that even when one persistence technique is detected and eliminated, the malware can proceed working by way of its backup channels, sustaining its foothold on compromised programs whereas downloading further payloads and executing menace actor instructions.
Pace up and enrich menace investigations with Menace Intelligence Lookup! -> 50 trial search requests
