Charming Viper, Vanishing Crypto

Have you heard of VipersoftX, the info-stealer that has stolen more than $2.5 million worth of cryptocurrency? VipersoftX has updated its TTPs in its recent campaign, and the changes warrant exploration. This info-stealer emerged in early 2020 as a JavaScript-based RAT dubbed VipersoftX, and has updated its TTPs regularly since, stealing cryptocurrency and credentials while also connecting back to its C2 to download additional payloads.

VipersoftX has evolved from a clipboard hijacker into a stealer of user credentials and cryptocurrency, and has upgraded its C2 communication methods along the way. Over the years it has typically spread via pirated software and installed a malicious browser extension named VenomSoftX in Chromium-based browsers. The extension swaps cryptocurrency wallet addresses by tampering with the API requests whenever the user interacts with a cryptocurrency website.

Last year it abused DLL search order to side-load a malicious DLL that decrypts shellcode using a byte-mapping (substitution) routine to reach the next stage. After performing a few anti-VM and anti-monitoring checks, it downloads and executes a PowerShell script that fetches the final VipersoftX payload. This time, however, in addition to browser hijacking it also tries to extract passwords from a couple of password managers, and hides its C2 server behind a domain generation algorithm (DGA).
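A DGA-fronted C2 leaves a recognisable trace in resolver logs: a burst of NXDOMAIN answers for random-looking names, followed by one that resolves. The following is an added example, not code from the talk or from K7 Labs, that scores the registrable label of each queried name with simple lexical heuristics (entropy, vowel ratio, digit ratio) and counts NXDOMAIN answers per client. The log lines are constructed, the domains are invented, and the thresholds are assumptions chosen for the example rather than tuned values.

```python
from __future__ import annotations

import math
import re
from collections import Counter

# Constructed DNS resolver log (not real VipersoftX infrastructure).
# Format: "<timestamp> <client> query <fqdn> <answer>"
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 query www.google.com 142.250.72.4
2024-05-01T10:00:02Z 10.0.0.5 query update.microsoft.com 20.50.100.3
2024-05-01T10:00:03Z 10.0.0.5 query kqzxv8p2lmw4t.com NXDOMAIN
2024-05-01T10:00:04Z 10.0.0.5 query j7tr9qxw3nvb.net NXDOMAIN
2024-05-01T10:00:05Z 10.0.0.5 query p0x3zk8vhqmt.org 203.0.113.9
2024-05-01T10:00:06Z 10.0.0.5 query github.com 140.82.121.4
"""

DNS_RE = re.compile(r"^(\S+) (\S+) query (\S+) (\S+)$")
VOWELS = frozenset("aeiou")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking labels score higher."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registrable_label(fqdn: str) -> str:
    """Second-level label of an FQDN ('kqzxv8p2lmw4t' for 'kqzxv8p2lmw4t.com').
    Assumes a single-label public suffix; production code should use a public-suffix list."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def is_dga_like(label: str, entropy_threshold: float = 3.0, min_len: int = 8) -> bool:
    """Heuristic: a long, high-entropy label with almost no vowels or many digits.
    The thresholds are assumptions for this example, not tuned values."""
    label = label.lower()
    if len(label) < min_len:
        return False
    letters = [c for c in label if c.isalpha()]
    digits = [c for c in label if c.isdigit()]
    vowel_ratio = sum(c in VOWELS for c in letters) / max(len(letters), 1)
    digit_ratio = len(digits) / len(label)
    return shannon_entropy(label) >= entropy_threshold and (vowel_ratio < 0.2 or digit_ratio > 0.2)


def flag_dga_queries(log_text: str) -> list[str]:
    """Distinct FQDNs (in log order) whose registrable label looks algorithmically generated."""
    flagged: list[str] = []
    for line in log_text.splitlines():
        m = DNS_RE.match(line)
        if not m:
            continue
        fqdn = m.group(3)
        if fqdn not in flagged and is_dga_like(registrable_label(fqdn)):
            flagged.append(fqdn)
    return flagged


def nxdomain_counts(log_text: str) -> dict[str, int]:
    """NXDOMAIN answers per client. A burst of them is the classic DGA sign,
    since only a few of the generated names are registered at any time."""
    counts: Counter[str] = Counter()
    for line in log_text.splitlines():
        m = DNS_RE.match(line)
        if m and m.group(4) == "NXDOMAIN":
            counts[m.group(2)] += 1
    return dict(counts)


if __name__ == "__main__":
    for fqdn in flag_dga_queries(SAMPLE_DNS_LOG):
        print("DGA-like:", fqdn)
    print("NXDOMAIN per client:", nxdomain_counts(SAMPLE_DNS_LOG))
```

The lexical score alone is noisy on short or brand-like names (the length floor keeps "github" and "google" out here), so in practice it is combined with the NXDOMAIN burst count per client and with the fact that the one name that does resolve points at an IP no other host on the network talks to.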

VipersoftX’s recent campaign uses ebooks as a lure. While the ebook opens, an AutoIt script in the background invokes functions from the .NET CLR to execute a base64-encoded, AES-encrypted PowerShell payload. Before executing the scripts it applies AMSI-bypass techniques. Finally, it siphons off cryptocurrency and system information, dispatched to its C2 as a base64-encoded string, and proceeds to download additional payloads.
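The base64-encoded beacon described above is cheap to hunt for in proxy logs: decode every long base64-looking token in a request body and check whether the plaintext carries wallet addresses or host-profile fields. The following is an added example, not code from the talk or from K7 Labs. The log lines, the beacon layout (`host=;user=;os=;clip=`) and the benign heartbeat are constructed for the example; the wallet address is the bech32 example address from the BIP173 specification, and the wallet and field patterns are assumptions, not VipersoftX's actual format.

```python
from __future__ import annotations

import base64
import binascii
import re
import string

# Constructed beacon and benign bodies (assumptions, not real VipersoftX traffic).
_BEACON = "host=WIN-7F3K2;user=alice;os=Windows 10 Pro;clip=bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"
_BENIGN = '{"event":"heartbeat","v":3}'


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed proxy log. Format: "<timestamp> <src> <method> <url> <body-or-dash>"
SAMPLE_HTTP_LOG = "\n".join([
    "2024-05-01T10:01:00Z 10.0.0.5 GET http://www.example.com/index.html -",
    f"2024-05-01T10:01:05Z 10.0.0.5 POST http://203.0.113.9/api/v1/ {_b64(_BEACON)}",
    f"2024-05-01T10:01:09Z 10.0.0.7 POST http://telemetry.example.com/ingest {_b64(_BENIGN)}",
]) + "\n"

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
# Wallet patterns are illustrative; real hunting would use stricter checksum validation.
WALLET_RES = {
    "btc_bech32": re.compile(r"\bbc1[a-z0-9]{25,62}\b"),
    "btc_legacy": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
    "eth": re.compile(r"\b0x[a-fA-F0-9]{40}\b"),
}
SYSINFO_KEYS = ("host=", "user=", "os=")


def decode_base64_tokens(text: str) -> list[str]:
    """Decode every base64-looking token that yields mostly printable UTF-8."""
    out: list[str] = []
    for tok in B64_TOKEN_RE.findall(text):
        try:
            decoded = base64.b64decode(tok, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            continue
        if decoded and sum(c in string.printable for c in decoded) / len(decoded) >= 0.95:
            out.append(decoded)
    return out


def analyse_http_log(log_text: str) -> list[dict]:
    """Flag requests whose decoded body contains wallet addresses or host-profile fields."""
    findings: list[dict] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        _ts, src, _method, url, body = m.groups()
        for decoded in decode_base64_tokens(body):
            wallets = {name: rx.findall(decoded) for name, rx in WALLET_RES.items()}
            wallets = {k: v for k, v in wallets.items() if v}
            sysinfo = [k.rstrip("=") for k in SYSINFO_KEYS if k in decoded]
            if wallets or sysinfo:
                findings.append({"src": src, "url": url, "wallets": wallets, "sysinfo": sysinfo})
    return findings


if __name__ == "__main__":
    for f in analyse_http_log(SAMPLE_HTTP_LOG):
        print(f"{f['src']} -> {f['url']}: wallets={f['wallets']} sysinfo={f['sysinfo']}")
```

The printable-ratio gate keeps binary uploads and random tokens from producing false hits; the benign heartbeat decodes cleanly but carries neither a wallet nor a profile field, so only the beacon to the bare-IP endpoint is reported. If the body is AES-encrypted before base64, as the PowerShell stage is, this check sees only ciphertext, and the decoded-key step has to come from the script itself.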

In this presentation, we will conduct an in-depth analysis of the TTPs employed by VipersoftX to deceive users, bypass security products, and steal cryptocurrency and user credentials. We will also explain in detail the evolution in its C2 communication infrastructure to send data and to receive additional payloads.

Dhanush – K7 Computing

Dhanush completed his Bachelor’s degree in Computer Science at Thiruvalluvar University in 2022. He began his professional journey as a Threat Researcher at K7 Labs, where his primary responsibilities involve reversing and detecting various types of malware at multiple layers, as well as staying up to date with the latest trends. Dhanush is passionate about malware analysis and reverse engineering, and his research findings are published on the K7 Labs technical blog. In his leisure time he enjoys playing chess and travelling with his friends.

Arun Kumar – K7 Computing

Arun Kumar completed his Bachelor’s degree in Mechanical Engineering at Anna University in 2021. Although he initially pursued a career in the mechanical field, he later moved into the IT sector and began working as a Threat Researcher at K7 Labs, where his main responsibilities include analysing and identifying various types of malware at different levels, as well as keeping current with the latest trends in the field. Arun is passionate about malware analysis and reverse engineering, and his research findings are published on the K7 Labs technical blog.