Recent variants of the ViperSoftX info-stealing malware employ advanced techniques to evade detection, utilising the Common Language Runtime (CLR) to load and execute PowerShell commands within AutoIt scripts. This method leverages a key component of Microsoft's .NET Framework, allowing ViperSoftX to mask its malicious activities under the guise of legitimate operations.
Understanding CLR and AutoIt
The CLR is the execution engine for .NET applications, providing a runtime environment that supports managed code. By integrating CLR, ViperSoftX can execute PowerShell commands within AutoIt, a scripting language commonly used for automating Windows tasks and generally trusted by security solutions.
Advanced Infection Chain
Active since at least 2020, ViperSoftX is primarily distributed through torrent sites, disguised as eBooks that deliver malicious RAR archives. These archives contain a decoy PDF or eBook file, a shortcut (.LNK) file, and scripts masked as JPG image files.
Researchers at Trellix have mapped the infection process: the attack begins when the victim executes the .LNK file, which loads a PowerShell script concealed within blank spaces. This script moves two files, zz1Cover2.jpg and zz1Cover3.jpg, to the %APPDATA%\Microsoft\Windows directory. One file, renamed as AutoIt3.exe, is the executable for AutoIt. To maintain persistence, the script schedules AutoIt3.exe to run every five minutes via Task Scheduler.
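As an added defender-side example (not code from the Trellix report), the following Python script inspects Windows Task Scheduler XML definitions, as exported by `schtasks /Query /XML` or `Export-ScheduledTask`, for the persistence pattern described above: an AutoIt interpreter launched from the user profile (%APPDATA%) on a short repeat interval. The two task definitions, the 10-minute threshold and the argument file name are constructed for illustration.

```python
"""Added example (not Trellix's code): flag Task Scheduler definitions that
launch an AutoIt interpreter from the user profile on a short repeat interval,
the persistence pattern described above. All task XML here is constructed."""
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML (what `schtasks /Query /XML` returns).
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Assumption: user-context tasks that repeat every 10 minutes or less are unusual.
SHORT_INTERVAL_SECONDS = 600

# Constructed task mirroring the reported behaviour: renamed AutoIt3.exe under
# %APPDATA%\Microsoft\Windows, repeating every five minutes. Argument name is made up.
SUSPICIOUS_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT5M</Interval></Repetition>
      <StartBoundary>2024-01-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows\\AutoIt3.exe</Command>
      <Arguments>payload.jpg</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign task: vendor updater under Program Files, hourly.
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <Repetition><Interval>PT1H</Interval></Repetition>
      <StartBoundary>2024-01-01T00:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\\Program Files\\Vendor\\updater.exe</Command></Exec>
  </Actions>
</Task>"""


def parse_iso8601_duration(value: str) -> int:
    """Convert a Task Scheduler interval such as PT5M or P1DT2H into seconds."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value.strip())
    if not m:
        raise ValueError(f"unsupported duration: {value!r}")
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def _normalise(command: str) -> str:
    return command.strip().strip('"').replace("/", "\\").lower()


def assess_task(task_xml: str) -> dict:
    """Return the indicators found in one task definition plus an overall verdict."""
    root = ET.fromstring(task_xml)
    intervals = [parse_iso8601_duration(e.text)
                 for e in root.findall(".//t:Repetition/t:Interval", TASK_NS) if e.text]
    interval = min(intervals) if intervals else None
    commands = [_normalise(e.text or "") for e in root.findall(".//t:Exec/t:Command", TASK_NS)]

    # Basename check only: a further-renamed interpreter needs a PE metadata
    # (OriginalFilename) check, which is outside this example.
    runs_autoit = any("autoit" in c.rsplit("\\", 1)[-1] for c in commands)
    from_profile = any("%appdata%" in c or "\\appdata\\roaming\\" in c for c in commands)
    short_repeat = interval is not None and interval <= SHORT_INTERVAL_SECONDS
    indicators = {"autoit_interpreter": runs_autoit,
                  "user_profile_path": from_profile,
                  "short_repeat_interval": short_repeat}
    # Any two of the three indicators together are treated as suspicious.
    return {"commands": commands, "interval_seconds": interval,
            "indicators": indicators, "suspicious": sum(indicators.values()) >= 2}


if __name__ == "__main__":
    for name, xml_text in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(name, assess_task(xml_text))
```

On a live host the same function can be fed the output of `schtasks /Query /XML` for every task; pairing the basename check with the interpreter's PE metadata catches cases where AutoIt3.exe has been renamed again.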
Evasion Techniques
ViperSoftX’s use of CLR to load PowerShell commands within AutoIt scripts allows it to mimic legitimate system activities, thereby evading detection. Although AutoIt does not natively support .NET CLR, the malware defines functions to invoke PowerShell commands indirectly. The malware employs heavy Base64 obfuscation and AES encryption to conceal the PowerShell commands embedded within the image decoy files.
Additionally, ViperSoftX patches the in-memory code of the Antimalware Scan Interface (AMSI) function ‘AmsiScanBuffer’ to bypass security checks. For network communication, it uses deceptive hostnames such as ‘security-microsoft.com’ and transmits Base64-encoded system information via POST requests with a Content-Length of 0; because the requests carry no body, inspection tools that examine body content see nothing to flag.
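As an added detection example (not code from Trellix or the malware itself), the following Python script scans web-proxy log lines for the network traits described above: a hostname that embeds a trusted brand outside that brand's real domains, POST requests with no body, and a Base64-looking blob in the request line. The log format, the sample lines, the brand allowlist and the 20-character Base64 threshold are all constructed assumptions; the page does not state where the encoded system information is carried, so the Base64 check on the URL is a heuristic, not a description of the malware.

```python
"""Added example (not Trellix's code): flag proxy log records that match the
network behaviour described above. Log lines and domain lists are constructed."""
import base64
import binascii
import re
from collections import Counter

# Brand tokens worth protecting and the registrable domains that may carry them
# legitimately (constructed, incomplete allowlist).
BRAND_TOKENS = {"microsoft"}
LEGIT_DOMAINS = {"microsoft.com", "microsoftonline.com", "live.com"}

# Constructed proxy log: time src method host path status request_bytes
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 10.0.0.5 POST security-microsoft.com /api/v1/update?id=SGVsbG8gV29ybGQhIFdpbmRvd3MgMTA= 200 0
2024-05-01T10:05:00Z 10.0.0.5 POST security-microsoft.com /api/v1/update?id=SGVsbG8gV29ybGQhIFdpbmRvd3MgMTA= 200 0
2024-05-01T10:01:00Z 10.0.0.7 POST login.microsoft.com /common/oauth2/v2.0/token 200 512
2024-05-01T10:02:00Z 10.0.0.8 GET www.microsoft.com /en-us/ 200 0
2024-05-01T10:03:00Z 10.0.0.9 POST api.example.com /upload 200 0
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")
# Candidate Base64 runs of 20+ characters; short clean paths can still collide.
B64_RE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")


def parse_line(line: str):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, host, path, status, req_bytes = m.groups()
    return {"time": ts, "src": src, "method": method.upper(), "host": host.lower(),
            "path": path, "status": int(status), "req_bytes": int(req_bytes)}


def lookalike_brand(host: str):
    """Return the impersonated brand token, or None if the host is clean."""
    host = host.lower().rstrip(".")
    # Naive registrable domain (last two labels); ignores suffixes such as co.uk.
    registrable = ".".join(host.split(".")[-2:])
    if registrable in LEGIT_DOMAINS:
        return None
    return next((t for t in BRAND_TOKENS if t in host), None)


def base64_blobs(text: str) -> list:
    """Return substrings that are well-formed Base64 (length multiple of 4, valid alphabet)."""
    out = []
    for cand in B64_RE.findall(text):
        if len(cand) % 4:
            continue
        try:
            base64.b64decode(cand, validate=True)
        except (binascii.Error, ValueError):
            continue
        out.append(cand)
    return out


def analyse(log_text: str) -> list:
    """Return one finding per record that shows at least one indicator."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        token = lookalike_brand(rec["host"])
        if token:
            reasons.append(f"hostname uses '{token}' outside its real domains")
        if rec["method"] == "POST" and rec["req_bytes"] == 0:
            reasons.append("POST with no request body (Content-Length: 0)")
        if base64_blobs(rec["path"]):
            reasons.append("Base64-looking blob in request line")
        if reasons:
            findings.append({**rec, "reasons": reasons})
    return findings


def beacon_counts(findings: list) -> Counter:
    """Count empty-body POSTs per (source, host) to surface repeating beacons."""
    return Counter((f["src"], f["host"]) for f in findings
                   if any(r.startswith("POST with no") for r in f["reasons"]))


if __name__ == "__main__":
    found = analyse(SAMPLE_LOG)
    for f in found:
        print(f["src"], f["host"], f["reasons"])
    print(beacon_counts(found))
```

The empty-body POST indicator alone is noisy (health checks and some APIs legitimately send bodiless POSTs), so in practice the lookalike-hostname and beacon-repetition signals carry most of the weight.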
Data Theft Objectives
The primary goal of ViperSoftX is to steal sensitive data from compromised systems, including:
• System and hardware details
• Cryptocurrency wallet data from browser extensions like MetaMask and Ronin Wallet
• Clipboard contents
To Sum Up
Trellix researchers emphasise that ViperSoftX has significantly refined its evasion tactics, making it a more formidable threat. By embedding CLR to execute PowerShell within AutoIt, the malware operates stealthily, bypassing security measures that typically detect standalone PowerShell activity. To counter this sophisticated and agile threat, a comprehensive defence strategy encompassing detection, prevention, and response capabilities is essential.