ViperSoftX Stealing Cryptocurrencies
AhnLab SEcurity intelligence Center (ASEC) has confirmed that the ViperSoftX attacker is continuously distributing malware to users in Korea. ViperSoftX is a type of malware that resides in infected systems and is responsible for executing threat actors’ commands and stealing cryptocurrencies. ASEC previously published an analysis of a ViperSoftX attack case in May 2024, which covered a distribution case of TesseractStealer, a malware that utilizes Quasar RAT, a remote access Trojan, and Tesseract, an open-source OCR engine that uses deep learning. [1]
The ViperSoftX threat actor installs various PowerShell scripts in infected systems and uses them to download additional payloads. This allows them to receive commands from the threat actor and perform various malicious behaviors. They mainly distribute malware responsible for installing Quasar RAT for remote access purposes or stealing cryptocurrency wallet addresses. Recently, they have been installing downloaders and remote access malware such as PureCrypter and PureHVNC in addition to Quasar RAT.

Figure 1. Flowchart
1. ViperSoftX Distribution
First uncovered by Fortinet in 2020, ViperSoftX was often distributed under the guise of cracked software or key generators for legitimate software. This initial infection vector was subsequently observed by Avast in 2022 and Trend Micro in 2023. In addition, Trellix shared a case in 2024 where ViperSoftX was disguised as an eBook and distributed via torrent sites.
The method of disguising malware as illegal duplication programs such as cracks and keygens for legitimate software is being used by various threat actors. In actual attack cases, this method is one of the main initial access tactics used alongside attacks that exploit poorly managed services or malicious email attachments. While the threat actor behind ViperSoftX is not specifically targeting South Korea, the method they are using (disguising malware as an illegal duplication program) is affecting a large number of victims worldwide. As a result, multiple infection cases have been confirmed in South Korea as well.
2. Persistence
ViperSoftX leverages the Task Scheduler to periodically execute malicious PowerShell scripts. At least two task registration methods have been identified so far. The first method involves decoding and executing data embedded in a file dropped by the malicious script. The task registered in the Task Scheduler runs a VBS command, which in turn launches the actual PowerShell command. It reads 0x1A6 bytes from offset 0x1F843C of a file located in a specific path, Base64-decodes them, and then executes the result. Although this file is disguised as a log file, examining offset 0x1F843C reveals a Base64-encoded PowerShell script. The decoded and executed PowerShell command is a downloader.

Figure 2. PowerShell script encoded with Base64
Another type is a task that executes a PowerShell script located in the %SystemDirectory% path. This PowerShell script is obfuscated; it reads a value stored in the registry, such as “HKLM\SOFTWARE\HPgs6ZtP670 / xr417LXh”, and executes it as a PowerShell command. The PowerShell command stored in the registry also acts as a downloader.
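For triage of the first persistence method, the following added Python script (not part of the original post or of ASEC's tooling) carves the Base64 region at the offset and length reported above out of a disguised "log" file and decodes it. The file layout, filler lines, placeholder script and the assumption that the slot is NUL-padded and holds UTF-16LE or UTF-8 text are constructed for the example.

```python
import base64
import re

# The offset and length are the values reported above for the disguised
# "log" file; the file name, filler and script content here are constructed.
BLOB_OFFSET = 0x1F843C
BLOB_LENGTH = 0x1A6


def carve_embedded_script(data: bytes, offset: int = BLOB_OFFSET,
                          length: int = BLOB_LENGTH) -> str:
    """Return the PowerShell hidden as Base64 in data[offset:offset + length].

    Assumption: the slot is NUL/whitespace padded when the blob is shorter
    than `length`, and the decoded bytes are UTF-16LE (the encoding
    powershell -EncodedCommand expects) or plain UTF-8.
    """
    if len(data) < offset + length:
        raise ValueError("file too small to hold the blob at the expected offset")
    blob = data[offset:offset + length].strip(b"\x00 \t\r\n")
    if not re.fullmatch(rb"[A-Za-z0-9+/=]+", blob):
        raise ValueError("carved region is not Base64; offset or length differ")
    raw = base64.b64decode(blob, validate=True)
    # ASCII text stored as UTF-16LE has a NUL in every odd position.
    if len(raw) >= 2 and raw[1::2].count(0) == len(raw) // 2:
        return raw.decode("utf-16-le")
    return raw.decode("utf-8")


def build_sample_file(script: str, utf16: bool = True) -> bytes:
    """Construct a fake 'log' file with `script` Base64-embedded at BLOB_OFFSET."""
    blob = base64.b64encode(script.encode("utf-16-le" if utf16 else "utf-8"))
    if len(blob) > BLOB_LENGTH:
        raise ValueError("sample script does not fit in the slot")
    filler = b"[INFO] constructed placeholder log line\r\n"
    head = (filler * (BLOB_OFFSET // len(filler) + 1))[:BLOB_OFFSET]
    return head + blob.ljust(BLOB_LENGTH, b"\x00") + filler


if __name__ == "__main__":
    sample = build_sample_file("Write-Output 'constructed placeholder'")
    print(carve_embedded_script(sample))
```

On a real sample, read the suspicious file with `open(path, "rb").read()` and pass it to `carve_embedded_script`; a ValueError means the blob is not where this variant puts it.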
3. PowerShell Downloader
The malware strains used in these attacks are mostly PowerShell scripts, often responsible for downloading other malware strains. There are simple types that download malware from a specific URL, as well as scripts that calculate the GUID of the infected system to communicate with the C&C server and execute the downloaded PowerShell commands.

Figure 3. PowerShell downloader
In addition, some downloaders abuse DNS TXT records. They combine one item from each of the lists below into a domain name such as “wmail-blog[.]com” and query the TXT record for that domain.
- $a : “wmail”, “fairu”, “bideo”, “privatproxy”, “ahoravideo”
- $b : “endpoint”, “blog”, “chat”, “cdn”, “schnellvpn”
- $c : “com”, “xyz”

Figure 4. Response of the TXT record
The C&C server sends encrypted data as a response. The downloader decodes the payload downloaded from the C&C server using Base64, then decrypts it using the DFC() function, and finally executes the PowerShell command. At the time of analysis, the decrypted PowerShell script was a downloader that installs the ViperSoftX PowerShell script.
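As a detection aid for the DNS TXT downloader, the following added Python example (not from the original post) expands the three word lists above into every domain the downloader can form and scans DNS query logs for lookups of those names. The log format and the log lines themselves are constructed; map your resolver or DNS-client logs onto the same four fields before using it.

```python
import re

# Word lists taken from the analysis above; the downloader concatenates one
# entry of each as "<a>-<b>.<c>" (e.g. wmail-blog[.]com) and queries its TXT record.
A_WORDS = ["wmail", "fairu", "bideo", "privatproxy", "ahoravideo"]
B_WORDS = ["endpoint", "blog", "chat", "cdn", "schnellvpn"]
C_TLDS = ["com", "xyz"]


def candidate_domains() -> set[str]:
    """All 50 domains the downloader can build from the three lists."""
    return {f"{a}-{b}.{c}" for a in A_WORDS for b in B_WORDS for c in C_TLDS}


# Constructed log lines in a simple "<time> <client> <qtype> <qname>" layout
# (assumption: resolver or Sysmon/DNS-client logs are mapped onto this layout).
SAMPLE_LOG = """\
2024-06-01T10:00:01 10.0.0.12 A www.example.com.
2024-06-01T10:00:07 10.0.0.12 TXT wmail-blog.com.
2024-06-01T10:00:09 10.0.0.12 TXT ahoravideo-schnellvpn.xyz.
2024-06-01T10:01:15 10.0.0.40 TXT _dmarc.example.com.
2024-06-01T10:02:30 10.0.0.40 A fairu-cdn.com.
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+?)\.?$")


def find_vipersoftx_queries(log_text: str) -> list[tuple[str, str, str, str]]:
    """Return (time, client, qtype, domain) for every query to a candidate domain.

    Any query type is reported: a resolver may log an A lookup for the same
    name, while the TXT lookup is the one the downloader relies on.
    """
    wanted = candidate_domains()
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        when, client, qtype, qname = m.groups()
        if qname.lower() in wanted:
            hits.append((when, client, qtype.upper(), qname.lower()))
    return hits


if __name__ == "__main__":
    for hit in find_vipersoftx_queries(SAMPLE_LOG):
        print(*hit)
```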
4. ViperSoftX
ViperSoftX is a PowerShell script that communicates with the C&C server to transmit collected information or receive commands and transmit results. The data transmitted to the C&C server is sent through the “X-User-Agent,” “X-get,” or “X-notify” field in the HTTP header. The “X-User-Agent” field includes the information collected from the system. The version at the time of analysis is “O_143.” The “X-get” field is used for the initial connection, and the “X-notify” field contains the transmitted data.
| Order | Data |
|---|---|
| 1 | Version (“O_143”) |
| 2 | guid (Create a new one) |
| 3 | Computer Name |
| 4 | User Name |
| 5 | Windows Version |
| 6 | Architecture |
| 7 | AntiVirus Information |
Table 1. X-User-Agent field
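The custom HTTP headers described above are a usable network indicator. The following added Python example (not part of the original post) parses raw HTTP requests and flags the “X-get” / “X-notify” headers and an “X-User-Agent” value carrying an O_nnn version tag such as “O_143”. The sample requests, host names, GUID and the “|” separator between the seven X-User-Agent fields are constructed; the post does not state how the fields are joined.

```python
import re

# The header names and the "O_143" version tag come from the analysis above.
# The requests, host names and the "|" separator inside X-User-Agent are
# constructed; the post does not state how the seven fields are joined.
BEACON_ONLY_HEADERS = {"x-get", "x-notify"}
VERSION_RE = re.compile(r"\bO_\d{3}\b")


def parse_request(raw: str) -> tuple[str, dict[str, str]]:
    """Split a raw HTTP request into its request line and a lower-cased header map."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def classify_request(raw: str) -> list[str]:
    """Return the reasons a request looks like a ViperSoftX beacon ([] if none)."""
    _, headers = parse_request(raw)
    reasons = [f"custom header {h}" for h in sorted(BEACON_ONLY_HEADERS.intersection(headers))]
    if VERSION_RE.search(headers.get("x-user-agent", "")):
        reasons.append("X-User-Agent carries an O_nnn version tag")
    return reasons


# Constructed samples: one beacon-like request and one ordinary browser request.
SAMPLE_BEACON = (
    "GET / HTTP/1.1\r\n"
    "Host: c2-placeholder.invalid\r\n"
    "X-User-Agent: O_143|00000000-0000-0000-0000-000000000000|DESKTOP-01|user|"
    "10.0.19045|x64|Windows Defender\r\n"
    "X-get: 1\r\n\r\n"
)
SAMPLE_BROWSER = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n\r\n"
)

if __name__ == "__main__":
    for sample in (SAMPLE_BEACON, SAMPLE_BROWSER):
        print(classify_request(sample) or ["no ViperSoftX indicators"])
```

The same checks translate directly into a proxy or IDS rule on the three header names, which is cheaper than inspecting the header value.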
4.1. Clipboard Protection
The first feature is a clipboard protection feature, likely intended to shield ViperSoftX from competing ClipBanker-type malware. First, it creates a “ClipboardProtect.ps1” file in the %TEMP% directory and then executes it. The created script inspects the processes that are currently running. If a running process is not signed with a legitimate certificate and is not located in paths like “Windows”, “System32”, or “Program Files”, it adds the process to a list.
It then monitors the clipboard and checks the process of the currently active window when a clipboard change occurs. If the process is not located in the system path and is not signed by a certificate, which means it is a suspicious process, it forcibly terminates the process.
4.2. Window Monitoring (Cryptocurrency Wallet Program)
It then checks the current window title to see if a cryptocurrency wallet-related program is running, and if it matches, it sends the data to the C&C server.
4.3. Clipboard Monitoring (BIP39 recovery phrase and cryptocurrency wallet address)
ViperSoftX monitors the clipboard to check whether a BIP39 recovery phrase, which is used to restore cryptocurrency wallets, has been copied. It downloads the BIP39 recovery phrase word list from GitHub and then checks the clipboard periodically, sending the data to the C&C server if it contains a recovery phrase. It also steals the data if the clipboard content matches the regular expression for cryptocurrency wallet addresses.
- Regular Expression Target Wallet Address: BTC, BCH, BNB, ETH, XMR, XRP, DOGE, DASH, ADA, XTZ, SOL, ATOM, KAVA, ZEC, ZIL, USDT
4.4. Send System Information (Web Browser Extension, Installed Programs)
It queries the lists of extensions of web browsers and installed programs and sends them to the C&C server.
- Target Web Browsers: Chrome, Edge, Brave, Opera, Opera GX, Firefox, Vivaldi, Chrome Beta, Chrome Canary, Firefox Developer
4.5. Executing the Command
In addition to the information theft feature, ViperSoftX also has a command execution feature. It not only executes PowerShell commands, but also downloads and executes executable files.

Figure 5. Commands supported by ViperSoftX
| Command | Feature |
|---|---|
| Cmd | Run PowerShell command |
| DwnlExe | Download and Run Executable |
| SelfRemove | End |
| RestartClient | End |
Table 2. Commands supported by ViperSoftX
5. Additional Payload
5.1. Quasar RAT
Quasar RAT is an open-source RAT malware developed in .NET. It provides remote control features as well as keylogging and account credential collection features, allowing threat actors to steal information from user environments. ViperSoftX has frequently used Quasar RAT in the past, and it remains one of the most commonly deployed payloads alongside PureCrypter and PureHVNC.
5.2. PureCrypter, PureHVNC
Recently, in addition to Quasar RAT, PureCrypter, a commercial packer developed in .NET, and PureHVNC, a remote control malware, have also been distributed. PureCrypter is an executable loader that downloads and executes additional payloads, and it supports various features such as injection and analysis evasion techniques. PureHVNC is sold by the same developer and supports various features for controlling the infected system.

Figure 6. PureHVNC
5.3. ClipBanker
The ClipBanker malware monitors the clipboard periodically and uses a regular expression to check whether a cryptocurrency wallet address is being copied. If it determines that a wallet address has been copied, the malware replaces it with the threat actor’s wallet address. This works because cryptocurrency wallet addresses are long, random-looking strings in a fixed format that are difficult to memorize, so users tend to copy and paste them rather than type them, and a substituted address is easily overlooked.
6. Conclusion
The threat actor behind ViperSoftX has been targeting cryptocurrency users for several years and is actively distributing malware. The threat actor uses various types of malware to steal cryptocurrency-related information or disrupt transactions. If a system is infected with ViperSoftX, the threat actor can take control of the system and steal not only the information mentioned in this post, but also additional user information.
Users must be cautious of installing software downloaded from suspicious websites or file-sharing sites instead of the official website. They should also apply the latest security patches for their operating system and installed software, and keep V3 products up to date to block known attacks.