Google Chrome is a popular open-source browser used to access the internet and run multiple web applications; It is one of the most trustable browsing platforms all around the world. Even so, there are multiple attacks targeting google chrome, as it is the best place to steal credentials or other sensitive information.
In this article, we will discuss one of the wildly exploited attacks where the Google chrome extension was seen used as a cryptocurrency stealer, ViperSoftX Malware. Let’s see what is ViperSoftX Malware, how ViperSoftX Malware is misused as a cryptocurrency stealing Google chrome extension, and how to protect from ViperSoftX Malware.
What is a google chrome extension? Are they safe?
A vast majority of extensions are considered safe however the concern is when it comes to permission, as it can access sensitive and critical information. They can be a potential attack vector if not managed correctly. Let’s look into one such case.
What is VipersoftX Malware?
ViperSoftX is mostly distributed via cracked software like Microsoft Office, Adobe illustrator, etc. These are also spread via torrent downloads. Only windows users have been impacted so far.
Recent Campaign Activity – Victims of ViperSoftX Malware Campaign
As per Avast, they have protected more than 93,000 users from this malware. This malware is distributed all around the world, mostly via torrent files or software-sharing sites. The most impacted countries are India (7,000+), the USA (6,000+), and Italy (5,000+).
As of 8th November 2022, a total of $130,421.56 have been stolen by ViperSoftX and VenomSoftX from stolen cryptocurrencies. The below table shows an estimate of attacker earnings from multiple cryptocurrency wallets.
|Cryptocurrency||Earnings in cryptocurrency||~Earning in USD|
|Bitcoin Cach||9.11997194 BCH||$1,021.39|
|Cosmos (ATOM)||65.153 ATOM||$846.44|
How Does ViperSoftX Malware Campaign Work?- Attack Flow
ViperSoftX pretends to be a cracked software as the victim downloads it. This malware is commonly named patch.exe or activator.exe. Activator.exe is the loader that decrypts data from itself using AES, the decrypted loader reveals five different files:
- ViperSoftX PowerShell payload hidden as a log file
- XML file (task scheduler)
- A schedule task is created, and persistence is established using the VBS file
- Cracked application binary
- manifested file
The log file will usually be more than 5 MB and contains a single malicious line of code. This file will be stored under different names such as “driver” or “log” or a “text” file.
ViperSoftX malware is very skilled in hiding itself. Before executing the payload, it is protected by 8 layers of code obfuscation. 3 major types of obfuscation techniques used are:
- AES decryption: this will be the first layer
- Converting char arrays: usually, the 3rd layer and has a simple functionality of calculating a hard coded array of characters.
- UTF8 Decoding: this contains multiple code snippets, this type of decoding is the most recurring DE obfuscation layer
ViperSoftX achieves persistence by creating a copy of itself in %APPDATA%. The attacker also tries to make it look trustable by using legitimate names such as vpn_port.dll, and install.sig etc. The malware also drops another script file and creates a shortcut in the startup directory to invoke it. This is a VBS script file that later executes ViperSoftX.
Features of ViperSoftX Malware
The primary features of ViperSoftX include the following,
- Stealing cryptocurrency
- Fingerprinting the infected machine
- Computer name and Username
- OS information and its architecture
- Any antivirus or other security software Installed and whether the solution is active or not.
- Clipboard swapping
- Command execution
- Downloading and executing payloads
As we already mentioned, one of the critical payloads used by ViperSoftX is the chromium-based browser extension VenomSoftX. This extension has multiple unique features which provide complete access to every website the victim visit. It also could execute man-in-the-browser attacks to steal cryptocurrency by tampering with crypto addresses (API request tampering) on popular cryptocurrency exchanges. The stolen information and fingerprint are concatenated into one string, further encoded by base 64, and is shared with the hardcoded C&C server.
ViperSoftX scans the copied clipboard text content using predefined regular expressions, and if the expression matches any configured wallet address, the malware replaces the content with the attacker address notification to command and control. This is done in the X-notify HTTP header in the below format ‘Cryptocurrency type – victim’s address – attacker’s address.’
The attacker hides the malware as a chrome browser extension masqueraded as “Google Sheets 2.1” which is supposed to be a google productivity app.
ViperSoftX as a RAT (Remote Access Trojan)
ViperSoftX also provides RAT functionalities such as executing arbitrary commands downloading arbitrary payloads and executing itself, removing itself entirely from the system, etc. The malware can create an infinite loop and execute commands after every 3 seconds of sleep.
ViperSoftX passes information to the CNC server via the HTTP header, Where it provides OS information, computer name, username, etc. The commands implemented by ViperSoftX are:
|Cmd||Runs a command through cmd.exe.||1. Command line|
|DwnlExe||Runs a PowerShell script that downloads an additional file to a specified location under %TEMP%, sleeps for 20 seconds, and then executes the downloaded payload.||1. URL to download the file from 2. Path to save the file to|
|DwnlOnly||Downloads a file to predefined folders. Optionally, despite the name of the command, it executea the downloaded payload, like DwnlExe.||1. URL from which to download the file 2. Name to save the file as. It is appended to the predefined folder path 3. Predefined destination folder: Startup, Temp, or Desktop 4. Boolean flag that indicates whether to also execute the file|
|SelfRemove||Executes PowerShell one liners to delete the script from %APPDATA%, the VBScript and shortcut in the startup directory.|
|UpdateS||Removes all persistence for the current version and executes the new downloaded JS file.||1. URL to download the file from 2. Path to save the file to|
How to protect from ViperSoftX Malware?
Any communication with the IOCs mentioned should be monitored closely to avoid damage to the organization.
Indicator of Compromise (IOC) of ViperSoftX Malware
|Hidden log script first variant||0bad2617ddb7586637ad81aaa32912b78497daf1f69eb9eb7385917b2c8701c2|
|Hidden log script second variant||0cb5c69e8e85f44725105432de551090b28530be8948cc730e4b0d901748ff6f|
|ViperSoftX’s browser installer||5c5202ed975d6647bd157ea494d0a09aac41d686bcf39b16a870422fa77a9add|
- T1027 (Obfuscated Files or Information)
- T1059.001 (PowerShell)
- T1115 (Clipboard Data)
- T1140 (Deobfuscate/Decode Files or Information)
- T1176 (Browser Extensions)
- T1189 (Drive-by Compromise)
- T1204.002 (Malicious File)
- T1496 (Resource Hijacking)
List of wallet addresses