Researchers have found new advancements in the ViperSoftX info-stealing malware, which was first discovered in 2020. This malware has become more sophisticated, using advanced techniques to avoid detection. One of its new methods is using the Common Language Runtime (CLR) to run PowerShell commands within AutoIt scripts, which are spread through pirated eBooks. This clever approach helps the malware to hide within normal system activities, making it harder for security software to detect.
How ViperSoftX Spreads
ViperSoftX spreads through torrent sites by pretending to be eBooks. The infection starts when users download a RAR archive that includes a hidden folder, a deceptive shortcut file that looks like a harmless PDF or eBook, and a PowerShell script. The archive also contains AutoIt.exe and AutoIt script files disguised as simple JPG image files. When a user clicks the shortcut file, it sets off a series of commands, starting with listing the contents of “zz1Cover4.jpg.” These commands are hidden within blank spaces and executed by PowerShell, performing various malicious actions.
What the Malware Does
According to researchers from Trellix, the PowerShell code performs several tasks, such as unhiding the hidden folder, calculating the total size of all disk drives, and setting up Windows Task Scheduler to run AutoIt3.exe every five minutes after the user logs in. This ensures the malware remains active on infected systems. Additionally, the malware copies two files to the %APPDATA%MicrosoftWindows directory,
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.