The new version of the ViperSoftX infostealer malware uses the common language runtime (CLR) to load and execute PowerShell commands within AutoIt scripts, bypassing security solutions.
CLR is a core part of Microsoft’s .NET Framework, acting as the execution engine and runtime environment for .NET applications. Based on reports, ViperSoftX leverages the CLR to load code into AutoIt, a scripting language for automating Windows tasks that security solutions commonly trust.
Moreover, researchers found that the malware’s developers have reworked the malicious scripts in the latest versions to make the malware more sophisticated.
Hackers could allegedly acquire the ViperSoftX malware on torrent sites.
According to investigations, the ViperSoftX developers now distribute this infostealer on torrent sites as ebooks. Each download contains a malicious RAR archive with a decoy PDF or ebook file, a PowerShell script, a shortcut (.LNK) file, and disguised AutoIt scripts.
Researchers state that the infection begins when the victim opens and runs the .LNK file. This loads the PowerShell script, which hides the commands it runs automatically in the Command Prompt behind long runs of blank spaces. The PS script then drops two malicious files with .jpg extensions into the %APPDATA%\Microsoft\Windows directory; one of them is the AutoIt interpreter, which is renamed AutoIt3.exe.
The threat actors then use the same script to create a Task Scheduler entry that runs AutoIt3.exe every five minutes after the user signs in, establishing persistence on the compromised device. The infostealer also attempts to avoid detection by utilising the CLR to load and run PowerShell commands from within the AutoIt environment.
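A defender-side hunt for the persistence pattern described above, added here as an example and not part of the original article: it lists scheduled tasks whose action points at an executable under %APPDATA%\Microsoft\Windows and that fire on logon or with a short repetition interval. The path, the 10-minute threshold and the function name are assumptions for illustration.

```powershell
# Added example (not from the article): flag scheduled tasks that match the
# described persistence pattern (executable under %APPDATA%\Microsoft\Windows,
# logon trigger and/or a repetition interval of a few minutes).
function Find-SuspiciousAppDataTask {
    param(
        [string]   $SuspectRoot = (Join-Path $env:APPDATA 'Microsoft\Windows'),  # assumed location
        [TimeSpan] $MaxInterval = [TimeSpan]::FromMinutes(10)                    # assumed threshold
    )

    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # Only Exec actions carry an Execute path; skip COM handler and other action types.
            if (-not $action.Execute) { continue }
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
            if ($exe -notlike "$SuspectRoot*") { continue }

            foreach ($trigger in $task.Triggers) {
                # Repetition.Interval is an ISO 8601 duration string such as "PT5M".
                $interval = $null
                if ($trigger.Repetition -and $trigger.Repetition.Interval) {
                    $interval = [System.Xml.XmlConvert]::ToTimeSpan($trigger.Repetition.Interval)
                }
                $isLogon = $trigger.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger'
                $isShort = $interval -and ($interval -le $MaxInterval)

                [pscustomobject]@{
                    TaskName    = $task.TaskName
                    TaskPath    = $task.TaskPath
                    Executable  = $exe
                    Arguments   = $action.Arguments
                    TriggerType = $trigger.CimClass.CimClassName
                    Interval    = $interval
                    Suspicious  = ($isLogon -or $isShort)
                }
            }
        }
    } | Where-Object Suspicious
}

Find-SuspiciousAppDataTask | Format-Table -AutoSize
```

Run it in an elevated session to see tasks registered by other users; a hit is a lead for triage (check the file's signature and hash), not proof of infection on its own.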
This tactic works even though AutoIt has no native support for the .NET CLR, because users can write functions that invoke PowerShell commands indirectly. ViperSoftX also applies heavy Base64 obfuscation and AES encryption to conceal the commands in the PowerShell scripts extracted from the decoy image files.
The malware further includes a feature that patches the Antimalware Scan Interface (AMSI) function in memory, allowing its scripts to bypass security scanning. ViperSoftX communicates over the network using deceptive host names such as ‘security-microsoft.com’.
Lastly, to avoid detection, system information is Base64-encoded and sent via a POST request with a content length of “0.” This strategy lets the threat actor avoid raising suspicion among users and security solutions.