ViperSoftX: Info-stealing malware targeting cryptocurrency wallets and password managers

ViperSoftX, a malware that steals cryptocurrencies and personal data, has been circulating since 2020 through malicious email attachments, shady software downloads, and exploit kits. Following infection, the malware works covertly in the background to try to gather sensitive data without the user’s knowledge or consent. The malware is also known for installing a malicious extension named VenomSoftX on the Chrome browser.

ViperSoftX is distributed using cracked software, key generators, and non-malicious software, and it performs several tests before downloading an initial-stage PowerShell loader. The decrypted second-stage PowerShell script is then run to install malicious browser extensions that potentially steal passwords and cryptocurrency wallet information from the Google Chrome, Mozilla Firefox, Microsoft Edge, Brave, and Opera browsers.

A new version of the ViperSoftX information-stealing malware has been discovered with a broader range of targets, including the KeePass and 1Password password managers. To make matters worse, the most recent version of ViperSoftX uses greater code encryption and different evasion strategies to avoid detection by security software. These developments improve the malware’s ability to stay undetected and increase the efficiency of its data-stealing operations. Based on the analysts’ observations, the malware typically arrives as software cracks, activators, or key generators, hiding within benign-appearing software.

Upon arrival, the malware also checks for specific virtualization and monitoring tools like VMware or Process Monitor and antivirus products like Windows Defender and ESET before it proceeds with the infection routine. ViperSoftX uses “byte mapping,” which reorders the shellcode bytes, to impede decryption and analysis. Since each sideloader DLL in the malware has its own executable and byte map, using the wrong DLL results in shellcode that is incorrectly rearranged, making decryption without the correct DLL far more difficult. Additionally, ViperSoftX includes a new communication blocker in web browsers that makes it more challenging to analyze the command and control (C2) architecture and find fraudulent traffic.
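The triage consequence of per-DLL byte maps, shown as an added Python example that is not code from the original article or from the malware: a reordered blob only restores cleanly with the map from its own DLL. The positional-permutation model, the `STAGE2:` marker, the CRC trailer, and the `dll_a`/`dll_b`/`dll_c` names are all constructed assumptions, since the article does not describe the real map format.

```python
import random
import zlib

MARKER = b"STAGE2:"  # constructed marker, not a real ViperSoftX value

def make_byte_map(seed: int, length: int) -> list[int]:
    """Constructed stand-in for the byte map carried by one sideloader DLL."""
    order = list(range(length))
    random.Random(seed).shuffle(order)
    return order

def apply_map(data: bytes, byte_map: list[int]) -> bytes:
    """Reorder bytes: output[i] = data[byte_map[i]] (assumed model)."""
    return bytes(data[j] for j in byte_map)

def invert_map(blob: bytes, byte_map: list[int]) -> bytes:
    """Undo apply_map; only correct when byte_map is the one used to reorder."""
    out = bytearray(len(blob))
    for i, j in enumerate(byte_map):
        out[j] = blob[i]
    return bytes(out)

def looks_valid(buf: bytes) -> bool:
    """Analyst-side sanity check: expected marker plus CRC32 trailer over the body."""
    body, crc = buf[:-4], buf[-4:]
    return buf.startswith(MARKER) and zlib.crc32(body).to_bytes(4, "big") == crc

def matching_dlls(blob: bytes, maps: dict[str, list[int]]) -> list[str]:
    """Names of the DLL maps that restore the blob to a buffer passing the check."""
    return [name for name, m in maps.items()
            if len(m) == len(blob) and looks_valid(invert_map(blob, m))]

# Constructed sample data: benign bytes standing in for the mapped payload.
_body = MARKER + b"benign constructed test bytes 0123456789"
PAYLOAD = _body + zlib.crc32(_body).to_bytes(4, "big")
MAPS = {name: make_byte_map(seed, len(PAYLOAD))
        for name, seed in [("dll_a", 1), ("dll_b", 2), ("dll_c", 3)]}
BLOB = apply_map(PAYLOAD, MAPS["dll_b"])  # blob paired with dll_b only

if __name__ == "__main__":
    for name, m in MAPS.items():
        restored = invert_map(BLOB, m)
        print(f"{name}: valid={looks_valid(restored)} head={restored[:16]!r}")
    print("matching map(s):", matching_dlls(BLOB, MAPS))
```

For incident responders, this is why the sideloader DLL and its paired files should be collected and kept together as one evidence set.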

ViperSoftX is an elusive information-stealing malware that has affected victims in the consumer and business sectors in Australia, Japan, the U.S., India, Taiwan, Malaysia, France, Italy, and Pakistan.
