Analyzing ViperSoftX: The Use of CLR and AutoIt for Stealthy Malware Operations

Introduction

The ViperSoftX info-stealing malware has evolved, now utilizing the common language runtime (CLR) to covertly execute PowerShell commands within AutoIt scripts. This sophisticated approach allows ViperSoftX to bypass traditional security measures and remain undetected, posing a significant threat to cybersecurity.

Leveraging CLR and AutoIt for Stealth Operations

CLR, a core component of Microsoft’s .NET Framework, functions as the execution engine for .NET applications. ViperSoftX exploits CLR to load code within AutoIt, a scripting language commonly used for automating Windows tasks and typically trusted by security solutions. By doing so, ViperSoftX masks its malicious activities, blending into legitimate system operations.

Enhanced Sophistication in Latest Variants

Researchers have identified that the latest versions of ViperSoftX include modified offensive scripts to enhance the malware's capabilities. These modifications reflect an increase in sophistication, making the malware more challenging to detect and mitigate.

Infection Chain: How ViperSoftX Spreads

ViperSoftX has been active since at least 2020 and is primarily distributed through torrent sites. It is often disguised as ebooks, delivering malicious RAR archives containing decoy files and scripts. Once a victim executes the .LNK file within the archive, the infection process begins. This file loads a PowerShell script that hides commands in blank spaces, automatically executing them in the Command Prompt.

The script then moves two files (zz1Cover2.jpg and zz1Cover3.jpg) to the %APPDATA%\Microsoft\Windows directory. One of these files is the AutoIt executable, renamed AutoIt3.exe. To ensure persistence, the script configures the Task Scheduler to run AutoIt3.exe every five minutes after user login.

Stealthy Operation and Evasion Techniques

By loading and executing PowerShell commands within the AutoIt environment using CLR, ViperSoftX evades detection. Although AutoIt does not natively support .NET CLR, users can define functions to invoke PowerShell commands indirectly. ViperSoftX employs heavy Base64 obfuscation and AES encryption to conceal commands within PowerShell scripts extracted from image decoy files.

Additionally, the malware includes a function to modify the memory of the Antimalware Scan Interface (AMSI) function (‘AmsiScanBuffer’) to bypass security checks on the scripts.

Network Communication and Data Theft

ViperSoftX uses deceptive hostnames like ‘security-microsoft.com’ for network communication. To avoid detection, system information is encoded in Base64 and transmitted via a POST request with a content length of “0,” making the data transfer appear benign.

The primary objective of ViperSoftX is to steal sensitive data from compromised systems, including:

Mitigation and Defense Strategies

ViperSoftX represents a sophisticated and agile threat, leveraging advanced evasion tactics to bypass traditional security mechanisms. A comprehensive defense strategy encompassing detection, prevention, and response capabilities is essential to counteract such modern threats.

Conclusion

ViperSoftX's ability to evade detection using CLR and AutoIt scripting highlights the evolving nature of malware threats. Understanding and addressing these sophisticated tactics is crucial for effective cybersecurity. Organizations must adopt robust security measures, including digital footprint analysis and online risk evaluation, to protect against such advanced threats.

About Foresiet!

Foresiet is the pioneering force in digital security solutions, offering the first integrated Digital Risk Protection SaaS platform. With 24x7x365 dark web monitoring and proactive threat intelligence, Foresiet safeguards against data breaches and intellectual property theft. Our robust suite includes brand protection, takedown services, and supply chain assessment, enhancing your organization's defense mechanisms. Attack surface management is a key component of our approach, ensuring comprehensive protection across all vulnerable points. Compliance is assured through adherence to ISO27001, NIST, GDPR, PCI, SOX, HIPAA, SAMA, CITC, and Third Party regulations. Additionally, our advanced antiphishing shield provides unparalleled protection against malicious emails. Trust Foresiet to empower your organization to navigate the digital landscape securely and confidently.