FortiGuard Labs Threat Analysis
Affected Platforms: Windows
Impacted Users: Any Windows users
Threat Severity: High – allows the attacker to gain remote access.
ViperSoftX unravels 8 layers of code obfuscation before executing its actual payload. Three different types of obfuscation technique are employed:
Another effective method used to thwart analysis of this malware is appending a non-ASCII character at the end of the script, which triggers encoding exceptions in most existing debuggers and basic deobfuscation tools.
ViperSoftX starts by placing a copy of itself under %APPDATA%. The author attempts to disguise the malicious script with seemingly legitimate file names such as vpn_port.dll, reg.converter.sys, install.sig, and install.db.
To establish persistence, the malware drops another script file under %APPDATA% and creates a shortcut in the Startup directory to invoke it. The dropped file is a VBScript, which in turn executes ViperSoftX:
' Dropped launcher: runs the disguised JavaScript file through wscript.exe.
' /E:jscript selects the JScript engine explicitly, so the payload can keep a
' non-script extension such as .dll or .sig.
Set WshShell = WScript.CreateObject("WScript.Shell")
Obj = WshShell.Run("wscript.exe /E:jscript ""[PATH TO THE JS FILE]""")
Set WshShell = Nothing
Figure 1: Dropped VBScript
After establishing persistence, ViperSoftX queries the C&C server for a command to execute. It does so in an infinite loop, sleeping for 3 seconds after each command execution.
The requests are sent in plain text as HTTP PUT requests to hxxp://seko[.]vipers[.]pw:8880/connect.
ViperSoftX passes machine information to the C&C server in HTTP headers. The X-Header field (a non-standard header) is set to a hardcoded version string, and the User-Agent header is set to machine information that includes:
The hardcoded version string format is as follows:
Vress = "viperSoftx_x.x.x.x"
We found no differences between files carrying different version strings. Since the version is sent to the server, we assume it acts as a tag for the different operations or campaigns being carried out.
The response received from the server is a string that is split into an array representing the command to execute and its parameters. The commands currently implemented by ViperSoftX are:
| Command | Description | Parameters |
|---|---|---|
| Cmd | Runs a command through cmd.exe. | 1. Command line |
| DwnlExe | Runs a PowerShell script that downloads an additional file to a specified location under %TEMP%, sleeps for 20 seconds, and then executes the downloaded payload. | 1. URL to download the file from 2. Path to save the file to |
| DwnlOnly | Downloads a file to a predefined folder. Optionally, despite the name of the command, it executes the downloaded payload, like DwnlExe. | 1. URL to download the file from 2. Name to save the file as, appended to the predefined folder path 3. Predefined destination folder: Startup, Temp, or Desktop 4. Boolean flag indicating whether to also execute the file |
| SelfRemove | Executes PowerShell one-liners to delete the script from %APPDATA%, and the VBScript and shortcut in the Startup directory. | (none) |
| UpdateS | Removes all persistence for the current version and executes the newly downloaded JS file. | 1. URL to download the file from 2. Path to save the file to |
The output of commands executed on the victim machine is not returned to the server.
One of ViperSoftX's goals is to steal cryptocurrency. After every command execution, it therefore checks the clipboard contents using the following code:
It then checks whether the content matches either of two regex patterns, one for a Bitcoin address and one for an Ethereum address. If there is a match, and the address differs from the addresses hardcoded in ViperSoftX, it replaces the clipboard data with its own address.
How the clipboard is overwritten depends on the OS version. On Windows 10 it uses PowerShell's Set-Clipboard cmdlet (alias scb). Otherwise, it runs cmd.exe as follows, where the echo|set /p= construct pipes the address to clip.exe without a trailing newline:
cmd.exe /c echo|set /p=[address to set]|clip
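The clipboard-swapping behaviour described above, with a matching endpoint-side detection heuristic, as an added example; this is not code from the original analysis or from ViperSoftX itself. The address regexes are assumptions (the analysis says two patterns exist but does not print them), the "attacker" wallets are constructed placeholders, and the snapshot timeline is made up to show what a clipboard monitor polling at the clipper's own 3-second cadence would record.

```python
import re

# Address patterns: assumption standing in for the malware's real regexes.
BTC_RE = re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{39,59})$")
ETH_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")


def address_kind(text: str):
    """Classify clipboard text as 'btc', 'eth', or None."""
    s = text.strip()
    if BTC_RE.match(s):
        return "btc"
    if ETH_RE.match(s):
        return "eth"
    return None


# Constructed placeholders standing in for the hardcoded wallets; not the real addresses.
ATTACKER = {
    "btc": "13ConstructedAttackerBtcDestDummyXY",
    "eth": "0x" + "deadbeef" * 5,
}


def clipper_poll(clipboard: str, attacker: dict) -> str:
    """One pass of the described clipper: if the clipboard holds an address of a kind the
    operator has a wallet for, and it is not already that wallet, replace it."""
    kind = address_kind(clipboard)
    if kind and clipboard.strip() != attacker[kind]:
        return attacker[kind]
    return clipboard


def detect_swaps(snapshots, max_gap=10.0):
    """Heuristic over timed clipboard snapshots [(seconds, text), ...].
    Flags an address of one kind being replaced by a different address of the same
    kind within max_gap seconds: users rarely copy two different wallets that fast,
    while a clipper polling every few seconds does exactly this."""
    alerts = []
    for (t0, before), (t1, after) in zip(snapshots, snapshots[1:]):
        kind = address_kind(before)
        if (kind and kind == address_kind(after)
                and before.strip() != after.strip()
                and 0 <= t1 - t0 <= max_gap):
            alerts.append({"kind": kind, "at": t1,
                           "from": before.strip(), "to": after.strip()})
    return alerts


# Constructed clipboard timeline (not captured data).
VICTIM_BTC = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"
VICTIM_ETH = "0x742d35Cc6634C0532925a3b844Bc454e4438f44e"
SNAPSHOTS = [
    (0.0, "agenda for monday"),
    (3.0, VICTIM_BTC),                          # user copies a payee's address
    (6.0, clipper_poll(VICTIM_BTC, ATTACKER)),  # next poll: clipper has replaced it
    (30.0, VICTIM_ETH),
    (33.0, clipper_poll(VICTIM_ETH, ATTACKER)),
    (120.0, "https://example.org/invoice/42"),
]

if __name__ == "__main__":
    for a in detect_swaps(SNAPSHOTS):
        print(f"[{a['at']:>6.1f}s] {a['kind']} address swapped: {a['from']} -> {a['to']}")
```

On a real host the snapshots would come from polling the clipboard (for instance Get-Clipboard in PowerShell) on a timer; the heuristic only needs the timestamps and the text, and tightening max_gap trades missed swaps for fewer false positives.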
After examining the Bitcoin and Ethereum addresses hardcoded in the malware, we can conclude the following:
The current total balance of all the wallets mentioned above stands at 32,858.98 USD. While this is not a significant amount, it comes from a single campaign of a newly discovered threat that has operated for only a short while, and may be just the start of bigger, more successful campaigns. Also, as this threat has RAT capabilities, we don't know whether this was the threat actor's only goal; the actor might, for example, also be selling stolen data.
The following Ethereum activity graphs also indicate the campaign's activity phases and reflect the steady growth of ViperSoftX activity since late 2019, along with a stable increase in revenue since it was first detected in the wild:
While its functionality is rather simple, its download-and-execute capability makes it a threat that defenders should monitor closely in case its operators decide to use it as a platform for additional operations by leveraging its RAT functionality. It could potentially be used to deliver any other kind of payload, such as ransomware.
It’s also possible that we are only seeing the first stages of ViperSoftX. If it is still in active development we might encounter more advanced and sophisticated versions of it in the future.
FortiEDR detects and blocks ViperSoftX out-of-the-box without any prior knowledge or special configuration.
FortiGuard IPS detects ViperSoftX as JS/ViperSoft.A!tr
FortiGuard Web filtering categorizes the network IOC as Malicious Websites
ViperSoftX can also be detected easily with standard network monitoring. Its plain-text communication, together with its use of a non-standard header, makes it stand out from otherwise normal traffic.
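The beacon shape described earlier (plain-text HTTP PUT to /connect on port 8880, a hardcoded viperSoftx_x.x.x.x tag in the non-standard X-Header, machine information in User-Agent) turned into detection logic over request records, as an added example rather than FortiGuard's own signature or a vendor log schema. The record field names are this example's own, the version-tag regex and the "does not look like a browser User-Agent" signal are assumptions, and the sample requests are constructed: the analysis does not show the User-Agent layout, so the one used here is invented.

```python
import re
from dataclasses import dataclass

# Refang the defanged C2 host from the analysis.
KNOWN_C2_HOST = "seko[.]vipers[.]pw".replace("[.]", ".")
KNOWN_C2_PORT = 8880

# Hardcoded tag format "viperSoftx_x.x.x.x"; case-insensitive matching is an assumption,
# since other builds may differ in casing.
VERSION_TAG_RE = re.compile(r"^viperSoftx_\d+\.\d+\.\d+\.\d+$", re.IGNORECASE)


@dataclass(frozen=True)
class HttpRequest:
    """One HTTP request as a proxy or NSM sensor might export it (field names assumed)."""
    src: str
    host: str
    port: int
    method: str
    uri: str
    headers: dict


def beacon_indicators(req: HttpRequest) -> list[str]:
    """Return the ViperSoftX beacon indicators present in one request."""
    hdrs = {k.lower(): v for k, v in req.headers.items()}
    hits = []
    if req.method.upper() == "PUT" and req.uri == "/connect":
        hits.append("put-connect")
    if req.host.lower() == KNOWN_C2_HOST:
        hits.append("known-c2-host")
    if req.port == KNOWN_C2_PORT:
        hits.append("c2-port-8880")
    if VERSION_TAG_RE.match(hdrs.get("x-header", "")):
        hits.append("x-header-version-tag")
    ua = hdrs.get("user-agent", "")
    # The real User-Agent carries machine information, not a browser string; treating a
    # non-browser UA as a weak supporting signal is an assumption.
    if ua and not ua.startswith("Mozilla/"):
        hits.append("non-browser-user-agent")
    return hits


def is_viperx_beacon(req: HttpRequest) -> bool:
    """PUT /connect alone is generic; also require the version tag or the known host."""
    hits = beacon_indicators(req)
    return "put-connect" in hits and (
        "x-header-version-tag" in hits or "known-c2-host" in hits)


def find_beacons(requests) -> list[str]:
    """Sorted source addresses of hosts whose traffic matched the beacon shape."""
    return sorted({r.src for r in requests if is_viperx_beacon(r)})


# Constructed sample traffic (not captured data); the User-Agent content is invented.
SAMPLE_REQUESTS = [
    HttpRequest("10.0.0.5", "seko.vipers.pw", 8880, "PUT", "/connect",
                {"X-Header": "viperSoftx_1.0.0.0",
                 "User-Agent": "DESKTOP-AB12CD|alice|Windows 10 Pro|x64"}),
    HttpRequest("10.0.0.7", "api.example.com", 443, "PUT", "/connect",
                {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"}),
    HttpRequest("10.0.0.9", "www.example.org", 80, "GET", "/index.html",
                {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"}),
]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        flag = "BEACON" if is_viperx_beacon(r) else "-"
        print(f"{r.src} -> {r.host}:{r.port} {flag} {beacon_indicators(r)}")
```

The known host and port will change between campaigns; the X-Header tag and the plain-text PUT /connect pattern are the parts worth keeping in a signature, with the User-Agent check as a tie-breaker rather than a trigger.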
In addition, as part of our membership in the Cyber Threat Alliance, details of this threat were shared in real time with other Alliance members to help create better protections for customers.
C&C Server Domain Name - seko[.]vipers[.]pw
Bitcoin address -
Ethereum address -