The sophisticated malware known as ViperSoftX has been observed being distributed as eBooks over torrents.
"A notable aspect of the current variant of ViperSoftX is that it uses the Common Language Runtime (CLR) to dynamically load and run PowerShell commands, thereby creating a PowerShell environment within AutoIt for operations," Trellix security researchers Mathanraj Thangaraju and Sijo Jacob said.
"By utilizing CLR, ViperSoftX can seamlessly integrate PowerShell functionality, allowing it to execute malicious functions while evading detection mechanisms that might otherwise flag standalone PowerShell activity."
Initially detected by Fortinet in 2020, ViperSoftX is known for its ability to exfiltrate sensitive information from compromised Windows hosts. Over the years, the malware has become a telling example of threat actors continuously reworking their tactics to stay stealthy and circumvent defenses.
This is exemplified by the increased complexity and the adoption of advanced anti-analysis techniques such as byte remapping and web browser communication blocking, as documented by Trend Micro in April 2023.
As recently as May 2024, malicious campaigns have leveraged ViperSoftX as a delivery vehicle to distribute Quasar RAT and another information stealer named TesseractStealer.
Attack chains propagating the malware are known to employ cracked software and torrent sites, but the use of eBook lures is a newly observed approach. Present within the supposed eBook RAR archive file is a hidden folder as well as a deceptive Windows shortcut file that purports to be a benign document.
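The lure layout described above (an archive containing a hidden folder plus a shortcut named like a document) is something a triage script can check for before anyone double-clicks. The following is an added example written for this page, not code from Trellix or from the malware. It builds a constructed ZIP with that layout in memory (Python's standard library has no RAR reader; the rarfile package exposes the same host attributes for RAR) and flags two things: entries carrying the MS-DOS hidden attribute, and entries whose content starts with the Windows shortcut (.lnk) header, including ones whose name ends in a document extension. The folder and file names inside the sample are hypothetical.

```python
"""Triage an eBook-lure archive: find hidden entries and shortcuts posing as
documents. Added example for this page; the archive contents are constructed."""
import io
import zipfile

# MS-DOS attribute bits live in the low byte of ZipInfo.external_attr
DOS_HIDDEN = 0x02
DOS_DIRECTORY = 0x10

# Shell link header: HeaderSize 0x4C followed by CLSID 00021401-0000-0000-C000-000000000046
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "0000" "0000" "c000" "000000000046")

# Extensions a shortcut is likely to imitate. Windows always hides ".lnk" in
# Explorer, so "Book.pdf.lnk" is displayed as "Book.pdf".
DOC_EXTS = (".pdf", ".epub", ".mobi", ".txt", ".doc", ".docx")


def build_sample_archive() -> bytes:
    """Constructed lure mimicking the layout the page describes (hypothetical names)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        hidden_dir = zipfile.ZipInfo("Some_Book/.res/")
        hidden_dir.external_attr = (0o040755 << 16) | DOS_DIRECTORY | DOS_HIDDEN
        zf.writestr(hidden_dir, b"")

        hidden_file = zipfile.ZipInfo("Some_Book/.res/loader.au3")
        hidden_file.external_attr = (0o100644 << 16) | DOS_HIDDEN
        zf.writestr(hidden_file, b"; placeholder for the AutoIt stage (constructed)\n")

        # Shortcut with a document-looking double extension; body is a bare LNK header
        zf.writestr("Some_Book/Some_Book.pdf.lnk", LNK_MAGIC + b"\x00" * 56)

        # A benign-looking file that should not be flagged
        zf.writestr("Some_Book/cover.jpg", b"\xff\xd8\xff")
    return buf.getvalue()


def triage(archive: bytes) -> list[tuple[str, str]]:
    """Return (entry name, reason) pairs for suspicious entries in an in-memory ZIP."""
    findings: list[tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            name = info.filename
            if (info.external_attr & 0xFF) & DOS_HIDDEN:
                findings.append((name, "hidden attribute set"))
            if info.is_dir():
                continue
            # Identify shortcuts by content, not by extension, so renamed ones are caught too
            if zf.read(info)[: len(LNK_MAGIC)] == LNK_MAGIC:
                shown = name[:-4] if name.lower().endswith(".lnk") else name
                if shown.lower().endswith(DOC_EXTS):
                    findings.append((name, "shortcut masquerading as document"))
                else:
                    findings.append((name, "Windows shortcut in archive"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(build_sample_archive()):
        print(f"{reason:36} {entry}")
```

A shortcut inside an eBook archive has no legitimate reason to exist; on its own it is a strong enough signal to quarantine the download, and the hidden-folder check adds the second half of the pattern the report describes.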
Executing the shortcut file starts a multi-stage infection chain. The shortcut first extracts PowerShell code that unhides the concealed folder and establishes persistence on the system. That persistence launches an AutoIt script which, through the .NET CLR, decrypts and runs a secondary PowerShell script: ViperSoftX itself.
"AutoIt does not by default support the .NET Common Language Runtime (CLR)," the researchers said. "However, the language's user-defined functions (UDF) offer a gateway to the CLR library, granting malevolent actors access to PowerShell's formidable capabilities."
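The practical consequence of hosting the PowerShell engine inside AutoIt is that there is no powershell.exe process to alert on; what remains is an unexpected process loading the CLR and System.Management.Automation. The detection logic below is an added example written for this page, not part of the Trellix report, and runs over constructed Sysmon records in JSON-lines form (Event ID 1 ProcessCreate and Event ID 7 ImageLoad; the field names follow Sysmon's, the values, paths and PIDs are made up). It flags any process outside an allowlist of PowerShell hosts that loads the engine DLL, and notes whether the host's PE description identifies it as the AutoIt interpreter, which also catches a renamed AutoIt3.exe.

```python
"""Flag non-PowerShell processes that load the PowerShell engine.
Added example for this page; the Sysmon events below are constructed."""
import json
from collections import defaultdict

# Images for which loading the PowerShell engine is expected. Tune per estate.
EXPECTED_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
ENGINE_DLLS = {"system.management.automation.dll", "system.management.automation.ni.dll"}
CLR_DLLS = {"clr.dll", "coreclr.dll", "mscoree.dll"}

# Constructed Sysmon events (EventID 1 = ProcessCreate, 7 = ImageLoad), one JSON object per line
SAMPLE_EVENTS = r"""
{"EventID":1,"ProcessId":4312,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","Description":"Windows PowerShell"}
{"EventID":7,"ProcessId":4312,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ImageLoaded":"C:\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll"}
{"EventID":1,"ProcessId":5120,"Image":"C:\\Users\\victim\\Downloads\\Some_Book\\.res\\AutoIt3.exe","Description":"AutoIt v3 Script"}
{"EventID":7,"ProcessId":5120,"Image":"C:\\Users\\victim\\Downloads\\Some_Book\\.res\\AutoIt3.exe","ImageLoaded":"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\clr.dll"}
{"EventID":7,"ProcessId":5120,"Image":"C:\\Users\\victim\\Downloads\\Some_Book\\.res\\AutoIt3.exe","ImageLoaded":"C:\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll"}
{"EventID":1,"ProcessId":6000,"Image":"C:\\Windows\\explorer.exe","Description":"Windows Explorer"}
{"EventID":7,"ProcessId":6000,"Image":"C:\\Windows\\explorer.exe","ImageLoaded":"C:\\Windows\\System32\\ntdll.dll"}
"""


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_engine_hosting(events_jsonl: str) -> list[dict]:
    """Return one finding per process that loads the PowerShell engine
    without being one of the expected PowerShell host images."""
    procs: dict[int, dict] = {}            # pid -> {"Image", "Description"}
    loads: dict[int, set] = defaultdict(set)  # pid -> lowercased basenames of loaded DLLs

    for line in events_jsonl.strip().splitlines():
        ev = json.loads(line)
        pid = ev["ProcessId"]
        if ev["EventID"] == 1:
            procs[pid] = {"Image": ev["Image"], "Description": ev.get("Description", "")}
        elif ev["EventID"] == 7:
            # Fall back to the ImageLoad record if the ProcessCreate was not seen
            procs.setdefault(pid, {"Image": ev["Image"], "Description": ""})
            loads[pid].add(_basename(ev["ImageLoaded"]))

    findings = []
    for pid, dlls in loads.items():
        engine = dlls & ENGINE_DLLS
        if not engine:
            continue
        image = _basename(procs[pid]["Image"])
        if image in EXPECTED_HOSTS:
            continue
        desc = procs[pid]["Description"]
        findings.append({
            "ProcessId": pid,
            "Image": procs[pid]["Image"],
            "Description": desc,
            "engine": sorted(engine),
            "clr_loaded": bool(dlls & CLR_DLLS),
            # PE description survives renaming the interpreter binary
            "autoit_host": "autoit" in image or "autoit" in desc.lower(),
        })
    return findings


if __name__ == "__main__":
    for f in detect_engine_hosting(SAMPLE_EVENTS):
        print(json.dumps(f, indent=2))
```

The allowlist will need local tuning (management consoles and some IDEs host the engine legitimately), but an interpreter running out of a Downloads folder is rarely on that list. Because the report says the malware patches AMSI before running its PowerShell, content-based signals from the script itself cannot be relied on; this module-load view does not depend on them.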
ViperSoftX harvests system information, scans for cryptocurrency wallets via browser extensions, captures clipboard contents, and dynamically downloads and runs additional payloads and commands based on responses received from a remote server. It also comes with self-deletion mechanisms to hinder detection.
"One of the hallmark features of ViperSoftX is its adept use of the Common Language Runtime (CLR) to orchestrate PowerShell operations within the AutoIt environment," the researchers said. "This integration enables seamless execution of malicious functions while evading detection mechanisms that would typically flag standalone PowerShell activity."
"Furthermore, ViperSoftX's ability to patch the Antimalware Scan Interface (AMSI) before executing PowerShell scripts underscores its determination to circumvent traditional security measures."
References
[1]https://thehackernews.com/2024/07/vipersoftx-malware-disguises-as-ebooks.html
Originally published by the WeChat public account 知机安全: ViperSoftX malware disguised as eBooks spreads via torrents for stealthy attacks