ViperSoftX malware disguised as eBooks spreads via torrents in stealthy attacks

admin · 11 July 2024 11:38:30 · 14 views

The sophisticated malware known as ViperSoftX has been observed being distributed as eBooks over torrents.

"A notable aspect of the current variant of ViperSoftX is that it uses the Common Language Runtime (CLR) to dynamically load and run PowerShell commands, thereby creating a PowerShell environment within AutoIt for operations," Trellix security researchers Mathanraj Thangaraju and Sijo Jacob said.

"By utilizing CLR, ViperSoftX can seamlessly integrate PowerShell functionality, allowing it to execute malicious functions while evading detection mechanisms that might otherwise flag standalone PowerShell activity."

Initially detected by Fortinet in 2020, ViperSoftX is known for its ability to exfiltrate sensitive information from compromised Windows hosts. Over the years, the malware has become a relevant example of threat actors continuously innovating their tactics in an attempt to stay stealthy and circumvent defenses.

This is exemplified by the increased complexity and the adoption of advanced anti-analysis techniques such as byte remapping and web browser communication blocking, as documented by Trend Micro in April 2023.

As recently as May 2024, malicious campaigns have leveraged ViperSoftX as a delivery vehicle to distribute Quasar RAT and another information stealer named TesseractStealer.

Attack chains propagating the malware are known to employ cracked software and torrent sites, but the use of eBook lures is a newly observed approach. Present within the supposed eBook RAR archive file is a hidden folder as well as a deceptive Windows shortcut file that purports to be a benign document.

Executing the shortcut file starts a multi-stage infection sequence. It begins by extracting PowerShell code that unhides the concealed folder and establishes persistence on the system so that an AutoIt script is launched; that script in turn uses the .NET CLR to decrypt and run a secondary PowerShell script, which is ViperSoftX.

"AutoIt does not by default support the .NET Common Language Runtime (CLR)," the researchers said. "However, the language's user-defined functions (UDF) offer a gateway to the CLR library, granting malevolent actors access to PowerShell's formidable capabilities."

ViperSoftX harvests system information, scans for cryptocurrency wallets via browser extensions, captures clipboard contents, and dynamically downloads and runs additional payloads and commands based on responses received from a remote server. It also comes with self-deletion mechanisms to challenge detection.

"One of the hallmark features of ViperSoftX is its adept use of the Common Language Runtime (CLR) to orchestrate PowerShell operations within the AutoIt environment," the researchers said. "This integration enables seamless execution of malicious functions while evading detection mechanisms that would typically flag standalone PowerShell activity."
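
One defensive angle on the CLR-in-AutoIt hosting described above, as an added example that is not from the Trellix report or the article: a small hunt over Sysmon-style image-load records that flags the PowerShell engine assembly or the .NET runtime being loaded by an AutoIt process, which is exactly what a rule keyed only on powershell.exe misses. Field names follow Sysmon Event ID 7 (Image, ImageLoaded); the records, process IDs and paths are constructed, not real indicators.

```python
import json
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Any process loading the PowerShell engine assembly hosts PowerShell, whatever its name.
POWERSHELL_ENGINE = {"system.management.automation.dll", "system.management.automation.ni.dll"}
# Core .NET runtime modules an AutoIt interpreter has no reason to load on its own.
CLR_RUNTIME = {"clr.dll", "coreclr.dll", "mscoree.dll"}
EXPECTED_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}  # legitimate PowerShell hosts


def classify(event: dict) -> Optional[str]:
    """Label one Sysmon-style image-load record, or return None if it looks benign."""
    host = PureWindowsPath(event["Image"]).name.lower()
    module = PureWindowsPath(event["ImageLoaded"]).name.lower()
    if host in EXPECTED_HOSTS:
        return None
    if module in POWERSHELL_ENGINE:
        return f"powershell-engine-in-{host}"
    if module in CLR_RUNTIME and host.startswith("autoit"):
        return f"clr-in-{host}"
    return None


def hunt(lines: List[str]) -> List[Tuple[int, str]]:
    """Scan JSON lines (one event each) and return (pid, label) findings in order."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("EventID") != 7:  # 7 = Sysmon "Image loaded"; other event types are skipped
            continue
        label = classify(ev)
        if label:
            findings.append((ev["ProcessId"], label))
    return findings


# Constructed sample telemetry (not real IoCs): a normal PowerShell session, then an
# AutoIt binary in a hidden folder that pulls in the CLR and the PowerShell engine.
SAMPLE = [json.dumps(e) for e in [
    {"EventID": 7, "ProcessId": 4120,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\System.Management.Automation.dll"},
    {"EventID": 7, "ProcessId": 5588,
     "Image": r"C:\Users\Public\Books\.cache\AutoIt3.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"},
    {"EventID": 7, "ProcessId": 5588,
     "Image": r"C:\Users\Public\Books\.cache\AutoIt3.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\System.Management.Automation.dll"},
]]
```

Running `hunt(SAMPLE)` yields two findings for process 5588 and none for the real PowerShell host; the same logic maps directly onto an EDR or SIEM image-load query.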

"Furthermore, ViperSoftX's ability to patch the Antimalware Scan Interface (AMSI) before executing PowerShell scripts underscores its determination to circumvent traditional security measures."



Originally published on the WeChat official account 知机安全: ViperSoftX malware disguised as eBooks spreads via torrents in stealthy attacks

Reposts should retain this article's link (CN-SEC): https://cn-sec.com/archives/2941766.html
