ViperSoftX is an infostealer that has already been after crypto wallets, but its now attacking more of them, in addition to multiple web browsers – not just Google Chrome – and password managers as well.
It also has stronger code encryption now and is better at avoiding detection from antivirus tools.
ViperSoftX can install the malicious Chrome extension VenomSoftX, but according to security researchers Trend Micro, it can now also infect Microsoft Edge, Mozilla Firefox, Opera and Brave.
It seems that now, however, ViperSoftX has extended its global reach, with Trend Micro detecting additional prominent activity in Australia, Japan, Taiwan, Malaysia and France. Enterprises and consumers alike are being targeted too. Analysts found that the malware is often hidden in software cracks and activators.
In addition to attacking many more crypto wallets now, the latest version of ViperSoftX has been found by Trend Micros to be scouring for files associated with 1Password and KeePass, and attempting to steal data related to their browser extensions.
An exploit tracked as CVE-2023-24055 does allow for stored passwords to be exported in a plain text file, but Trend Micro found now evidence that this is being used by ViperSoftX.
However, it told BleepingComputer that it could steal users’ vaults in the later stages of the attack, once the malware has taken hold and extracted data from the victim’s system and sent it to the threat actor.
More worringly, the new ViperSoftX uses DLL sideloading in order to be mistakenly recognized as a trusted process, thus remaining undetected by security software. It also checks to see if monitoring tools like VMWare or Process Monitor and antivirus software such as Windows Defender and ESET are present on the system before it it begins its processes.
It also uses byte mapping, a technique to encrypt its code in a way that makes it much harder to decrypt without having the correct map to do so.