Researchers have warned reading fans of a new malware strain disguising itself as eBooks, and being distributed via torrents.
Usually, threat actors sharing malware via torrents would disguise the files as popular movies, or cracks for expensive, commercial software, since these are popular and allow the attackers to distribute the malware to a wider cohort. eBooks are not usually impersonated in cybercrime due to the files being somewhat niche.
However, cybersecurity researchers from Trellix say they have observed malware known as ViperSoftX being shared this way. Users would think they are downloading an eBook, but the archive would also carry a hidden folder and a Windows shortcut file. Running the shortcut triggers the infection chain, which results in the deployment of the malware.
Information stealer and remote access trojan
ViperSoftX is a type of malware that functions as an information stealer and a remote access trojan (RAT). It is designed to steal sensitive information, such as login credentials, financial information, and other personal data from infected computers.
It was first spotted in the wild around late 2019, and has since evolved with various updates and modifications, making it a persistent threat to computer systems. Newer versions steal cryptocurrency wallet data from browser extensions, grabs clipboard content, and more.
“A notable aspect of the current variant of ViperSoftX is that it uses the Common Language Runtime (CLR) to dynamically load and run PowerShell commands, thereby creating a PowerShell environment within AutoIt for operations,” the researchers said, explaining how the malware remains hidden. “By utilizing CLR, ViperSoftX can seamlessly integrate PowerShell functionality, allowing it to execute malicious functions while evading detection mechanisms that might otherwise flag standalone PowerShell activity.”
While a potent infostealer in its own right, ViperSoftX also served as a loader, helping threat actors distribute Quasar RAT and an infostealer called TesseractStealer, TheHackerNews reports.