
Google Chrome is a popular open-source browser used to access the internet and run many web applications; it is one of the most trusted browsing platforms in the world. Even so, many attacks target Google Chrome, since the browser is where credentials and other sensitive information are most readily stolen.

In this article, we will discuss one of the widely exploited attacks in which a Google Chrome extension is used as a cryptocurrency stealer: the ViperSoftX malware. We will look at what ViperSoftX is, how it misuses a Google Chrome extension to steal cryptocurrency, and how to protect against it.

What is a Google Chrome extension? Are they safe?

A Google Chrome extension is a software program that enhances the user experience by adding customized features. Chrome extensions are built with web technologies such as CSS, HTML, and JavaScript.

The vast majority of extensions are considered safe; the concern is permissions, since an extension can be granted access to sensitive and critical information. Extensions can be a potential attack vector if not managed correctly. Let’s look into one such case.

What is ViperSoftX Malware?

ViperSoftX is a Windows malware that deploys a Google Chrome extension named ‘VenomSoftX’. It is an information stealer with very interesting obfuscation capabilities. ViperSoftX is a JavaScript-based RAT (remote access trojan); it was initially observed in the early 2020s, but the malware has since grown extensively and is being actively used in recent campaigns.

ViperSoftX is mostly distributed via cracked software such as Microsoft Office, Adobe Illustrator, etc., and also spreads via torrent downloads. Only Windows users have been impacted so far.

Recent Campaign Activity – Victims of ViperSoftX Malware Campaign 

According to Avast, it has protected more than 93,000 users from this malware. The malware is distributed all around the world, mostly via torrent files or software-sharing sites. The most impacted countries are India (7,000+), the USA (6,000+), and Italy (5,000+).

[Figure: Impacted countries since the beginning of 2022. Source: Avast]

As of 8 November 2022, a total of $130,421.56 worth of cryptocurrency had been stolen by ViperSoftX and VenomSoftX. The table below shows an estimate of the attacker’s earnings across multiple cryptocurrency wallets.

Cryptocurrency      Earnings in cryptocurrency    ~Earnings in USD
Bitcoin             5.947 BTC                     $116,812.81
Ethereum            5.312 ETH                     $7,826.13
Dogecoin            34,355.528 DOGE               $3,474.47
Bitcoin Cash        9.11997194 BCH                $1,021.39
Cosmos (ATOM)       65.153 ATOM                   $846.44
Tezos               191.445553 XTZ                $241.32
Dash                4.72446445 DASH               $199

Source: Avast

How Does the ViperSoftX Malware Campaign Work? – Attack Flow

This section focuses on how ViperSoftX misuses a Google Chrome extension to steal cryptocurrency.

ViperSoftX pretends to be cracked software that the victim downloads. The malware is commonly named patch.exe or activator.exe. Activator.exe is the loader: it decrypts data embedded in itself using AES, and the decrypted data reveals five different files:

  • The ViperSoftX PowerShell payload, hidden as a log file
  • An XML file for Task Scheduler
  • A VBS file; a scheduled task is created and persistence is established through this file
  • The cracked application binary
  • A manifest file


The log file is usually larger than 5 MB and contains a single malicious line of code. The file is stored under different names, such as a “driver”, “log” or “text” file.

ViperSoftX is very skilled at hiding itself. Before the payload executes, it is protected by 8 layers of code obfuscation. The 3 major types of obfuscation technique used are:

  1. AES decryption: this is the first layer.
  2. Converting char arrays: usually the 3rd layer; it has the simple functionality of computing a hard-coded array of characters.
  3. UTF-8 decoding: this appears in multiple code snippets and is the most recurring deobfuscation layer.

ViperSoftX achieves persistence by creating a copy of itself in %APPDATA%. The attacker also tries to make it look trustworthy by using legitimate-sounding names such as vpn_port.dll and install.sig. The malware also drops another script file and creates a shortcut in the Startup directory to invoke it; this is a VBS script that later executes ViperSoftX.

Features of ViperSoftX Malware

The primary features of ViperSoftX include the following:

  • Stealing cryptocurrency
  • Fingerprinting the infected machine
    • Computer name and username
    • OS information and its architecture
    • Any antivirus or other security software installed, and whether the solution is active or not
  • Clipboard swapping
  • Command execution
  • Downloading and executing payloads

As already mentioned, one of the critical payloads used by ViperSoftX is the Chromium-based browser extension VenomSoftX. This extension has multiple unique features that provide complete access to every website the victim visits. It can also execute man-in-the-browser attacks to steal cryptocurrency by tampering with crypto addresses (API request tampering) on popular cryptocurrency exchanges. The stolen information and fingerprint are concatenated into one string, Base64-encoded, and sent to the hardcoded C&C server.

ViperSoftX scans copied clipboard text using predefined regular expressions; if the text matches any configured wallet address pattern, the malware replaces it with the attacker’s address and notifies the command-and-control server. The notification is sent in the X-notify HTTP header in the format ‘cryptocurrency type – victim’s address – attacker’s address’.

The attacker hides the malware as a Chrome browser extension masquerading as “Google Sheets 2.1”, which is supposed to be a Google productivity app.

[Figure: Malicious extension. Credits: Avast]

ViperSoftX as a RAT (Remote Access Trojan)

ViperSoftX also provides RAT functionality such as executing arbitrary commands, downloading arbitrary payloads and executing them, removing itself entirely from the system, etc. The malware runs an infinite loop that executes commands after every 3 seconds of sleep.

ViperSoftX passes information to the C&C server via an HTTP header, in which it provides OS information, computer name, username, etc. The commands implemented by ViperSoftX (name, description and parameters) are:

  • Ex: Executes JS code using eval(). Parameters: (1) JavaScript code.
  • Cmd: Runs a command through cmd.exe. Parameters: (1) command line.
  • DwnlExe: Runs a PowerShell script that downloads an additional file to a specified location under %TEMP%, sleeps for 20 seconds, and then executes the downloaded payload. Parameters: (1) URL to download the file from; (2) path to save the file to.
  • DwnlOnly: Downloads a file to predefined folders. Optionally, despite the name of the command, it executes the downloaded payload, like DwnlExe. Parameters: (1) URL from which to download the file; (2) name to save the file as, appended to the predefined folder path; (3) predefined destination folder: Startup, Temp, or Desktop; (4) Boolean flag indicating whether to also execute the file.
  • SelfRemove: Executes PowerShell one-liners to delete the script from %APPDATA%, the VBScript and the shortcut in the Startup directory. No parameters.
  • UpdateS: Removes all persistence for the current version and executes the newly downloaded JS file. Parameters: (1) URL to download the file from; (2) path to save the file to.

Source: Fortinet

As observed by Fortinet, the malware author continues to use multiple JavaScript-based payloads, which suggests that the developer is most comfortable with JavaScript as their preferred programming language.


How to protect against ViperSoftX Malware?

JavaScript-based malware is on trend now, and the obfuscation capability of this malware is impressive, while its functionality is simple. If closely monitored, ViperSoftX can be detected easily: it communicates in plaintext using an HTTP header, which stands out from regular traffic.

Any communication with the IOCs listed below should be monitored closely to avoid damage to the organization.
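The two detection opportunities described above, the C&C domains from the IOC list and the plaintext X-notify header carrying ‘cryptocurrency type – victim’s address – attacker’s address’, can be checked in proxy logs. The following is an added example, not code from the article or from Avast/Fortinet; the log line format, the field names and the exact separator and address shape inside X-notify are assumptions.

```python
import re

# C&C domains from the article's IOC list, given there defanged with "[.]".
KNOWN_C2 = {d.replace("[.]", ".") for d in (
    "api.private-chatting[.]com", "apps-analyser[.]com", "wmail-blog[.]com",
    "wmail-service[.]com", "seko[.]vipers[.]pw")}

# The article gives the X-notify value as 'cryptocurrency type - victim address -
# attacker address'. The separator (hyphen or en dash, optional spaces) and the
# alphanumeric address shape are assumptions, not taken from a captured sample.
X_NOTIFY_RE = re.compile(
    r"^(?P<coin>[A-Za-z0-9]{2,10})\s*[-\u2013]\s*(?P<victim>[A-Za-z0-9]{20,120})"
    r"\s*[-\u2013]\s*(?P<attacker>[A-Za-z0-9]{20,120})$")

def parse_fields(line):
    """Parse one constructed proxy log line of 'key=value' pairs separated by '; '."""
    fields = {}
    for part in line.split("; "):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    return fields

def scan_log(lines):
    """Return (line_no, reason, detail) tuples for C&C hosts and X-notify headers."""
    findings = []
    for n, line in enumerate(lines, 1):
        f = parse_fields(line)
        host = f.get("host", "").lower()
        if host in KNOWN_C2 or any(host.endswith("." + d) for d in KNOWN_C2):
            findings.append((n, "known_c2_domain", host))
        notify = f.get("x-notify")
        if notify is not None:
            m = X_NOTIFY_RE.match(notify)
            if m:  # decode which wallet was swapped for which attacker address
                findings.append((n, "clipboard_swap_notify",
                                 f"{m['coin']}: {m['victim']} -> {m['attacker']}"))
            else:  # the header alone is unusual in normal traffic, so still record it
                findings.append((n, "unexpected_x_notify_header", notify))
    return findings

# Constructed sample proxy log, not real traffic; wallet addresses are placeholders.
SAMPLE_LOG = [
    "host=www.example.com; method=GET; path=/",
    "host=wmail-service.com; method=POST; path=/api; "
    "x-notify=BTC - bc1qvictimaddressplaceholder0000000000 - bc1qattackeraddressplaceholder000000000",
    "host=cdn.example.org; method=GET; path=/app.js; x-notify=debug",
]
```

scan_log(SAMPLE_LOG) flags line 2 twice (a known C&C host and a decoded swap notification) and line 3 once for its stray X-notify header, while the clean first line produces nothing.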

Indicators of Compromise (IOC) of ViperSoftX Malware

SHA256

  • 65cb35d1b09097aa64b89062a060b3bb680bc4c962ff116f32edf92735f401eb
  • 4bb342c21ff563454d2fdc25eb3e63731d06d20c1fca2522061ad1ef38a53c89
  • 391e4b6ffb90303547d20baaa5695f2c0191f5461bb20cb885e170dd019e017c
  • 9e63d2ac3dc280a25c27a126752fdde1c8c5a0c4b4990f479a44dd8441b22ab3

ViperSoftX 

File name                          SHA256
Activator.exe                      e1dc058fc8282acb95648c1ee6b0bc36b0d6b5e6853d4f602df5549e67d6d11a
Hidden log script first variant    0bad2617ddb7586637ad81aaa32912b78497daf1f69eb9eb7385917b2c8701c2
Hidden log script second variant   0cb5c69e8e85f44725105432de551090b28530be8948cc730e4b0d901748ff6f
ViperSoftX PowerShell              23b9075dac7dbf712732bb81ecd2c21259f384eb79ae8fdebe29b7c5a12d0519
ViperSoftX’s browser installer     5c5202ed975d6647bd157ea494d0a09aac41d686bcf39b16a870422fa77a9add

VenomSoftX

File name                SHA256
content.bootstrap.js     3fe448df20c8474730415f07d05bef3011486ec1e070c67683c5034ec76a2fcb
manifest.json            0de9a23f88b9b7bda3da989dce7ad014112d88100dceaabca072d6672522be26
rules.json               1d6845c7b92d6eb70464a35b6075365872c0ae40890133f4d7dd17ea066f8481
webpack_block.js         7107ab14a1760c6dccd25bf5e22221134a23401595d10c707f023f8ca5f1b854
webpack_bnb.js           ddee23e2bfd6b9d57569076029371e6e686b801131b6b503e7444359d9d8d813
webpack_cb.js            947215a1c401522d654e1d1d241e4c8ee44217dacd093b814e7f38d4c9db0289
webpack_common.js        7b75c1150ef10294c5b9005dbcd2ee6795423ec20c512eb16c8379b6360b6c98
webpack_content.js       d7dfc84af13f49e2a242f60804b70f82efff7680cddf07f412667f998143fe9c
webpack_gt.js            4da1352e3415faa393e4d088b5d54d501c8d2a9be9af1362ca5cc0a799204b37
webpack_kuc.js           705deecbbb6fd4855df3de254057c90150255c947b0fb985ea1e0f923f75a95f

C&C communication

  • api.private-chatting[.]com
  • apps-analyser[.]com
  • wmail-blog[.]com
  • wmail-service[.]com
  • seko[.]vipers[.]pw

MITRE Techniques

  • T1027 (Obfuscated Files or Information)
  • T1059.001 (PowerShell)
  • T1059.007 (JavaScript)
  • T1115 (Clipboard Data)
  • T1140 (Deobfuscate/Decode Files or Information)
  • T1176 (Browser Extensions)
  • T1189 (Drive-by Compromise)
  • T1204.002 (Malicious File)
  • T1496 (Resource Hijacking)

List of wallet addresses

