
ViperSoftX Malware Expands Targets to Include Password Managers in Information Theft Scheme
- Written by Ari Denial, Cybersecurity & Tech Writer
The ViperSoftX malware, known for stealing information primarily related to cryptocurrencies, gained notoriety in 2022 for hiding malicious code within log files.
However, since its initial discovery in November, the malware has evolved: it now arrives and executes via DLL sideloading, encrypts its payload with a more sophisticated byte-remapping scheme, and rotates its command-and-control servers monthly. This update makes decrypting and analyzing the shellcode harder for analysts, because the correct byte map is required for proper decryption.
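To make the byte-map point concrete, here is an added illustration (not code from the report or from the malware) of what a byte-remapping layer looks like from the analyst's side: a 256-entry substitution table is applied to every byte, and recovery needs the inverse of that exact table. The seed-based map construction and the short "MZ" sample blob are constructed here for the demonstration; the page does not describe how ViperSoftX derives its map.

```python
import random
from collections import Counter


def build_byte_map(seed: int) -> bytes:
    """Construct a 256-entry byte permutation from a seed.
    Hypothetical derivation used only for this example."""
    table = list(range(256))
    random.Random(seed).shuffle(table)
    return bytes(table)


def invert_byte_map(byte_map: bytes) -> bytes:
    """Inverse table: invert[byte_map[i]] == i for every i."""
    inverse = bytearray(256)
    for plain, cipher in enumerate(byte_map):
        inverse[cipher] = plain
    return bytes(inverse)


def remap(data: bytes, table: bytes) -> bytes:
    """Substitute every byte through a 256-byte table."""
    return data.translate(table)


def decode_with_map(blob: bytes, byte_map: bytes) -> bytes:
    """Undo the remapping: only the matching map yields the original bytes."""
    return remap(blob, invert_byte_map(byte_map))


def histogram_shape(data: bytes) -> list:
    """Sorted byte-frequency counts. A permutation map relabels bytes but
    leaves this shape unchanged, so frequency analysis reveals the
    distribution of the hidden payload, not the map itself."""
    return sorted(Counter(data).values())


# Constructed sample standing in for an encrypted shellcode/PE blob.
SAMPLE = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"
CORRECT_MAP = build_byte_map(2023)
WRONG_MAP = build_byte_map(2024)
ENCODED = remap(SAMPLE, CORRECT_MAP)

if __name__ == "__main__":
    print("correct map recovers MZ header:",
          decode_with_map(ENCODED, CORRECT_MAP).startswith(b"MZ"))
    print("wrong map recovers sample:",
          decode_with_map(ENCODED, WRONG_MAP) == SAMPLE)
```

The practical consequence for triage is that a captured blob cannot be brute-forced byte by byte against a known key the way a single-byte XOR layer can; the analyst needs the table the loader carries or derives.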
Researchers from Trend Micro have recently reported that ViperSoftX, an information-stealing malware that was first discovered in 2020, has expanded its focus beyond just cryptocurrencies. The malware is now targeting additional cryptocurrency wallets and browsers such as Brave, Edge, Opera, and Firefox, as well as password managers.
The latest version of the malware also features stronger code encryption and new evasion techniques to bypass security software. According to Trend Micro’s analysis, the malware has affected both the consumer and enterprise sectors, with the majority of victims located in the US, Japan, Italy, Taiwan, Australia, Malaysia, France, and India.
According to the analysts’ findings, the malware usually enters systems disguised as benign software such as software cracks, activators, or key generators.
Avast’s documentation of an earlier version revealed that VenomSoftX had targeted various cryptocurrency wallets such as Binance, eToro, Kucoin, Blockchain, Coinbase, Kraken, and Gate.io.
Trend Micro’s report highlights that ViperSoftX has become more concerning, as the malware is now targeting two password managers, specifically 1Password and KeePass 2, in an effort to extract sensitive data saved within their browser extensions.
The latest version of ViperSoftX includes anti-detection, anti-analysis, and stealth features such as DLL sideloading, virtualization and monitoring tool checks, byte mapping encryption, and a new communication blocker to avoid C2 infrastructure analysis and detection.

New Linux Malware Variants Used by Chinese Hackers for Spying
- Written by Ari Denial, Cybersecurity & Tech Writer
Alloy Taurus, a Chinese nation-state group that has been known for targeting telecom companies since 2012, has been found to be using a Linux variant of a backdoor called PingPull and an undocumented tool called Sword2033.
The group, which had previously targeted telecom companies, has expanded its cyber espionage efforts to include government entities and financial institutions. It is now utilizing a Linux version of the PingPull backdoor, a remote access trojan that relies on Internet Control Message Protocol (ICMP) for command-and-control (C2) communications.
Palo Alto Networks Unit 42 recently discovered the Linux variant, and in the process detected malicious cyber activity by the group against South Africa and Nepal. The group, which is also known as Granite Typhoon and was previously part of the Soft Cell operation that targeted Middle Eastern telecom providers, employs yrhsywu2009.zapto[.]org on port 8443 for C2 communications.
It is worth noting that analysis of PingPull’s C2 instructions shows they closely resemble those of China Chopper, a common web shell employed by Chinese threat actors. This indicates that the attacker may be adapting pre-existing source code to create their own customized tools. Additionally, a thorough investigation of the domain in question has uncovered another ELF artifact, Sword2033, which possesses three fundamental capabilities: uploading files to the system, retrieving files from it, and executing commands.
The malware’s link to Alloy Taurus comes from its association with an active Indicator of Compromise (IoC) in a 2021 campaign against companies in Southeast Asia, Europe, and Africa.
Unit 42 warns that the group’s targeting of South Africa, particularly during its joint naval exercise with Russia and China, shows that it remains a significant threat to telecommunications, finance, and government organizations in these regions. The discovery of a Linux variant of the PingPull malware and the use of the Sword2033 backdoor indicate that the group continues to evolve its operations for espionage purposes.
To effectively combat this sophisticated threat, organizations must implement a comprehensive security strategy rather than relying solely on static detection methods.