Bookworms Beware: This Sneaky Malware Disguises Itself as E-Books
Researchers are warning readers about a new malware variant that masquerades as an e-book and is distributed via torrents.
Typically, malicious actors who share malware via torrents disguise the files as popular movies or as cracks for expensive commercial software. These lures are in high demand and let attackers spread the malware to a wide audience. E-books are not usually used as a lure because the files are quite niche.
However, cybersecurity researchers at Trellix say they have seen malware called ViperSoftX deployed in this manner. Users believe they are downloading an e-book, but the archive also contains a hidden folder and a Windows shortcut file. Executing the shortcut triggers the infection chain, resulting in the malware being deployed.
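The layout described above (an archive that looks like an e-book but also holds a hidden folder and a Windows shortcut) is easy to check for before anything is opened. The following script is an added example, not tooling from Trellix or from the original report; it walks an extracted archive, flags hidden folders, `.lnk` files and double-extension names such as `Title.pdf.lnk`, and builds a constructed sample tree so it can be run offline.

```python
"""Heuristic scan of an extracted archive for the e-book lure layout described
above: a hidden folder next to a Windows shortcut (.lnk). Added example only."""
import os
import stat
import tempfile
from pathlib import Path

SHORTCUT_SUFFIX = ".lnk"
DOC_SUFFIXES = {".pdf", ".epub", ".mobi", ".azw3"}  # assumed lure extensions


def is_hidden(path: Path) -> bool:
    """Hidden if dot-prefixed, or (on Windows) if FILE_ATTRIBUTE_HIDDEN is set."""
    if path.name.startswith("."):
        return True
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def scan_extracted_archive(root: str) -> dict:
    """Return findings for the tree under `root`; 'suspicious' is True when the
    described lure pattern (shortcut + hidden folder, or a double-extension
    shortcut) is present."""
    root_path = Path(root)
    findings = {"hidden_dirs": [], "shortcuts": [],
                "double_extension_lures": [], "suspicious": False}
    for dirpath, dirnames, filenames in os.walk(root_path):
        d = Path(dirpath)
        for name in dirnames:
            if is_hidden(d / name):
                findings["hidden_dirs"].append(str((d / name).relative_to(root_path)))
        for name in filenames:
            p = d / name
            if p.suffix.lower() == SHORTCUT_SUFFIX:
                rel = str(p.relative_to(root_path))
                findings["shortcuts"].append(rel)
                # "Title.pdf.lnk": a document extension in front of the .lnk suffix
                if Path(p.stem).suffix.lower() in DOC_SUFFIXES:
                    findings["double_extension_lures"].append(rel)
    findings["suspicious"] = bool(findings["shortcuts"] and findings["hidden_dirs"]) \
        or bool(findings["double_extension_lures"])
    return findings


def build_sample_archive() -> str:
    """Constructed sample tree imitating the described layout; not a real sample."""
    root = tempfile.mkdtemp(prefix="ebook_lure_")
    hidden = Path(root) / ".data"          # hidden folder with the placeholder payload
    hidden.mkdir()
    (hidden / "payload.bin").write_bytes(b"placeholder bytes, not malware")
    # placeholder shortcut; real .lnk files begin with the 0x4C header size field
    (Path(root) / "Bestseller.pdf.lnk").write_bytes(b"L\x00\x00\x00" + b"\x00" * 16)
    return root
```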
Information Thief and Remote Access Trojan
ViperSoftX is a type of malware that functions as an information stealer and a remote access trojan (RAT). It is designed to steal sensitive information such as login credentials, financial information, and other personal data from infected computers.
It was first spotted in the wild in late 2019 and has since evolved with various updates and modifications, making it a persistent threat to computer systems. Newer versions steal cryptocurrency wallet credentials from browser extensions, grab clipboard contents, and more.
“A notable aspect of the current variant of ViperSoftX is that it uses the Common Language Runtime (CLR) to dynamically load and execute PowerShell commands, creating a PowerShell environment within AutoIt for operations,” the researchers said, explaining how the malware remains stealthy. “By using CLR, ViperSoftX is able to seamlessly integrate PowerShell functionality, allowing it to perform malicious functions while evading detection mechanisms that might otherwise flag standalone PowerShell activity.”
While ViperSoftX is a powerful infostealer on its own, it has also acted as a loader, helping attackers deploy Quasar RAT and an infostealer called TesseractStealer, TheHackerNews reported.