Table of Contents
Google Chrome is a popular open-source browser used to access the internet and run multiple web applications; It is one of the most trustable browsing platforms all around the world. Even so, there are multiple attacks targeting google chrome, as it is the best place to steal credentials or other sensitive information.
In this article, we will discuss one of the wildly exploited attacks where the Google chrome extension was seen used as a cryptocurrency stealer, ViperSoftX Malware. Let’s see what is ViperSoftX Malware, how ViperSoftX Malware is misused as a cryptocurrency stealing Google chrome extension, and how to protect from ViperSoftX Malware.
What is a google chrome extension? Are they safe?
A google chrome extension is nothing but a software program that enhances user experience by providing customized features. Chrome extensions are built on web technologies such as CSS, HTML, and JavaScript.
A vast majority of extensions are considered safe however the concern is when it comes to permission, as it can access sensitive and critical information. They can be a potential attack vector if not managed correctly. Let’s look into one such case.
What is VipersoftX Malware?
ViperSoftX is a Windows malware that deploys a Google Chrome extension named ‘VenomSoftX’. This is an information stealer malware with very interesting obfuscation capabilities. ViperSoftX is a JavaScript-based RAT (remote access trojan), it was initially observed in the early 2020s, but these malwares have grown extensive and is being actively exploited recently.
ViperSoftX is mostly distributed via cracked software like Microsoft Office, Adobe illustrator, etc. These are also spread via torrent downloads. Only windows users have been impacted so far.
Recent Campaign Activity – Victims of ViperSoftX Malware Campaign
As per Avast, they have protected more than 93,000 users from this malware. This malware is distributed all around the world, mostly via torrent files or software-sharing sites. The most impacted countries are India (7,000+), the USA (6,000+), and Italy (5,000+).
Impacted countries since the beginning of 2022 Source: Avast
As of 8th November 2022, a total of $130,421.56 have been stolen by ViperSoftX and VenomSoftX from stolen cryptocurrencies. The below table shows an estimate of attacker earnings from multiple cryptocurrency wallets.
| Cryptocurrency | Earnings in cryptocurrency | ~Earning in USD |
| Bitcoin | 5.947 BTC | $116,812.81 |
| Ethereum | 5.312 ETH | $7,826.13 |
| Dogecoin | 34,355.528 DOGE | $3,474.47 |
| Bitcoin Cach | 9.11997194 BCH | $1,021.39 |
| Cosmos (ATOM) | 65.153 ATOM | $846.44 |
| Tezos | 191.445553 XTZ | $241.32 |
| Dash | 4.72446445 DASH | $199 |
Source: Avast
How Does ViperSoftX Malware Campaign Work?- Attack Flow
This section is more focused on how ViperSoftX Malware is misused as a Cryptocurrency Stealing Google Chrome extension.
ViperSoftX pretends to be a cracked software as the victim downloads it. This malware is commonly named patch.exe or activator.exe. Activator.exe is the loader that decrypts data from itself using AES, the decrypted loader reveals five different files:
ViperSoftX PowerShell payload hidden as a log file
XML file (task scheduler)
A schedule task is created, and persistence is established using the VBS file
Cracked application binary
manifested file
The log file will usually be more than 5 MB and contains a single malicious line of code. This file will be stored under different names such as “driver” or “log” or a “text” file.
ViperSoftX malware is very skilled in hiding itself. Before executing the payload, it is protected by 8 layers of code obfuscation. 3 major types of obfuscation techniques used are:
AES decryption: this will be the first layer
Converting char arrays: usually, the 3rd layer and has a simple functionality of calculating a hard coded array of characters.
UTF8 Decoding: this contains multiple code snippets, this type of decoding is the most recurring DE obfuscation layer
ViperSoftX achieves persistence by creating a copy of itself in %APPDATA%. The attacker also tries to make it look trustable by using legitimate names such as vpn_port.dll, and install.sig etc. The malware also drops another script file and creates a shortcut in the startup directory to invoke it. This is a VBS script file that later executes ViperSoftX.
Features of ViperSoftX Malware
The primary features of ViperSoftX include the following,
Stealing cryptocurrency
Fingerprinting the infected machine
Computer name and Username
OS information and its architecture
Any antivirus or other security software Installed and whether the solution is active or not.
Clipboard swapping
Command execution
Downloading and executing payloads
As we already mentioned, one of the critical payloads used by ViperSoftX is the chromium-based browser extension VenomSoftX. This extension has multiple unique features which provide complete access to every website the victim visit. It also could execute man-in-the-browser attacks to steal cryptocurrency by tampering with crypto addresses (API request tampering) on popular cryptocurrency exchanges. The stolen information and fingerprint are concatenated into one string, further encoded by base 64, and is shared with the hardcoded C&C server.
ViperSoftX scans the copied clipboard text content using predefined regular expressions, and if the expression matches any configured wallet address, the malware replaces the content with the attacker address notification to command and control. This is done in the X-notify HTTP header in the below format ‘Cryptocurrency type – victim’s address – attacker’s address.’
The attacker hides the malware as a chrome browser extension masqueraded as “Google Sheets 2.1” which is supposed to be a google productivity app.
Malicious extension (Credits: Avast)
ViperSoftX as a RAT (Remote Access Trojan)
ViperSoftX also provides RAT functionalities such as executing arbitrary commands downloading arbitrary payloads and executing itself, removing itself entirely from the system, etc. The malware can create an infinite loop and execute commands after every 3 seconds of sleep.
ViperSoftX passes information to the CNC server via the HTTP header, Where it provides OS information, computer name, username, etc. The commands implemented by ViperSoftX are:
| Name | Description | Parameters |
| Ex | Executes JS code using eval(). | 1. JavaScript code |
| Cmd | Runs a command through cmd.exe. | 1. Command line |
| DwnlExe | Runs a PowerShell script that downloads an additional file to a specified location under %TEMP%, sleeps for 20 seconds, and then executes the downloaded payload. | 1. URL to download the file from 2. Path to save the file to |
| DwnlOnly | Downloads a file to predefined folders. Optionally, despite the name of the command, it executea the downloaded payload, like DwnlExe. | 1. URL from which to download the file 2. Name to save the file as. It is appended to the predefined folder path 3. Predefined destination folder: Startup, Temp, or Desktop 4. Boolean flag that indicates whether to also execute the file |
| SelfRemove | Executes PowerShell one liners to delete the script from %APPDATA%, the VBScript and shortcut in the startup directory. | |
| UpdateS | Removes all persistence for the current version and executes the new downloaded JS file. | 1. URL to download the file from 2. Path to save the file to |
Source: Fortinet
As observed by Fortinet, the malware author continue to use multiple JavaScript-based payloads. This shows that the developer is more comfortable using JavaScript as his preferable programming language.
How to protect from ViperSoftX Malware?
JavaScript-based malware are on trend now, and the obfuscation capability of this malware is amazing. While the functionality is simple. If closely monitored, VipersoftX Malware can be detected easily, as it uses plaintext communication using a header, as it will stand out from regular traffic.
Any communication with the IOCs mentioned should be monitored closely to avoid damage to the organization.
Indicator of Compromise (IOC) of ViperSoftX Malware
SHA256 –
65cb35d1b09097aa64b89062a060b3bb680bc4c962ff116f32edf92735f401eb
4bb342c21ff563454d2fdc25eb3e63731d06d20c1fca2522061ad1ef38a53c89
391e4b6ffb90303547d20baaa5695f2c0191f5461bb20cb885e170dd019e017c
9e63d2ac3dc280a25c27a126752fdde1c8c5a0c4b4990f479a44dd8441b22ab3
ViperSoftX
| File name | SHA256 |
| Activator.exe | e1dc058fc8282acb95648c1ee6b0bc36b0d6b5e6853d4f602df5549e67d6d11a |
| Hidden log script first variant | 0bad2617ddb7586637ad81aaa32912b78497daf1f69eb9eb7385917b2c8701c2 |
| Hidden log script second variant | 0cb5c69e8e85f44725105432de551090b28530be8948cc730e4b0d901748ff6f |
| ViperSoftX PowerShell | 23b9075dac7dbf712732bb81ecd2c21259f384eb79ae8fdebe29b7c5a12d0519 |
| ViperSoftX’s browser installer | 5c5202ed975d6647bd157ea494d0a09aac41d686bcf39b16a870422fa77a9add |
VenomSoftX
| File name | SHA256 |
| content.bootstrap.js | 3fe448df20c8474730415f07d05bef3011486ec1e070c67683c5034ec76a2fcb |
| manifest.json | 0de9a23f88b9b7bda3da989dce7ad014112d88100dceaabca072d6672522be26 |
| rules.json | 1d6845c7b92d6eb70464a35b6075365872c0ae40890133f4d7dd17ea066f8481 |
| webpack_block.js | 7107ab14a1760c6dccd25bf5e22221134a23401595d10c707f023f8ca5f1b854 |
| webpack_bnb.js | ddee23e2bfd6b9d57569076029371e6e686b801131b6b503e7444359d9d8d813 |
| webpack_cb.js | 947215a1c401522d654e1d1d241e4c8ee44217dacd093b814e7f38d4c9db0289 |
| webpack_common.js | 7b75c1150ef10294c5b9005dbcd2ee6795423ec20c512eb16c8379b6360b6c98 |
| webpack_content.js | d7dfc84af13f49e2a242f60804b70f82efff7680cddf07f412667f998143fe9c |
| webpack_gt.js | 4da1352e3415faa393e4d088b5d54d501c8d2a9be9af1362ca5cc0a799204b37 |
| webpack_kuc.js | 705deecbbb6fd4855df3de254057c90150255c947b0fb985ea1e0f923f75a95f |
C&C communication
api.private-chatting[.]com
apps-analyser[.]com
wmail-blog[.]com
wmail-service[.]com
seko[.]vipers[.]pw
MITRE Techniques
T1027 (Obfuscated Files or Information)
T1059.001 (PowerShell)
T1059.007 (JavaScript)
T1115 (Clipboard Data)
T1140 (Deobfuscate/Decode Files or Information)
T1176 (Browser Extensions)
T1189 (Drive-by Compromise)
T1204.002 (Malicious File)
T1496 (Resource Hijacking)
List of wallet addresses
| Cryptocurrency | Address |
| ADA | addr1q9c27w7u4uh55sfp64ahtrnj44jkthpe7vyqgcpt73z9lrq7fw3juld8k2ksz2p82tv45j8yc5wzqmr4ladxyt0vjxrsf33mjk |
| ATOM | cosmos1mcah8lel6rxhlqsyrzpm8237cqcuzgyw70nm6f |
| BNB | bnb1u64a2n3jhw4yh73s84rc58v8wxrwp7r8jwakpr |
| BNB | bnb1vmwl54jxj9yvsgz33xtyuvqnurdjy2raqnttkq |
| BTC | 1L8EBHDeiHeumtcpcroaxBceXnWFiYU5dh |
| BTC | 1PRMMQgM65KDtMTryu9ccpeAgUmKqDrE9M |
| BTC | 1Pqkb4MZwKzgSNkaX32wMwg95D9NfW9vZX |
| BTC | 32Wx3dsHCCxyJZLwseFYkgeFqVk16tCCcF |
| BTC | 3JvBvRuBfYvB6MjzMornj9EQpxhq9W7vXP |
| BTC | bc1qn6ype8u5kgj672mvsez9wz9wt9wk22tzd5vprp |
| BTC | bc1qxgz2g8kn2kg0wqqrmctyxu5n925pnwphzlehaw |
| BTC | qq9yrhef7csy3yzgxgs0rvkvez440mk53gv8ulyu6a |
| BTC | qqh3g98z60rdl05044xxt7gkgncezmdfy5tja99z53 |
| DASH | XdxTmTFuHrcHnQQhfweAnHtExFB5BXmU1z |
| DASH | Xtwj8uGx77NYBUki1UCPvEhe4kHYi6yWng |
| DOT | 122zNSYNN2TSR2H5wBCX16Yyvq7qLFWo1d6Lvw2t9CNxMxt1 |
| DOGE | DDxhfK5wbJkRN25mAbBYk3ND4xLjiMRyNq |
| DOGE | DUUNTm23sVwLyiw27WW9ZPT9XfiWhB1Cvf |
| ETH | 0x9d787053f9839966A664b0e14e9C26a3684F6E44 |
| ETH | 0x12507F83Dde59C206ec400719dF80D015D9D17B6 |
| ETH | 0x884467182849bA788ba89300e176ebe11624C882 |
| KAVA | kava1emxzwjw84e0re7awgue9kp4gseesyqrttg69sm |
| SOL | 7j5bxiFPSsScScBEjLj9qud5Yc2CqXGmembX3hQBdFTd$ |
| USDT | TDJLMdJWPrKNMHuxgpQL8QPYgvdXTnWJao |
| XMR | 475WGyX8zvFFCUR9ufThrNRtJmzmU13gqH9GV2WgAjbR7FgRVCWzokdfVf2hqvRbDBaMzBm1zpDiBTpBgxLt6d7nAdEEhC4 |
| XMR | 48qx1krgEGzdcSacbmZdioNwXxW6r43yFSJDKPWZb3wsK9pYhajHNyE5FujWo1NxVwEBvGebS7biW9mjMEWdMevqMGmDJ6x |
| XRP | rH6dyKWNpcvFz6fQ4ohyDbevSxcxdxfSmz |
| XRP | rpzn8Ax7Kz1A4Yi8KqvzV43KYsa59SH2Aq |
| XTZ | tz1g6rcQAgtdZc8PNUaTUzrDD8PYuCeVj4mb |
| ZEC | t1XjiZx8EydDDRuLisoYyVifcSFb96a3YBj |
| ZIL | zil1aw3kyrymt52pq2e4xwzusdfce9e5tmewvshdrm |
We hope this article helped in understanding what is ViperSoftX Malware, how ViperSoftX Malware is misused as a cryptocurrency stealing Google chrome extension, and how to protect from ViperSoftX Malware. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this.
Aroma Rose Reji
Aroma is a cybersecurity professional with more than four years of experience in the industry. She has a strong background in detecting and defending cyber-attacks and possesses multiple global certifications like eCTHPv2, CEH, and CTIA. She is a pet lover and, in her free time, enjoys spending time with her cat, cooking, and traveling. You can connect with her on LinkedIn.
- April 18, 2024
Learn Something New with Free Email subscription
Learn Something New with Free Email subscription
Subscribe
Subscribe
Subscribe
Subscribe
- April 18, 2024
