ViperSoftX Malware Hidden in Cracked Software

AhnLab Security Intelligence Center (ASEC) discovered a cyber attack targeting Korean users with ViperSoftX malware.

ViperSoftX Malware

ViperSoftX is distributed through cracked software and torrent bundles that are packaged to look like legitimate programs; the exact initial infection path has not been confirmed. Arabic-language comments in the PowerShell and VBS scripts used for command-and-control (C&C) communication suggest the operators are fluent in Arabic.

The user is tricked into running the malware because it arrives as the cracked program or torrent bundle they were looking for.

After the initial infection, ViperSoftX's PowerShell downloader fetches two further payloads: PureCrypter and Quasar RAT.

PureCrypter is a commercial .NET packer/loader that has been sold on underground forums since 2021. It uses Google's Protocol Buffers (protobuf) library to serialize the traffic between the loader and its servers.

It also drops decoy executables with names borrowed from legitimate software, such as "nvidia.exe" and "teamviewer.exe", in the %ALLUSERSPROFILE% folder so they blend in with real installations.

If these files are present, the chain executes them to carry out specific tasks. Components observed include:

  • VBS downloader

The final payload, Quasar RAT, is an open-source remote access trojan that gives the attacker full control of the host, including keylogging, remote command execution, and file transfer.

It is dropped under file names of legitimate programs, such as "winrar.exe" and "micro.exe", to evade casual inspection.

ASEC researchers said this attack uses advanced methods and shows signs of a well-funded threat group.

Indicators of Compromise (IoCs)

  • MD5 Hashes:
    • 05cbfc994e6f084f536cdcf3f93e476f
    • 4c6daef71ae1db6c6e790fca5974f1ca
    • 70e51709238385fd30ab427eb82e0836
    • 7d937e196962e3ebbbdee6d3a002f0cf
    • e5d6c58d17ebce8b0e7e089dfc60ff1a
  • IP Addresses:
    • 136.243.132.112: Possible C&C address
    • 65.109.29.234: C&C for Quasar RAT
    • 89.117.79.31: Primary C&C address

How to Stay Safe from This Threat

Monitoring for the IP addresses and file hashes listed above, in firewall and proxy logs, in EDR telemetry, and in on-host scans of the drop folders, can help detect the attack early.
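The following hunt script is an added example and is not code from the ASEC report or from this article. It checks a single Windows host for the IoCs above: it hashes executables and scripts under the drop folders and flags any file whose MD5 is in the IoC list or whose name matches one of the decoy names the article reports, and it looks for live TCP connections to the three C&C addresses. The hash list, IP list and decoy names come from the article; the function names, the choice of %TEMP% and %APPDATA% as extra search roots, and the output format are assumptions of this example.

```powershell
# Added example, not part of the original article. Run from an elevated PowerShell
# session so that Get-NetTCPConnection can map connections to owning processes.

# IoCs as published in the article.
$IocMd5 = @(
    '05cbfc994e6f084f536cdcf3f93e476f',
    '4c6daef71ae1db6c6e790fca5974f1ca',
    '70e51709238385fd30ab427eb82e0836',
    '7d937e196962e3ebbbdee6d3a002f0cf',
    'e5d6c58d17ebce8b0e7e089dfc60ff1a'
)
$IocIps = @('136.243.132.112', '65.109.29.234', '89.117.79.31')

# Decoy file names the article reports for PureCrypter and Quasar RAT.
$DecoyNames = @('nvidia.exe', 'teamviewer.exe', 'winrar.exe', 'micro.exe')

function Find-IocFiles {
    # %ALLUSERSPROFILE% is the drop folder named in the article; %TEMP% and %APPDATA%
    # are added here as common staging locations (an assumption of this example).
    param([string[]]$Roots = @($env:ALLUSERSPROFILE, $env:TEMP, $env:APPDATA))

    foreach ($root in $Roots) {
        if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }

        Get-ChildItem -Path $root -Recurse -File -Include *.exe, *.ps1, *.vbs -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
            $hashHit = ($null -ne $hash) -and ($IocMd5 -contains $hash.ToLower())
            $nameHit = $DecoyNames -contains $_.Name.ToLower()

            if ($hashHit -or $nameHit) {
                $reason = if ($hashHit) { 'MD5 matches published IoC' } else { 'decoy file name in drop folder' }
                [pscustomobject]@{
                    Path      = $_.FullName
                    MD5       = $hash
                    SizeBytes = $_.Length
                    Modified  = $_.LastWriteTime
                    Reason    = $reason
                }
            }
        }
    }
}

function Find-IocConnections {
    # Get-NetTCPConnection is available on Windows 8 / Server 2012 and later.
    Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $IocIps -contains $_.RemoteAddress } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            RemoteAddress = $_.RemoteAddress
            RemotePort    = $_.RemotePort
            State         = $_.State
            ProcessId     = $_.OwningProcess
            ProcessName   = $proc.ProcessName
            ProcessPath   = $proc.Path
        }
    }
}

# Run both checks; no output means no IoC matched on this host.
Write-Host '== File IoCs =='
Find-IocFiles | Format-Table -AutoSize
Write-Host '== Network IoCs =='
Find-IocConnections | Format-Table -AutoSize
```

Two caveats when reading the results. PureCrypter is a packer, so each new build of the payload has a different hash; a hash match confirms a known sample, but a miss does not clear the host, which is why the script also flags the decoy file names in the drop folders. A decoy-name hit still needs triage (check the signature, publisher and parent process of the file) because a legitimate program can share the name; a hash or C&C-address hit should be treated as a confirmed infection.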

To protect yourself:

  • Don’t download software from untrusted sources like torrent sites.
  • Always use official or verified download methods.
  • Keep your antivirus updated and set to scan all downloads and installs.
  • Turn on real-time protection and heuristic scanning to catch unknown threats.

ASEC is closely watching this threat and has shared key details with the cybersecurity community to help defend against it.

Stay informed and follow strong cybersecurity habits to stay protected.

About the Author:

FirstHackersNews- Identifies Security
