Researchers have warned book fans about a new strain of malware that disguises itself as e-books and is distributed via torrents.
Threat actors sharing malware via torrents typically disguise the files as popular movies or cracks for expensive commercial software, since those lures reach a wide audience and let attackers distribute the malware to a larger group. E-books are rarely used as lures because such files appeal to a narrower audience.
However, cybersecurity researchers at Trellix say they have observed malware known as ViperSoftX being shared in this way. Users believe they are downloading an e-book, but the download also contains a hidden folder and a Windows shortcut (.lnk) file. Running the shortcut triggers the infection chain, resulting in the malware being deployed.
Information stealer and remote access Trojan
ViperSoftX is a type of malware that functions as an information stealer and a remote access trojan (RAT). It is designed to steal sensitive information such as login credentials, financial information, and other personal data from infected computers.
It was first observed in the wild in late 2019 and has since evolved through several updates and modifications, making it a persistent threat. Newer versions steal cryptocurrency wallet data from browser extensions, capture clipboard content, and more.
“A notable aspect of the current ViperSoftX variant is that it uses the Common Language Runtime (CLR) to dynamically load and execute PowerShell commands, thereby creating a PowerShell environment within AutoIt for operations,” the researchers stated, explaining how the malware remains hidden. “By using the CLR, ViperSoftX is able to seamlessly integrate PowerShell functionality, allowing it to execute malicious functions while evading detection mechanisms that might otherwise flag independent PowerShell activity.”
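The two indicators described above (a shortcut file sitting next to a hidden folder in a torrent "e-book" download, and a shortcut that embeds the name of the AutoIt or PowerShell interpreter it launches) can be checked on a downloaded folder before anything is opened. The following Python script is an added illustration, not code from Trellix or from the article; the folder layout, file names and the stand-in .lnk bytes are constructed for the demo, and the token list is an assumption about what such a shortcut is likely to contain.

```python
import os
import stat
import tempfile
from pathlib import Path

EBOOK_EXTS = {".pdf", ".epub", ".mobi", ".azw3"}
# Tokens a shortcut that starts an AutoIt/PowerShell chain is likely to embed (assumed list);
# LNK string data is UTF-16LE, so each token is checked in both encodings.
SUSPICIOUS_TOKENS = (b"powershell", b"autoit3", b".a3x", b"cmd.exe")

def is_hidden_dir(p: Path) -> bool:
    """Dot-prefixed (POSIX convention) or carrying FILE_ATTRIBUTE_HIDDEN (Windows)."""
    attrs = getattr(p.stat(), "st_file_attributes", 0) if p.exists() else 0
    return p.name.startswith(".") or bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)

def lnk_has_suspicious_strings(lnk: Path) -> bool:
    data = lnk.read_bytes().lower()  # lower() only touches ASCII bytes, so UTF-16LE survives
    return any(t in data or t.decode().encode("utf-16-le") in data for t in SUSPICIOUS_TOKENS)

def scan_download(root: Path) -> dict:
    """Collect the lure indicators from one download folder and give a verdict."""
    ebooks, shortcuts, hidden_dirs = [], [], []
    for dirpath, dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        hidden_dirs += [d / n for n in dirnames if is_hidden_dir(d / n)]
        for n in filenames:
            ext = Path(n).suffix.lower()
            if ext in EBOOK_EXTS:
                ebooks.append(d / n)
            elif ext == ".lnk":
                shortcuts.append(d / n)
    suspicious = [s for s in shortcuts if lnk_has_suspicious_strings(s)]
    # A shortcut beside a hidden folder, or one embedding an interpreter name, is the lure pattern
    lure = bool(shortcuts) and (bool(hidden_dirs) or bool(suspicious))
    return {"ebooks": ebooks, "shortcuts": shortcuts, "hidden_dirs": hidden_dirs,
            "suspicious_lnk": suspicious, "lure": lure}

def build_sample(base: Path) -> Path:
    """Constructed lure layout for the demo; the .lnk is stand-in bytes, not a real shortcut."""
    d = base / "Popular Novel (2024) [EPUB]"
    (d / ".data").mkdir(parents=True)
    (d / ".data" / "loader.a3x").write_bytes(b"\x00")  # hidden folder with a payload stand-in
    (d / "Popular Novel.epub").write_bytes(b"PK\x03\x04")  # decoy e-book
    (d / "Popular Novel.lnk").write_bytes(b"L\x00\x00\x00" + "PowerShell -w hidden".encode("utf-16-le"))
    return d

def demo() -> dict:
    """Scan the constructed sample and return its indicator dict (paths are temporary)."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_download(build_sample(Path(tmp)))
```

Call demo() to run the scan against the constructed sample; point scan_download() at a real download folder to triage it.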
While a powerful information stealer on its own, ViperSoftX has also served as a loader, helping threat actors distribute Quasar RAT and an information stealer called TesseractStealer, Hackers News reports.