"This Malware Installs Malicious Browser Extensions to Steal Users' Passwords and Cryptos"
A malicious extension for Chromium-based web browsers has been discovered to be distributed by ViperSoftX, a long-standing Windows information-stealer. The rogue browser add-on was dubbed VenomSoftX by a Czech-based cybersecurity firm due to the standalone features that allow it to access website visits, steal credentials, steal clipboard data, and even swap cryptocurrency addresses via an adversary-in-the-middle (AiTM) attack. Fortinet described ViperSoftX, which first surfaced in February 2020, as a JavaScript-based Remote Access Trojan (RAT) and cryptocurrency stealer. Sophos threat analyst Colin Cowie documented the malware's use of a browser extension to advance its information-gathering goals earlier this year. According to Avast researcher Jan Rubin, this multi-stage stealer has interesting hiding capabilities, such as hiding as small PowerShell scripts on a single line in the middle of otherwise innocent-looking large log files. ViperSoftX specializes in cryptocurrency theft, clipboard swapping, fingerprinting the infected machine, and downloading and executing arbitrary additional payloads or commands. ViperSoftX is typically spread through the use of cracked software for Adobe Illustrator and Microsoft Office that is hosted on file-sharing sites. The downloaded executable file contains a clean version of the cracked software as well as additional files that enable persistence on the host and contain the ViperSoftX PowerShell script. Newer variants of the malware can also load the VenomSoftX add-on from a remote server into Chromium-based browsers like Google Chrome, Microsoft Edge, Opera, Brave, and Vivaldi. This is done by looking for LNK files for the browser applications and changing the shortcuts with a command line switch that points to the path where the unpacked extension is stored. According to Rubin, the extension attempts to disguise itself as well-known and widely used browser extensions such as Google Sheets. This article continues to discuss the distribution and capabilities of ViperSoftX malware.