CUJO AI Monitors ViperSoftX Malware Threats
Quick take - CUJO AI’s Security Research Lab is investigating the advanced persistent threat ViperSoftX malware, which utilizes sophisticated techniques such as domain generation algorithms and stealthy communication methods to evade detection and facilitate cyberattacks, particularly through pirated software.
Fast Facts
- CUJO AI’s Security Research Lab is monitoring the advanced persistent threat (APT) known as ViperSoftX, which spreads primarily through pirated software and key generators.
- ViperSoftX utilizes Domain Generation Algorithms (DGA) to create fake domains, complicating detection by blending malicious HTTP queries with legitimate traffic.
- The malware operates in multiple stages, including DNS resolution for malicious domains, HTTP-based communication for payload retrieval, and credential harvesting.
- Recent developments include a PowerShell script that stealthily redirects DNS queries to maintain command and control (C2) communication while appearing legitimate.
- CUJO AI employs strategies to disrupt ViperSoftX’s operations, such as blocking malicious domains and monitoring for suspicious URI patterns and IP addresses.
CUJO AI’s Security Research Lab has been actively monitoring sophisticated cyber threats, with a particular focus on the ViperSoftX malware. This malware is classified as an advanced persistent threat (APT).
Detection and Analysis
The initial detection of ViperSoftX was triggered by a notable spike in activity flagged by CUJO AI's machine learning systems. These systems identified tens of thousands of newly created fake domains embedded in malicious HTTP headers, generated using Domain Generation Algorithms (DGA). This prompted further investigation into the command and control (C2) infrastructure associated with this malware. The analysis revealed consistent URI patterns and specific domain naming conventions, linking the suspicious activity to the ViperSoftX malware family.
The initial payload of ViperSoftX starts a DNS resolution for a malicious domain that is generated dynamically from preconfigured word lists. The malware then crafts malicious HTTP queries that blend in with legitimate network traffic, making detection particularly challenging. ViperSoftX spreads predominantly through pirated software, cracks, and key generators, so users download the malware without realizing it.
Multi-Stage Operation
Upon execution, the malware enters a multi-stage operation. In the second stage, it utilizes two methods for retrieving subsequent payloads: HTTP-based communication and DNS TXT record retrieval. The HTTP-based method generates up to 50 potential C2 domains and constructs HTTP requests with custom headers. The DNS TXT record retrieval method queries dynamically generated domains for encrypted data fragments, which are then processed locally.
In the third stage, ViperSoftX establishes direct communication with a disposable C2 domain, often protected by Cloudflare, complicating efforts to trace its activity. The malware generates a unique identifier based on system-specific data to facilitate this connection. The fourth stage focuses on advanced communication and data gathering, specifically targeting credential harvesting, cryptocurrency wallet identification, system analysis, and network communication analysis.
The fifth and final stage involves hands-on interaction by the threat actor, who targets high-value systems selected from the previously gathered intelligence. This allows the attacker to exfiltrate funds, steal sensitive data, and move laterally within the compromised network.
Countermeasures and Recent Developments
To counter the ViperSoftX threat, CUJO AI employs strategies aimed at disrupting its communication channels and operational foothold. Key disruption efforts include blocking HTTP connections and DNS resolutions for known malicious domains, detecting and blocking specific URI patterns, and monitoring related IP addresses. Continuous monitoring of update channels is crucial for detecting attempts to receive new payloads.
Recent developments in the ViperSoftX operation include a PowerShell script that stealthily overrides the legitimate Resolve-DnsName cmdlet with its own function of the same name. This script redirects DNS queries to maintain C2 communication without altering the initial payload. The redirection mechanism scans for specific prefixes in domain names and alters them using a predefined list, while still passing queries through to the legitimate command so that normal DNS resolution keeps working alongside the redirection.
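As an added defensive example (not code from the CUJO AI article or from the malware itself), the following Python scans PowerShell script block log text for the tampering pattern described above, a script placing its own function or alias in front of the built-in Resolve-DnsName cmdlet. The sample events, host names and the alias target are constructed for illustration.

```python
import re

# Cmdlet the article reports being overridden; more names can be added on the same basis.
WATCHED_CMDLETS = ["Resolve-DnsName"]


def _shadow_patterns(name):
    """Ways a script can make a user-defined command win command resolution over a cmdlet:
    declaring a function with the cmdlet's name, creating an alias with that name, or
    writing directly to the Function: drive. PowerShell names are case-insensitive."""
    n = re.escape(name)
    return {
        "function-definition": re.compile(rf"\bfunction\s+(?:global:|script:)?{n}\b", re.I),
        "alias": re.compile(rf"\b(?:Set|New)-Alias\b[^\n]*\b{n}\b", re.I),
        "function-drive": re.compile(rf"\bFunction:\\?{n}\b", re.I),
    }


def find_shadowing(script_text):
    """Return [(cmdlet, technique), ...] for every watched cmdlet that this script block
    shadows. A plain call such as 'Resolve-DnsName example.com' is not reported."""
    hits = []
    for name in WATCHED_CMDLETS:
        for technique, pattern in _shadow_patterns(name).items():
            if pattern.search(script_text):
                hits.append((name, technique))
    return hits


def scan_events(events):
    """events: iterable of dicts shaped like parsed script block log records
    ({'host': ..., 'script': ...}); returns one alert dict per finding."""
    alerts = []
    for event in events:
        for cmdlet, technique in find_shadowing(event["script"]):
            alerts.append({"host": event["host"], "cmdlet": cmdlet, "technique": technique})
    return alerts


# Constructed sample script blocks (not real ViperSoftX code): one benign lookup,
# one function redefinition, one alias pointing at a hypothetical proxy function.
SAMPLE_EVENTS = [
    {"host": "ws01", "script": "Resolve-DnsName -Name example.com -Type A"},
    {"host": "ws02", "script": "function Resolve-DnsName {\n  param($Name)\n"
                               "  # body omitted: would rewrite $Name before calling the real cmdlet\n}"},
    {"host": "ws03", "script": "Set-Alias -Name Resolve-DnsName -Value Invoke-LookupProxy"},
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(f"{alert['host']}: {alert['cmdlet']} shadowed via {alert['technique']}")
```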
The adaptability and resourcefulness of ViperSoftX pose significant challenges for cybersecurity defenders. Continuous monitoring and proactive intervention by security solutions are essential to complicate operations for these attackers and safeguard networks against such sophisticated threats.
Original Source: Read the Full Article Here