ViperSoftX malware covertly runs PowerShell using AutoIT scripting

The latest variants of the ViperSoftX info-stealing malware use the common language runtime (CLR) to load and execute PowerShell commands within AutoIt scripts to evade detection.

CLR is a key component of Microsoft’s .NET Framework, serving as the execution engine and runtime environment for .NET applications.

ViperSoftX uses CLR to load code within AutoIt, a scripting language for automating Windows tasks that are typically trusted by security solutions.

In addition, researchers found that the developer of the malware incorporated modified offensive scripts in the latest versions to increase sophistication.

Infection chain

ViperSoftX has been around since at least 2020 and it is currently distributed on torrent sites as ebooks that deliver malicious RAR archives with a decoy PDF or ebook file, a shortcut (.LNK) file, and PowerShell and AutoIT scripts disguised as JPG image files.

Files in the RAR archive
Source: Trellix

Malware researchers at cybersecurity company Trellix say that the infection starts when victims execute the .LNK file. During the process, it loads the PowerShell script that hides within blank spaces commands that are automatically executed in the Command Prompt.

The PS script moves to the %APPDATA%MicrosoftWindows directory two files (zz1Cover2.jpg and zz1Cover3.jpg). One of them is the executable for AutoIt and renamed AutoIt3.exe.

To maintain persistence, the same script configures the Task Scheduler to run AutoIt3.exe every five minutes after the user logs in.

Scheduled tasks added by ViperSoftX
Source: Trellix

Stealthy operation

By using CLR to load and execute PowerShell commands within the AutoIt environment, ViperSoftX seeks to blend into legitimate activities on the system and evade detection.

This is possible because despite AutoIT not supporting .NET CLR natively, users can define functions that allow invoking PowerShell commands indirectly.

ViperSoftX uses heavy Base64 obfuscation and AES encryption to hide the commands in the PowerShell scripts taken from the image decoy files.

The malware also includes a function to modify the memory of the Antimalware Scan Interface (AMSI) function (‘AmsiScanBuffer’) to bypass security checks on the scripts.

ViperSoftX attack flow
Source: Trellix

For network communication, ViperSoftX uses deceptive hostnames like ‘security-microsoft.com. To stay under the radar, system information is encoded in the Base64 format and the data is delivered via a POST request with a content length of “0.” In doing so, the threat actor again tries to avoid attention due to the lack of body content.

The objective of ViperSoftX is to steal the following data from compromised systems:

System and hardware details
Cryptocurrency wallet data from browser extensions like MetaMask, Ronin Wallet, and many others
Clipboard contents

ViperSoftX checking the browser extensions
Source: Trellix

Trellix says that ViperSoftX has refined its evasion tactics and has become a bigger threat. By integrating CLR to execute PowerShell inside AutoIt, the malware manages to run malicious functions while evading security mechanisms that typically catch standalone PowerShell activity.

The researchers describe the malware as a sophisticated and agile modern threat that can be thwarted with “a comprehensive defense strategy that encompasses detection, prevention, and response capabilities.”