{"id":17744,"date":"2020-02-14T14:40:06","date_gmt":"2020-02-14T22:40:06","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2020\/02\/14\/news-11477\/"},"modified":"2020-02-14T14:40:06","modified_gmt":"2020-02-14T22:40:06","slug":"news-11477","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2020\/02\/14\/news-11477\/","title":{"rendered":"ViperSoftX – New JavaScript Threat"},"content":{"rendered":"
\n
\n
<\/div>\n<\/p><\/div>\n
\n

FortiGuard Labs<\/a>\u00a0Threat Analysis<\/p>\n

Affected Platforms:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Windows
Impacted Users: \u00a0 \u00a0 \u00a0 \u00a0 \u00a0Any Windows users
Threat Severity: \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 High \u2013 allows the attacker to gain remote access.<\/p>\n

Recently, FortiGuard Labs, leveraging the FortiEDR endpoint protection platform, detected and blocked a new and highly obfuscated malicious malware in a large OT environment. This newly discovered JavaScript-based Remote Access Trojan (RAT) and cryptocurrency stealer, which we have dubbed \u201cViperSoftX\u201d (due to a hardcoded string used by its creator), became notably active towards the end of 2019, and remains so as of the time of this writing. In this blog post we will analyze the tactics, techniques, and procedures (TTPs) used by this new discovered threat along with details on the campaign we uncovered that uses this new malware. <\/p>\n

Obfuscation<\/h2>\n

ViperSoftX unravels\u00a08 layers<\/b>\u00a0of code obfuscation before executing its actual payload. There are 3 different types of obfuscation techniques being employed:<\/p>\n

    \n
  1. AES Decryption:<\/u>\u00a0This is only used in the first layer. The author copy-pasted chunks of code that implements the AES algorithm from the widely used\u00a0CryptoJS<\/a>\u00a0library. Every sample has a different hardcoded AES key.<\/li>\n
  2. Converting Char Arrays:<\/u>\u00a0This method executes only once as well, usually at the third layer, and has the simple functionality of evaluating a hardcoded array of characters.<\/li>\n
  3. UTF8 Decoding:<\/u>\u00a0This method is the most recurring deobfuscation layer. It contains code snippets most likely copied from the online\u00a0<\/span>Web Toolkit<\/a>\u00a0to perform UTF-8 decoding.\u00a0<\/span><\/li>\n<\/ol>\n

    Another effective method used to thwart the analysis of this malware is appending a non-ascii character at the end of the script, which results in encoding exceptions in most of the existing debuggers and basic deobfuscation methods.<\/p>\n

    Persistency<\/h2>\n

    ViperSoftX starts by placing a copy of itself under\u00a0%APPDATA%<\/i>. The author attempts to disguise the malicious script by using seemingly legitimate names such as vpn_port.dll, reg.converter.sys, install.sig,\u00a0<\/i>and\u00a0install.db<\/i>.<\/p>\n

    To establish persistency, the malware drops another script file under\u00a0%APPDATA%<\/i>\u00a0and creates a shortcut in the startup directory to invoke it. The dropped script is a VBScript file, which in turn, executes ViperSoftX:<\/p>\n<\/p><\/div>\n

    \n
    \n

    Set WshShell = WScript.CreateObject(“””WScript.Shell”””)<\/span><\/p>\n

    Obj = WshShell.Run(“””wscript.exe \/E:jscript “””[PATH TO THE JS FILE]”””<\/span><\/p>\n

    Set WshShell = Nothing<\/span><\/p>\n

    Figure 1: Dropped VBScript<\/span><\/em><\/strong><\/p>\n<\/div><\/div>\n

    \n

    RAT Functionality<\/h2>\n

    After establishing persistency, ViperSoftX queries the C&C server to fetch a command for execution. It does so in an infinite loop, and following each command execution it sleeps for 3 seconds.<\/p>\n

    The requests are sent in plain-text via HTTP PUT request to\u00a0hxxp:\/\/seko[.]vipers[.]pw:8880\/connect.<\/b><\/p>\n<\/p><\/div>\n