A new version of an already active malware is now shifting focus to target 1Password – in our view the best password manager for families – and KeePass.
ViperSoftX is an infostealer that has already been after crypto wallets, but its now attacking more of them, in addition to multiple web browsers – not just Google Chrome – and password managers as well.
It also has stronger code encryption now and is better at avoiding detection from antivirus tools.
New version
ViperSoftX can install the malicious Chrome extension VenomSoftX, but according to security researchers Trend Micro (opens in new tab), it can now also infect Microsoft Edge, Mozilla Firefox, Opera and Brave.
The malware was first discovered in 2020 stealing crypto currency using a JavaScript-based RAT (remote access trojan). By 2022, however, Avast (opens in new tab) found that it had advanced considerably in its capabilities, with the cybersecurity vendor claiming that it had stopped close to 100,000 attacks on its customers from the malware through most of last year. Most victims were based in the U.S., Italy, Brazil, and India.
It seems that now, however, ViperSoftX has extended its global reach, with Trend Micro detecting additional prominent activity in Australia, Japan, Taiwan, Malaysia and France. Enterprises and consumers alike are being targeted too. Analysts found that the malware is often hidden in software cracks and activators.
In addition to attacking many more crypto wallets now, the latest version of ViperSoftX has been found by Trend Micros to be scouring for files associated with 1Password and KeePass, and attempting to steal data related to their browser extensions.
An exploit tracked as CVE-2023-24055 does allow for stored passwords to be exported in a plain text file, but Trend Micro found now evidence that this is being used by ViperSoftX.
However, it told BleepingComputer (opens in new tab) that it could steal users’ vaults in the later stages of the attack, once the malware has taken hold and extracted data from the victim’s system and sent it to the threat actor.
More worringly, the new ViperSoftX uses DLL sideloading in order to be mistakenly recognized as a trusted process, thus remaining undetected by security software. It also checks to see if monitoring tools like VMWare or Process Monitor and antivirus software such as Windows Defender and ESET are present on the system before it it begins its processes.
It also uses byte mapping, a technique to encrypt its code in a way that makes it much harder to decrypt without having the correct map to do so.