Prague, Czech Republic, November 21, 2022 — Researchers from Avast, a global leader in digital security and privacy, published an in-depth analysis of ViperSoftX today. ViperSoftX is an information stealer primarily used to steal cryptocurrencies. The information stealer often installs a browser extension, Avast researchers named VenomSoftX, to gain full access to Chromium browsers. ViperSoftX is mainly spread via cracked software versions of Adobe Illustrator, Corel Video Studio, and Microsoft Office commonly distributed using torrents. Avast blocked more than 93,000 ViperSoftX infection attempts globally since January 2022. The top three countries in which Avast blocked ViperSoftX are India, the United States, and Italy, where Avast protected more than 7,000, 6,000 and 5,000 customers.

“We estimate the cybercriminals behind ViperSoftX stole more than $130,000* in cryptocurrencies, stealing Bitcoins, Ethereum, Dogecoins, Bitcoin Cach, Cosmos (ATOM), Tezos, and Dash,” said Jan Rubin, malware researcher at Avast. “When people download cracked versions of software, they intend to save money, but all too often they end up losing money. Oftentimes, we see malware disguised as cracked software, and we recommend people to be wary of this and stick to the official software versions. In this case, instead of downloading the desired software, people download an executable file named ‘Activator.exe’ or ‘Patch.exe’, and upon execution, their computers become infected with the information stealer.”

ViperSoftX’s Stealing Capabilities

ViperSoftX is capable of stealing information related to the infected device, including computer name, username, details about the operating system and its architecture, and if the device runs active antivirus software. ViperSoftX steals cryptocurrencies stored locally on the infected device in cryptocurrency software and browser extensions and monitors the clipboard for cryptocurrency wallet addresses to perform clipboard swapping.

Furthermore, the information stealer logs cryptocurrency and other financial applications.

ViperSoftX scans clipboard content to detect wallet addresses. If a wallet address is detected, the malware replaces the clipboard content with the attacker's address, sending the money directly to the cybercriminal’s account. Cryptocurrencies the information stealer steals include: BTC, BCH, BNB, ETH, XMR, XRP, DOGE, and DASH.

Additionally, the stealer has remote access Trojan (RAT) functionalities and can therefore execute arbitrary commands on the command line, download additional payloads provided by the C&C server, and can remove itself from the infected system.

VenomSoftX browser extension stealing capabilities

The malicious extension, VenomSoftX, that ViperSoftX silently installs provides attackers with full access to victims’ browsers, like Chrome, Edge, Brave, and Opera. VenomSoftX disguises itself as well-known browser extensions, like Google Sheets. The extension hooks API requests on some of the most popular crypto exchanges, like Blockchain.com, Binance, Coinbase, Gate.io, and Kucoin. When an API is called to send or withdraw cryptocurrencies, the VenomSoftX extension tampers with the request to redirect all the cryptocurrencies in the victims’ account to the attackers’ account. This method works at a lower level than common clipboard swapping, making it very difficult to detect. The extension is also capable of stealing crypto exchange passwords.

Avast One helps protect people from ViperSoftX and VenomSoftX.

The full analysis of ViperSoftX can be found on the Avast Decoded blog.

*As of November 8, 2022