ViperSoftX Uses Deep Learning-based Tesseract to Exfiltrate Information

by Prapattimynk, Thursday, 16 May 2024


AhnLab SEcurity intelligence Center (ASEC) has recently discovered ViperSoftX attackers using Tesseract to exfiltrate users’ image files. ViperSoftX is a malware strain that persists on infected systems, executes the attackers’ commands, and steals cryptocurrency-related information.

The newly discovered malware uses the open-source OCR engine Tesseract, which extracts text from images using deep learning techniques. The malware reads images stored on the infected system and extracts their text with the Tesseract library. If the extracted text contains phrases related to passwords or cryptocurrency wallet addresses, the malware exfiltrates those images.

This post briefly summarizes the ViperSoftX malware, which has been circulating for several years. Because features such as basic command execution and cryptocurrency wallet address theft are already covered in detail elsewhere, it focuses on the differences observed in the latest version and on the malware types the attackers distribute through ViperSoftX. The attackers continue to use ViperSoftX installed on multiple systems to install further malware strains, notably Quasar RAT and TesseractStealer.

1. ViperSoftX

ViperSoftX is a malware strain that can control infected systems and steal information, often distributed by being disguised as cracks or keygens for legitimate software. First identified by Fortinet in 2020, ViperSoftX installs both RAT malware strains capable of controlling infected systems and Infostealers designed to capture cryptocurrency wallet addresses [1].

In 2022, Avast reported new activity related to ViperSoftX. Instead of JavaScript, it employed PowerShell scripts, and its capabilities expanded beyond stealing cryptocurrency wallet addresses to include modifying clipboard contents and installing additional payloads. The malware also used VenomSoftX to install malicious browser extensions on Chrome-based web browsers to steal information [2]. TrendMicro’s 2023 report covered the distribution methods of ViperSoftX and noted that, compared to previous versions, routines had been added to check whether password managers such as “KeePass 2” and “1Password” were installed [3].

2. ViperSoftX Involved in Malware Distribution

The recently distributed ViperSoftX is similar to the type disclosed by Fortinet in the past: it transmits information about the infected system such as the computer name, user name, installed security products, and cryptocurrency-related data. It differs in that the User-Agent carrying this information is Base64-encoded and in that it uses the keyword “Welcome_2025” instead of “viperSoftx”.

Figure 1. ViperSoftX’s User-Agent string
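Because the beacon data travels in the User-Agent header and is only Base64-encoded rather than encrypted, it can be surfaced from proxy or web-gateway logs. The following added example (not code from the original post or from ASEC) decodes Base64-looking User-Agent values and flags requests whose plaintext carries the “Welcome_2025” marker or the older “viperSoftx” keyword. The log format, the field order inside the beacon, and the C&C host name in the sample lines are constructed assumptions; Figure 1 is not reproduced here, so the real field layout may differ.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional

# Markers: the post reports the current build using "Welcome_2025" where older builds used "viperSoftx".
CURRENT_MARKER = "Welcome_2025"
LEGACY_MARKER = "vipersoftx"

# Constructed plaintext in the shape the post describes (host name, user name, security product,
# crypto-related data). The field order and the "|" separator are assumptions, not taken from Figure 1.
_CONSTRUCTED_BEACON = "Welcome_2025|DESKTOP-A1B2|alice|Windows Defender|wallets=0"
_CONSTRUCTED_UA = base64.b64encode(_CONSTRUCTED_BEACON.encode()).decode()

# Constructed proxy log lines: client, quoted request line, status, quoted User-Agent.
# Only the second line is malicious; the C&C host is a placeholder, not the post's IoC.
SAMPLE_LOG = (
    '10.0.0.5 "GET http://example.org/ HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"\n'
    f'10.0.0.7 "POST http://c2-placeholder.invalid:80/connect HTTP/1.1" 200 "{_CONSTRUCTED_UA}"\n'
    '10.0.0.9 "GET http://example.org/app HTTP/1.1" 200 "curl/8.4.0"\n'
)

LOG_LINE = re.compile(r'^(\S+) "(\S+) (\S+) [^"]*" (\d{3}) "([^"]*)"$')
BASE64_TOKEN = re.compile(r"[A-Za-z0-9+/]+={0,2}")


@dataclass
class Hit:
    client: str
    url: str
    decoded: str


def decode_base64_text(token: str) -> Optional[str]:
    """Return the plaintext if token is valid Base64 for printable UTF-8 text, else None.

    Ordinary browser User-Agents contain spaces, dots and parentheses, so they never reach the decoder.
    """
    if len(token) < 16 or not BASE64_TOKEN.fullmatch(token):
        return None
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def scan_log(text: str) -> List[Hit]:
    """Flag requests whose User-Agent carries a ViperSoftX marker, in clear or after Base64 decoding."""
    hits: List[Hit] = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        client, _method, url, _status, ua = m.groups()
        decoded = decode_base64_text(ua)
        candidates = [ua] + ([decoded] if decoded else [])
        if any(CURRENT_MARKER in c or LEGACY_MARKER in c.lower() for c in candidates):
            hits.append(Hit(client, url, decoded or ua))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit.client} -> {hit.url}: {hit.decoded}")
```

The decoder deliberately requires a minimum length and strict Base64 validation so that short legitimate tokens do not produce false positives; the decoded beacon is kept in the hit so an analyst can read the host and user names the implant reported.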

The attackers installed a dropper named “win32.exe” to update ViperSoftX. The dropper contains malware strains named “Svchost.exe” and “System32.exe” in its internal resources and ultimately registers a PowerShell script named “update.ps1” in the Task Scheduler.

Figure 2. A dropper installed during the update

“update.ps1” generates the actual ViperSoftX PowerShell script and registers it in the Task Scheduler. As a result, tasks named “Check system” and “Chromeniumscrypt” are created to execute “update.ps1” located in the paths %PROGRAMDATA% and %PUBLIC% respectively.
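The persistence described above (scheduled tasks named “Check system” and “Chromeniumscrypt” that run “update.ps1” from %PROGRAMDATA% and %PUBLIC%) can be hunted for in exported task definitions. The following added example (not code from the original post or from ASEC) parses Task Scheduler XML of the kind produced by `schtasks /query /xml` and flags tasks by the reported task names, by a PowerShell action that runs update.ps1, and by a PowerShell script loaded from one of those user-writable roots. The sample task XML and the `-File` arguments are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# Task Scheduler XML schema namespace used by exported task definitions.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Task names the post reports ViperSoftX registering.
KNOWN_TASK_NAMES = {"check system", "chromeniumscrypt"}
# User-writable roots the post reports update.ps1 living in (%PROGRAMDATA% and %PUBLIC%),
# both as environment variables and as their default expanded paths.
WRITABLE_ROOTS = ("%programdata%", "%public%", r"c:\programdata", r"c:\users\public")
POWERSHELL_CMD = re.compile(r"(^|\\)(powershell|pwsh)(\.exe)?$", re.IGNORECASE)


def analyze_task(xml_text: str) -> Dict[str, object]:
    """Return the task name, its Exec command lines and the reasons (if any) it resembles ViperSoftX persistence."""
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=TASK_NS)
    name = uri.rsplit("\\", 1)[-1]
    reasons: List[str] = []
    if name.lower() in KNOWN_TASK_NAMES:
        reasons.append(f"task name '{name}' matches a reported ViperSoftX task")
    cmdlines: List[str] = []
    for exec_el in root.findall("t:Actions/t:Exec", TASK_NS):
        command = exec_el.findtext("t:Command", default="", namespaces=TASK_NS).strip().strip('"')
        args = exec_el.findtext("t:Arguments", default="", namespaces=TASK_NS).strip()
        cmdline = f"{command} {args}".strip()
        cmdlines.append(cmdline)
        if not POWERSHELL_CMD.search(command):
            continue  # only PowerShell actions are of interest for this family
        lowered = cmdline.lower()
        if "update.ps1" in lowered:
            reasons.append("PowerShell action runs update.ps1")
        if any(root_dir in lowered for root_dir in WRITABLE_ROOTS):
            reasons.append("PowerShell action loads a script from a user-writable root")
    return {"name": name, "commands": cmdlines, "suspicious": bool(reasons), "reasons": reasons}


def _task_xml(uri: str, command: str, arguments: str) -> str:
    """Build a minimal task export (constructed; real exports carry triggers, principals and settings too)."""
    return (
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        f"<RegistrationInfo><URI>{uri}</URI></RegistrationInfo>"
        '<Actions Context="Author"><Exec>'
        f"<Command>{command}</Command><Arguments>{arguments}</Arguments>"
        "</Exec></Actions></Task>"
    )


# Constructed samples: the two reported task names with assumed arguments, plus one benign task.
SAMPLE_TASKS = [
    _task_xml(r"\Check system", "powershell.exe", r"-File C:\ProgramData\update.ps1"),
    _task_xml(r"\Chromeniumscrypt",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"-File %PUBLIC%\update.ps1"),
    _task_xml(r"\Nightly backup", r"C:\Tools\backup.exe", "--nightly"),
]


if __name__ == "__main__":
    for task_xml in SAMPLE_TASKS:
        result = analyze_task(task_xml)
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{flag:10} {result['name']}: {'; '.join(result['reasons']) or '-'}")
```

The name check alone is brittle (the attackers can rename tasks), so the two command-line checks are the ones worth keeping in a rule; both fire on a PowerShell action only, which keeps ordinary scheduled binaries out of the results.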

Unlike the past versions which supported six commands, the recent iteration of ViperSoftX features only three commands: “DwnlExe”, “Cmd”, and “SelfRemove”.

Figure 3. ViperSoftX’s main routine

In addition, there are also PowerShell scripts that download and execute external commands and VenomSoftX PowerShell scripts responsible for installing browser extension malware strains. The PowerShell scripts are registered in the Task Scheduler to run continuously on the system, ensuring they are updated regularly.

Figure 4. Downloader and VenomSoftX PowerShell scripts

Threat actors can utilize the installed ViperSoftX on the infected system to install additional malware, with cases confirming the installation of Quasar RAT or TesseractStealer.

3. Quasar RAT

Quasar RAT is an open-source RAT developed in .NET. Like most RATs, it provides process, file, and registry management, remote command execution, and file download and upload. It can also collect user environment information through its keylogging and credential-harvesting features and lets the attackers control the infected system in real time through its remote desktop feature.

Figure 5. Quasar RAT’s features

The attackers have been distributing Quasar RAT using ViperSoftX, a practice that has been observed at least since July 2023. They seem to be distributing Quasar RAT to multiple infected systems in bulk rather than targeting specific individuals. Especially since March 2024, numerous cases of Quasar RAT installation have been consistently observed on a large number of systems.

Most of the Quasar RATs used in the attacks have no significant distinguishing features, but recently, cases utilizing the Tor network have also been identified. The malware installs the Tor web browser and then uses it as a proxy server to communicate with the C&C server. The actual C&C server address stored in the configuration information also uses an Onion domain.

Figure 6. Quasar RAT installing Tor
Figure 7. C&C Server using an Onion domain

4. TesseractStealer

The attackers installed an infostealer in addition to Quasar RAT. This post refers to it as TesseractStealer. TesseractStealer uses the open-source OCR engine Tesseract, which extracts text from images using deep learning techniques [4].

Figure 8. Tesseract open-source project

TesseractStealer first writes the Tesseract (tesseract50.dll) and Leptonica (leptonica-1.82.0.dll) library files stored in its resources to disk, together with the training data file (eng.traineddata) and the font file (pdf.ttf). It then enumerates the image files on the system, specifically “.png”, “.jpg”, and “.jpeg” files, excluding those located in an “editor” directory.

Figure 9. A routine for generating files required for the image extraction process

It then uses the dropped Tesseract library to extract text from each image file and checks whether the extracted text contains any of the strings listed under Reference Material below. If one is present, it sends the image file to the C&C server.

Figure 10. A routine for inspecting strings in the image file
Figure 11. A routine for stealing matched images

The inspected strings all relate to OTPs, passwords required for recovery, cryptocurrency wallet addresses, and similar data. In other words, the attackers appear to target users who keep wallet addresses or passwords as screenshots saved in image files, with the aim of stealing them. For example, the phrase “Your wallet generation seed is” is likely aimed at the seed phrase shown when an Electrum wallet address is generated. With the stolen seed phrase, the attackers can restore the wallet and steal the cryptocurrency.

Figure 12. The seed input window when creating a cryptocurrency wallet [5]
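Because TesseractStealer has to drop the Tesseract and Leptonica libraries, the training data and the font file next to its own binary before it can OCR anything, those files are a usable host artifact. The following added example (not code from the original post or from ASEC) walks a directory tree and reports folders that hold several of the reported file names together, while skipping an allowlist of directory-name fragments for legitimate OCR installs. The allowlist fragment, the drop location under Users\Public and the whole demo tree are constructed assumptions; the file names come from the post.

```python
import os
import tempfile
from pathlib import Path
from typing import List, Sequence

# Files the post reports TesseractStealer writing out of its resources before it OCRs images.
STEALER_ARTIFACTS = {"tesseract50.dll", "leptonica-1.82.0.dll", "eng.traineddata", "pdf.ttf"}
# Assumed allowlist of directory-name fragments for legitimate OCR installs; tune per environment.
DEFAULT_ALLOWLIST: Sequence[str] = ("tesseract-ocr",)


def find_tesseract_drops(root: Path, min_matches: int = 3,
                         allowlist: Sequence[str] = DEFAULT_ALLOWLIST) -> List[Path]:
    """Return directories holding at least min_matches of the stealer's artifacts, skipping allowlisted paths.

    Requiring several names together keeps a lone eng.traineddata (common in OCR tooling) from firing.
    """
    hits: List[Path] = []
    for dirpath, _dirs, files in os.walk(root):
        lowered = dirpath.lower()
        if any(fragment in lowered for fragment in allowlist):
            continue
        present = {f.lower() for f in files} & STEALER_ARTIFACTS
        if len(present) >= min_matches:
            hits.append(Path(dirpath))
    return hits


def build_demo_tree() -> Path:
    """Constructed layout (not from the post): one drop folder, one allowlisted OCR install, one unrelated folder."""
    base = Path(tempfile.mkdtemp(prefix="tess_hunt_"))
    drop = base / "Users" / "Public" / "Libraries"
    drop.mkdir(parents=True)
    for name in STEALER_ARTIFACTS:
        (drop / name).write_bytes(b"")
    (drop / "PLACEHOLDER-stealer.x").write_bytes(b"")  # stands in for the stealer binary itself
    legit = base / "Program Files" / "Tesseract-OCR"  # matches the allowlist fragment
    legit.mkdir(parents=True)
    for name in ("tesseract50.dll", "leptonica-1.82.0.dll", "eng.traineddata"):
        (legit / name).write_bytes(b"")
    other = base / "Users" / "alice" / "Pictures"
    other.mkdir(parents=True)
    (other / "holiday.png").write_bytes(b"")
    return base


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for hit in find_tesseract_drops(demo_root):
        print(f"possible TesseractStealer drop folder: {hit}")
```

On a real host, point `find_tesseract_drops` at the drive root and review each hit's executable alongside the hashes in the IoC list; running with an empty allowlist shows what the allowlist suppresses.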

5. Conclusion

Recent activity by ViperSoftX, a malware strain that controls infected systems and steals user information, has increased noticeably. ViperSoftX is known to be distributed mainly disguised as cracks or keygens for legitimate applications, and it installs additional malware while persistently residing on the infected system. Recently, attackers have been using ViperSoftX to install Quasar RAT and TesseractStealer. TesseractStealer uses the OCR engine Tesseract to read the text in the user’s image files, specifically targeting screenshots that contain passwords or cryptocurrency-related information.

Users should exercise caution when downloading executables from suspicious websites or file-sharing sites. It is strongly recommended to download programs such as tools and games only from their official websites. Also, V3 should be updated to the latest version so that malware infection can be prevented.

File Detection
– Backdoor/Win32.QuasarRAT.R341693 (2020.06.27.06)
– Trojan/Win.Generic.C5440564 (2023.06.13.01)
– Trojan/Win32.Agent.C2862808 (2018.11.28.00)
– Trojan/Win32.RL_Downeks.C4069173 (2020.04.19.01)
– Infostealer/Win.Tesseract.R646594 (2024.04.29.02)
– Trojan/Win32.Subti.R285137 (2019.08.06.05)
– Trojan/PowerShell.ViperSoftX (2024.04.29.03)
– Downloader/Powershell.ViperSoftX.SC199376 (2024.04.29.02)
– Downloader/Powershell.ViperSoftX.S2677 (2024.05.03.03)
– Trojan/JOB.ViperSoftX.S2679 (2024.04.29.02)
– Trojan/JOB.ViperSoftX.S2680 (2024.04.29.02)

AMSI Detection
– Downloader/Powershell.ViperSoftX.SA2678 (2024.05.03.03)

Behavior Detection
– Malware/MDP.Inject.M2907
– Execution/MDP.Powershell.M1185
– Execution/MDP.Powershell.M1201

IoCs
MD5s

– f9bb6ef02f29f52ff126279ff7d044bb: ViperSoftX Dropper (win32.exe)
– bdd3d30ea4bc94d1240ea75f1aa212eb: ViperSoftX Installer (Svchost.exe)
– f52616c47b243f3373248ed2a5f49e1c: ViperSoftX Installer (System32.exe)
– c21b68dae810444cc013722e97b77802: ViperSoftX PowerShell Installer (update.ps1)
– d9a4b64d20c6860f12b6da0ecd53983a: ViperSoftX PowerShell (update.ps1)
– 4373f159c79da9ecf7a05b81868c3a97: ViperSoftX Downloader PowerShell
– 240766d7b6b936fad871ea1a7fefc141: VenomSoftX PowerShell (Decrypted)
– c00e53e8cbb5701157002091db4a2500: Quasar RAT – July 2023 (microsoft.exe)
– 3b20a80251740bb4443968cdd125b99d: Quasar RAT – July 2023 (csrss.exe)
– fffb28442b89e1387b30a40cbb211570: Quasar RAT – July 2023 (NVIDIA.exe)
– 66bdc2d36d460fb25bb2114f770d5ade: Quasar RAT – after March 2024 (powershells.exe)
– 06cba6b21f02f980f755da363dfc50a8: Quasar RAT – after March 2024 (dllhost.exe)
– 6987e127bc6c12fcb9f1876e8ecf64d1: Quasar RAT – after March 2024 (conhost.exe)
– 862d9a823ae99b9181b749ae66198bca: Quasar RAT – Tor, after March 2024 (java.exe)
– 4c96de9869538349c8daae65342ad94c: TesseractStealer (56cb4553-d33a-42b8-8d77-bb3f279f5191.x)

C&C Servers
– hxxp://mysystemes[.]com:80/connect: ViperSoftX PowerShell
– hxxp://xboxwindows[.]com/api/v1/: ViperSoftX DownLoader PowerShell
– bideo.duckdns[.]org:15: Quasar RAT (July 2023)
– bideo.duckdns[.]org:2: Quasar RAT (July 2023)
– bideo.duckdns[.]org:7: Quasar RAT (July 2023)
– mvps-remote.duckdns[.]org:103: Quasar RAT (after March 2024)
– youtubevideos.duckdns[.]org:5: Quasar RAT (after March 2024)
– win32updates.duckdns[.]org:1: Quasar RAT (after March 2024)
– x75tjpwatl2uyunijiq6jwqhlar3j5fkpi5optv7tfreijbpylwnnbqd[.]onion:8880: Quasar RAT (after March 2024)
– hxxps://22.rooz2024.workers[.]dev: TesseractStealer

Download URLs
– hxxps://www.uplooder[.]net/f/tl/92/fd73d54c0013b987b9f3b66d839975d9/csrss.exe: Quasar RAT
– hxxp://rooz2024[.]com/wfdfsgfsgdh/wfin.x: TesseractStealer

Reference Material
– Strings used for selecting target images for stealing

“if you have any problem with scanning the qr”,
“enable google authentication”,
“write down each word”,
“write down your secret phrase”,
“do not create a digital copy such as a screenshot”,
“write down or copy these words”,
“do not share your phrase to anyone”,
“you will be shown a secret phrase on the next screen”,
“your wallet generation seed is”,
“please save these 12 words”,
“write down this 12-word secret recovery”,
“Please write down the following words and keep them in a secure place”,
“Warning: Do not share these words with anyone. If lost, you might lose your funds”,
“Ensure you write these words in their order and store them offline”,
“These words are the key to recovering your wallet. Do not lose them”,
“If you lose access to your wallet, these words can be used for its recovery”,
“Do not store these words on your device or in an email. Use a piece of paper to note them down and keep it in a safe place”,
“Your seed phrase is the only way to restore your funds. Keep it private”,
“Never enter your seed phrase into any website or software you don’t trust”,
“Avoid storing your seed phrase electronically to minimize hacking risks”,
“If someone gets access to your seed phrase, they have access to your funds”,
“Always double-check and verify your seed words before finalizing”,
“Lost seed phrases cannot be recovered by us or anyone else”,
“For added security, consider storing multiple physical copies of your seed phrase in different locations”,
“Never disclose your seed phrase, even to support or staff members”,
“Do a regular check to ensure you still have access to your seed phrase”,
“Using a passphrase in conjunction with your seed phrase can provide an extra layer of security”,
“Remember, your funds are as safe as your ability to keep your seed phrase secure”,
“It’s your responsibility to ensure the confidentiality of your seed phrase”
