10 July 2024

ViperSoftX malware now distributed as eBooks via torrents

Threat actors behind the sophisticated malware called ViperSoftX have evolved their distribution methods and now disguise the malware as eBooks delivered via torrents, according to a new report from cybersecurity firm Trellix.

First spotted in 2020, ViperSoftX has undergone several iterations, with each version becoming more complex and advanced. Initially, the malware spread mainly through cracked software, luring users with pirated applications that secretly installed the malware.

A notable aspect of the current variant of ViperSoftX is that it uses the Common Language Runtime (CLR) to dynamically load and run PowerShell commands, creating a PowerShell environment within AutoIt for operations, the report explains. “By utilizing CLR, ViperSoftX can seamlessly integrate PowerShell functionality, allowing it to execute malicious functions while evading detection mechanisms that might otherwise flag standalone PowerShell activity.”

The attack begins when a user downloads what they believe is a legitimate eBook from a malicious torrent link. The downloaded RAR archive conceals several components: a hidden folder, a shortcut (LNK) file masquerading as a harmless PDF, a PowerShell script and an AutoIt script, both disguised as JPG files, and AutoIt.exe itself.

The hidden folder holds copies of the same files as the top-level folder, plus the PDF or eBook document that serves as the decoy. When the user opens the shortcut, it launches a command sequence that first reads the contents of "zz1Cover4.jpg" and then executes each line of that file as a Command Prompt command, so a whole chain of malicious commands runs without any further user interaction.

The "JPG" is therefore not an image at all: zz1Cover4.jpg carries PowerShell code buried among blank lines and interspersed with text resembling process log entries, so a casual look at the file shows mostly whitespace and noise. The PowerShell code unhides the hidden folder, sums the sizes of all disk drives and uses the resulting number as both the file name for the AutoIt script and the name of a scheduled task, registers that task in Windows Task Scheduler, and copies files into the Windows directory. Because the number differs from machine to machine, detections cannot rely on a fixed file or task name.
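A triage script for an extracted archive of this kind, added here as an example (it is not Trellix's tooling and not code from the report): it flags files whose image extension does not match their magic bytes, scans those files and any Windows shell-link file for command-line and PowerShell indicators, and reports sub-folders that repeat the parent folder's file names, the decoy-copy layout described above. The folder layout, the file names other than zz1Cover4.jpg, the indicator list and the payload text are all constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# Magic bytes an honest file of each image extension starts with.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# Strings that have no business inside an image or an eBook shortcut.
# The list is my own, chosen to match the chain described in the article.
SCRIPT_INDICATORS = re.compile(
    rb"(powershell|-encodedcommand|frombase64string|invoke-expression|\biex\b|"
    rb"schtasks|register-scheduledtask|attrib\s+-h|for\s+/f|win32_logicaldisk|autoit)",
    re.IGNORECASE,
)

# Shell link (.lnk) header: HeaderSize 0x4C followed by the ShellLink CLSID
# 00021401-0000-0000-C000-000000000046 in little-endian field order.
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"


def indicators_in(data: bytes) -> list:
    """Distinct indicator strings in data, checked on the raw bytes and on a
    UTF-16LE decoding (LNK command-line arguments are stored as UTF-16LE)."""
    views = [data, data.decode("utf-16le", errors="ignore").encode("latin-1", "ignore")]
    found = set()
    for view in views:
        for m in SCRIPT_INDICATORS.finditer(view):
            found.add(re.sub(rb"\s+", b" ", m.group(0)).decode("latin-1").lower())
    return sorted(found)


def is_masquerading_image(path: Path) -> bool:
    """True when the extension claims an image but the leading bytes disagree."""
    magics = IMAGE_MAGIC.get(path.suffix.lower())
    if magics is None:
        return False
    head = path.read_bytes()[:16]
    return not any(head.startswith(m) for m in magics)


def mirror_subdirs(folder: Path) -> list:
    """Sub-folders that repeat two or more of the parent's file names."""
    top = {p.name for p in folder.iterdir() if p.is_file()}
    hits = []
    for sub in folder.iterdir():
        if sub.is_dir():
            inner = {p.name for p in sub.iterdir() if p.is_file()}
            if len(top & inner) >= 2:
                hits.append(sub)
    return hits


def triage(folder: Path) -> dict:
    """Walk an extracted archive and collect the three warning signs."""
    folder = Path(folder)
    report = {"fake_images": {}, "suspicious_lnk": {}, "mirror_dirs": []}
    for p in folder.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(folder).as_posix()
        data = p.read_bytes()
        if is_masquerading_image(p):
            report["fake_images"][rel] = indicators_in(data)
        elif p.suffix.lower() == ".lnk" or data[:20] == LNK_MAGIC:
            hits = indicators_in(data)
            if hits:
                report["suspicious_lnk"][rel] = hits
    report["mirror_dirs"] = [d.relative_to(folder).as_posix() for d in mirror_subdirs(folder)]
    return report


def build_sample(root: Path) -> Path:
    """Constructed sample mimicking the article's archive layout (not real malware)."""
    book = root / "Some_Book"
    hidden = book / ".hidden"  # a real sample sets the Windows hidden attribute instead
    hidden.mkdir(parents=True)
    # Shortcut posing as the PDF; its arguments are UTF-16LE as in a real link file.
    args = 'cmd.exe /c for /f "tokens=*" %i in (zz1Cover4.jpg) do %i'.encode("utf-16le")
    (book / "Some_Book.pdf.lnk").write_bytes(LNK_MAGIC + b"\x00" * 8 + args)
    # "JPGs" that are really a command/PowerShell stage and an AutoIt script,
    # padded with blank lines the way the article describes.
    stage1 = b"\n" * 40 + b"attrib -h .hidden\npowershell -w hidden -c \"schtasks /create ...\"\n"
    stage2 = b"\n" * 10 + b"Local $s = 'AutoIt stage two'\n"
    for d in (book, hidden):
        (d / "zz1Cover4.jpg").write_bytes(stage1)
        (d / "zz1Cover2.jpg").write_bytes(stage2)
        (d / "AutoIt3.exe").write_bytes(b"MZ stand-in")
    (hidden / "Some_Book.pdf").write_bytes(b"%PDF-1.4 decoy")  # the only real document
    return book


def run_demo() -> dict:
    """Build the sample in a temp dir and return the triage report."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_sample(Path(tmp)))


if __name__ == "__main__":
    import json
    print(json.dumps(run_demo(), indent=2))
```

On a real extraction the hidden folder will not have a dotted name, so the mirror check is what catches it; the magic-byte check is deliberately independent of file names because, as the article notes, the attackers pick those per victim.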

Attackers employ AutoIt scripts to hide their malicious actions, using various obfuscation techniques to make analysis more challenging. Furthermore, threat actors adapt components from offensive security scripts, modifying only necessary elements to serve their malicious goals.

