Bookworms beware — this sneaky malware disguises itself as ebooks

Best ereader
Kom igång med din digital läsning med en av de bästa läsplattorna från Amazon, Kobo och mer. (Image credit: TechRadar / Amazon)

Researchers have warned reading fans of a new malware strain disguising itself as eBooks, and being distributed via torrents.

Usually, threat actors sharing malware via torrents would disguise the files as popular movies, or cracks for expensive, commercial software, since these are popular and allow the attackers to distribute the malware to a wider cohort. eBooks are not usually impersonated in cybercrime due to the files being somewhat niche.

However, cybersecurity researchers from Trellix say they have observed malware known as ViperSoftX being shared this way. Users would think they are downloading an eBook, but the archive would also carry a hidden folder and a Windows shortcut file. Running the shortcut triggers the infection chain, which results in the deployment of the malware. 

Information stealer and remote access trojan

ViperSoftX is a type of malware that functions as an information stealer and a remote access trojan (RAT). It is designed to steal sensitive information, such as login credentials, financial information, and other personal data from infected computers. 

It was first spotted in the wild around late 2019, and has since evolved with various updates and modifications, making it a persistent threat to computer systems. Newer versions steal cryptocurrency wallet data from browser extensions, grabs clipboard content, and more.

"A notable aspect of the current variant of ViperSoftX is that it uses the Common Language Runtime (CLR) to dynamically load and run PowerShell commands, thereby creating a PowerShell environment within AutoIt for operations," the researchers said, explaining how the malware remains hidden. "By utilizing CLR, ViperSoftX can seamlessly integrate PowerShell functionality, allowing it to execute malicious functions while evading detection mechanisms that might otherwise flag standalone PowerShell activity."

While a potent infostealer in its own right, ViperSoftX also served as a loader, helping threat actors distribute Quasar RAT and an infostealer called TesseractStealer, TheHackerNews reports. 

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

TOPICS