According to the latest reports from Avast, since the beginning of 2022, attacks using a malicious extension for the Google Chrome browser called "VenomSoftX", which steals the contents of the clipboard, have become more frequent. As the experts found out, this addon is part of the ViperSoftX JavaScript Trojan, which steals passwords and cryptocurrency.
It is known that ViperSoftX has been quietly existing since 2020, because the Trojan was previously reported by researchers from Cerberus and Colin Cowie. In addition, a separate report from Fortinet was dedicated to him.
And in a new report by Avast Threat Labs, experts revealed additional details about the functionality of the malware and the VenomSoftX extension. In addition, the report states that since the beginning of 2022, Avast specialists have detected and stopped about 93,000 ViperSoftX infection attempts. The main part of the infected users was in the USA, Italy, India and Brazil.
ViperSoftX's main distribution channel is cracked torrent files for games and paid software activators. The attackers' crypto wallet addresses are hard-coded in the ViperSoftX and VenomSoftX samples. In total, there were two such wallets, at the time of November 8, 2022, they stored 130 thousand dollars. The key feature of ViperSoftX is the installation of the VenomSoftX addon for Chrome, Brave, Edge and Opera browsers. The extension masquerades as the supposedly useful application "Google Sheets 2.1".
VenomSoftX is known to be able to modify the HTML code on websites and redirect cryptocurrency transactions to the wallets of malware operators. In addition to the currency itself, the Trojan can easily steal user passwords. In addition, the extension is capable of intercepting API requests to crypto services in order to collect information about the victim's assets.