This vicious new malware version is now targeting password managers

News
By
published

1Password and KeePass are the new targets

Conceptual art of a computer system being hacked.
(Image credit: Getty Images)

A new version of an already active malware is now shifting focus to target 1Password - in our view the best password manager for families - and KeePass.

ViperSoftX is an infostealer that has already been after crypto wallets, but its now attacking more of them, in addition to multiple web browsers - not just Google Chrome - and password managers as well. 

It also has stronger code encryption now and is better at avoiding detection from antivirus tools. 

New version

ViperSoftX can install the malicious Chrome extension VenomSoftX, but according to security researchers Trend Micro, it can now also infect Microsoft Edge, Mozilla Firefox, Opera and Brave. 

The malware was first discovered in 2020 stealing crypto currency using a JavaScript-based RAT (remote access trojan). By 2022, however, Avast found that it had advanced considerably in its capabilities, with the cybersecurity vendor claiming that it had stopped close to 100,000 attacks on its customers from the malware through most of last year. Most victims were based in the U.S., Italy, Brazil, and India.

It seems that now, however, ViperSoftX has extended its global reach, with Trend Micro detecting additional prominent activity in Australia, Japan, Taiwan, Malaysia and France. Enterprises and consumers alike are being targeted too. Analysts found that the malware is often hidden in software cracks and activators. 

read more

> Password manager hacked to launch wide-ranging cyberattack against businesses worldwide

> Hackers might be able to crack this top password manager and steal your logins

> LastPass confirms hackers had access to internal systems for several days

In addition to attacking many more crypto wallets now, the latest version of ViperSoftX has been found by Trend Micros to be scouring for files associated with 1Password and KeePass, and attempting to steal data related to their browser extensions. 

An exploit tracked as CVE-2023-24055 does allow for stored passwords to be exported in a plain text file, but Trend Micro found now evidence that this is being used by ViperSoftX.

However, it told BleepingComputer that it could steal users' vaults in the later stages of the attack, once the malware has taken hold and extracted data from the victim's system and sent it to the threat actor.

More worringly, the new ViperSoftX uses DLL sideloading in order to be mistakenly recognized as a trusted process, thus remaining undetected by security software. It also checks to see if monitoring tools like VMWare or Process Monitor and antivirus software such as Windows Defender and ESET are present on the system before it it begins its processes.

It also uses byte mapping, a technique to encrypt its code in a way that makes it much harder to decrypt without having the correct map to do so.

Lewis Maddison
Lewis Maddison
Reviews Writer

Lewis Maddison is a Reviews Writer for TechRadar. He previously worked as a Staff Writer for our business section, TechRadar Pro, where he had experience with productivity-enhancing hardware, ranging from keyboards to standing desks. His area of expertise lies in computer peripherals and audio hardware, having spent over a decade exploring the murky depths of both PC building and music production. He also revels in picking up on the finest details and niggles that ultimately make a big difference to the user experience.