Ransomware Attack Spreads to UK and US Businesses via ViperTunnel Malware
ViperTunnel Malware
The ViperTunnel malware has been found on the networks of several UK and US businesses.
- Infiltration dates back to late 2023
- Purpose: establish long-term access to victim systems and sell that access on to ransomware groups
Discovery and Development
Researchers identified ViperTunnel during a response to a DragonForce ransomware attack.
- A suspicious scheduled task named “523135538” on Windows machines
- A “sitecustomize.py” file in C:\ProgramData\cp49s\Lib; the Python interpreter imports sitecustomize automatically at startup, so the file runs every time that interpreter is launched
According to the researchers, the backdoor itself was stored as “b5yogiiy3c.dll”. Despite the extension, the file is a Python script, not a Windows library; the name only makes it look like a system file.
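The two artefacts above can be hunted for directly. The following is an added example, not the researchers' tooling or anything from the malware: it assumes the layout the article describes (a private Python install whose Lib directory holds a sitecustomize.py, and a “.dll” that is really Python text), and builds a constructed sample tree in a temp directory so it runs offline on any OS.

```python
"""Hunt for a dropped sitecustomize.py and for '.dll' files that are not PE.

Added example, not the researchers' tooling. Assumes the layout from the
article: a private Python under a ProgramData-style directory with a Lib
folder, and a script stored under a .dll name. The demo tree is constructed.
"""
import importlib.util
import os
import tempfile

PE_MAGIC = b"MZ"  # every real Windows DLL/EXE begins with the DOS header


def sitecustomize_origin():
    """Path of the sitecustomize module this interpreter would import at
    startup, or None. The stdlib `site` module imports it automatically
    unless Python is started with -S, so any writable sys.path entry that
    provides one is a code-execution hook."""
    spec = importlib.util.find_spec("sitecustomize")
    return None if spec is None else spec.origin


def dll_verdict(path):
    """None for a genuine PE (or a non-.dll file), 'python-source' when the
    .dll is Python text, 'no-pe-header' when it is neither. A packed loader
    would defeat the text check, so a non-MZ .dll is flagged regardless."""
    if not path.lower().endswith(".dll"):
        return None
    with open(path, "rb") as fh:
        head = fh.read(512)
    if head.startswith(PE_MAGIC):
        return None
    try:
        text = head.decode("utf-8")
    except UnicodeDecodeError:
        return "no-pe-header"
    markers = ("import ", "from ", "def ", "ctypes", "exec(")
    return "python-source" if any(m in text for m in markers) else "no-pe-header"


def scan_for_fake_dlls(root):
    """Walk a tree and return (path, verdict) for every .dll that is not PE."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            verdict = dll_verdict(path)
            if verdict:
                hits.append((path, verdict))
    return sorted(hits)


def find_sitecustomize(root):
    """Every sitecustomize.py under root; one inside a Lib directory that is
    not the system Python's is the startup hook described above."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        if "sitecustomize.py" in files:
            found.append(os.path.join(dirpath, "sitecustomize.py"))
    return sorted(found)


def build_demo_tree():
    """Constructed sample tree mirroring the layout from the article."""
    root = tempfile.mkdtemp(prefix="vt_demo_")
    lib = os.path.join(root, "cp49s", "Lib")
    os.makedirs(lib)
    with open(os.path.join(lib, "real.dll"), "wb") as fh:
        fh.write(b"MZ\x90\x00" + b"\x00" * 60)                   # PE stub
    with open(os.path.join(lib, "b5yogiiy3c.dll"), "wb") as fh:
        fh.write(b"import ctypes\nimport sys\n# loader body\n")  # script in disguise
    with open(os.path.join(lib, "sitecustomize.py"), "w") as fh:
        fh.write("import importlib\n# hook body\n")
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    print("interpreter would load:", sitecustomize_origin())
    print("sitecustomize files:", find_sitecustomize(demo))
    print("fake DLLs:", scan_for_fake_dlls(demo))
```

On a real host, point `scan_for_fake_dlls` and `find_sitecustomize` at ProgramData and user profile directories rather than the demo tree, and compare `sitecustomize_origin()` from each Python install found on the box against what its package manager laid down.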
Execution and Detection
The script uses ctypes to call into the Python C API and works out whether it is running on its own or as part of a larger task.
- Opens a SOCKS5 proxy tunnelled over port 443
- Because 443 is the normal HTTPS port, the proxy traffic, and any data stolen through it, blends in with ordinary web traffic and is hard to spot
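Port 443 normally carries a TLS handshake, so a SOCKS5 handshake on that port is distinguishable from the first client bytes. The following is an added example, not the malware's code or the researchers' signatures: it assumes the proxy speaks raw SOCKS5 (RFC 1928) on the 443 socket, and all sample payloads are constructed. If the tunnel is itself wrapped in TLS these bytes are encrypted and only the certificate, TLS fingerprint or destination can be inspected instead.

```python
"""Tell a SOCKS5 handshake apart from the TLS handshake that port 443
normally carries, and decode where a SOCKS5 request is headed.

Added example, not code from the malware or the researchers. Assumes raw
SOCKS5 (RFC 1928) on the socket; samples below are constructed.
"""
import ipaddress
import struct

TLS_HANDSHAKE = 0x16          # TLS record type for handshake messages
SOCKS_VERSION = 0x05
SOCKS_CMDS = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}


def classify_first_bytes(data):
    """Label the first client bytes of a TCP stream seen on port 443."""
    if len(data) < 3:
        return "short"
    # TLS record: type 0x16, version 0x03xx (SSL 3.0 .. TLS 1.3 use 0x0300-0x0304)
    if data[0] == TLS_HANDSHAKE and data[1] == 0x03 and data[2] <= 0x04:
        return "tls-handshake"
    if data[0] == SOCKS_VERSION:
        nmethods = data[1]
        # greeting: VER NMETHODS METHODS... and nothing else
        if nmethods >= 1 and len(data) == 2 + nmethods:
            return "socks5-greeting"
        # request: VER CMD RSV(0) ATYP ...
        if len(data) >= 4 and data[1] in SOCKS_CMDS and data[2] == 0:
            return "socks5-request"
    return "other"


def parse_socks5_request(data):
    """Decode VER CMD RSV ATYP DST.ADDR DST.PORT into (cmd, host, port)."""
    if classify_first_bytes(data) != "socks5-request":
        raise ValueError("not a SOCKS5 request")
    cmd = SOCKS_CMDS[data[1]]
    atyp = data[3]
    if atyp == 1:                                   # IPv4, 4 bytes
        host, end = str(ipaddress.IPv4Address(bytes(data[4:8]))), 8
    elif atyp == 3:                                 # domain name, length-prefixed
        n = data[4]
        host, end = data[5:5 + n].decode("ascii"), 5 + n
    elif atyp == 4:                                 # IPv6, 16 bytes
        host, end = str(ipaddress.IPv6Address(bytes(data[4:20]))), 20
    else:
        raise ValueError("unknown ATYP %d" % atyp)
    if len(data) < end + 2:
        raise ValueError("truncated request")
    (port,) = struct.unpack("!H", data[end:end + 2])
    return cmd, host, port


# Constructed samples, not captured traffic.
SAMPLES = {
    "normal_https": b"\x16\x03\x01\x00\xc5\x01\x00\x00\xc1\x03\x03",
    "socks_greeting": b"\x05\x01\x00",
    "socks_connect_smb": b"\x05\x01\x00\x01\x0a\x00\x00\x05\x01\xbd",
    "socks_connect_dc": b"\x05\x01\x00\x03\x0fdc01.corp.local\x01\xbb",
}


def classify_samples():
    """Map each sample name to its label; used by the demo and the checks."""
    return {name: classify_first_bytes(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, label in classify_samples().items():
        line = "%-18s %s" % (name, label)
        if label == "socks5-request":
            line += "  -> %s %s:%d" % parse_socks5_request(SAMPLES[name])
        print(line)
```

The decoded destinations are the useful part for an analyst: a CONNECT to an internal host on 445 or to a domain controller from a workstation's "HTTPS" session is lateral movement through the proxy, and is worth alerting on even when the bytes themselves look unremarkable.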
Attribution and Improvement
Evidence points to UNC2165, a group closely linked to the notorious EvilCorp, as the developer of ViperTunnel.
- Deployed together with ShadowCoil, a credential-stealing tool that targets Chrome, Firefox, and Edge
- Improved over time: the messy codebase seen in December 2023 has become a professional tool with a modular design built from three components, Wire, Relay, and Commander
Concerns and Future Developments
A notable discovery was a new check for TracerPid, the field of /proc/<pid>/status on Linux that is non-zero when a debugger or other tracer is attached. Its presence suggests the developers are building a Linux version to turn ViperTunnel into a cross-platform framework.
- Currently, most control servers are hosted in the US
- The code's stealthy nature allows it to remain undetected in networks for months
- Researchers warn that this may enable the group to target Linux servers used by large businesses in the future
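The TracerPid check is a standard Linux anti-debugging test, and it is worth knowing exactly what it reads so that analysis of a future Linux build is not derailed by it. The following is an added example and is not the malware's code: it parses the /proc/<pid>/status format, applies the check to the running process where /proc exists, and uses constructed status texts for the offline cases.

```python
"""What the TracerPid check reads, and how to evaluate it.

Added example, not code from the malware. On Linux, /proc/<pid>/status
carries a 'TracerPid:' line that is 0 normally and holds the tracer's PID
while ptrace (gdb, strace, many sandboxes) is attached. Windows has no
/proc, so this check only makes sense in a Linux build. The sample status
texts below are constructed.
"""


def tracer_pid(status_text):
    """TracerPid value from a /proc/<pid>/status text, or None if the line
    is missing (not Linux, or a very old kernel)."""
    for line in status_text.splitlines():
        if line.startswith("TracerPid:"):
            return int(line.split(":", 1)[1].strip())
    return None


def is_traced(status_text):
    """Pure form of the check: a non-zero TracerPid means a tracer is attached."""
    pid = tracer_pid(status_text)
    return pid is not None and pid != 0


def self_is_traced():
    """Apply the check to the running process; False where /proc is absent."""
    try:
        with open("/proc/self/status") as fh:
            return is_traced(fh.read())
    except OSError:
        return False


# Constructed samples: the same process before and after a debugger attaches.
STATUS_CLEAN = "Name:\tpython3\nState:\tR (running)\nPid:\t1234\nTracerPid:\t0\n"
STATUS_DEBUGGED = "Name:\tpython3\nState:\tt (tracing stop)\nPid:\t1234\nTracerPid:\t4321\n"
STATUS_NO_FIELD = "Name:\tpython3\nPid:\t1234\n"

if __name__ == "__main__":
    for label, text in (("clean", STATUS_CLEAN), ("debugged", STATUS_DEBUGGED),
                        ("no field", STATUS_NO_FIELD)):
        print("%-9s TracerPid=%s traced=%s" % (label, tracer_pid(text), is_traced(text)))
    print("this process traced:", self_is_traced())
```

The practical consequence for analysts: attaching gdb or running the sample under strace flips TracerPid to non-zero before the code in question runs, so a Linux build carrying this check will behave differently under a ptrace-based harness than on a victim server. Tracing that does not use ptrace (kernel-level tracing, or instrumentation that patches the check out) avoids tipping it off.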
