Threat actors are abusing SourceForge to distribute fraudulent Microsoft Office add-ins that install malware on victims' devices to mine and steal cryptocurrency.
SourceForge is a legitimate software hosting and distribution platform offering version control, issue tracking, and dedicated forums and wikis, which makes it a popular choice among open-source project communities.
Researchers noted that although its open project-submission model leaves room for abuse, the platform is rarely used to disseminate malware. The newly uncovered campaign, however, has already affected at least 4,604 systems, most of them in Russia.
Although the malicious project has since been removed from SourceForge, researchers believe search engines had indexed it, drawing traffic from users searching for “office add-ins.”
Malware operators abuse SourceForge hosting through fake add-ins
According to the investigation, users searching for office add-ins on Google or other search engines were directed to “officepackage.sourceforge.io,” a site on the separate web-hosting service that SourceForge provides to project owners.
The page presents “Office Add-ins” and “Download” buttons. Clicking either delivers a ZIP containing a password-protected archive and a text file holding the password.
The archive contains an MSI file padded to roughly 700 MB, a common trick because many antivirus engines skip or only partially scan very large files. When run, it drops ‘UnRAR.exe’ and ‘51654.rar’ and launches a VBS that downloads a batch script from GitHub.
That script first checks whether it is running in a virtualised or sandbox environment and which antivirus products are active, then downloads a second batch script (confvz.bat) and unpacks the RAR archive.
The confvz.bat script establishes persistence by modifying the Registry and adding Windows services. The RAR archive, for its part, contains the AutoIT interpreter, the Netcat reverse shell tool, and two DLL payloads.
The two DLLs are a cryptocurrency miner and a clipper. The miner uses the machine's CPU to mine Bitcoin into the attacker's account, while the clipper watches the clipboard for copied cryptocurrency wallet addresses and silently replaces them with attacker-controlled ones, so that a victim pasting an address into a transaction sends the funds to the attacker instead.
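As an added illustration (editor's example, not code from the original report or from the malware): the tell-tale behaviour of a clipper is that an address-shaped clipboard value changes to a different address of the same type without any user copy action. The Python below runs that detection logic over a constructed sequence of clipboard snapshots. The address regexes, the Snapshot format, and the idea of correlating with copy events are the editor's assumptions; the sample addresses are either public Bitcoin test vectors or clearly constructed placeholders, not real attacker infrastructure.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Address-format patterns (assumption: chosen by the editor for illustration;
# the clipper in the report may target other formats as well).
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
    "eth": re.compile(r"^0x[a-fA-F0-9]{40}$"),
}


def classify_address(text: str) -> Optional[str]:
    """Return the address type of a clipboard value, or None if it is not one."""
    text = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(text):
            return name
    return None


@dataclass
class Snapshot:
    ts: float          # seconds since monitoring started
    content: str       # clipboard text at that moment
    user_copy: bool    # True if a user copy event (e.g. Ctrl+C) was seen at this time


def detect_clipper(snapshots: List[Snapshot]) -> List[Tuple[float, str, str]]:
    """Flag clipboard swaps: an address replaced by a different address of the
    same type with no intervening user copy event. Returns (ts, before, after)."""
    alerts = []
    prev: Optional[Snapshot] = None
    for snap in snapshots:
        if prev is not None and not snap.user_copy:
            kind_before = classify_address(prev.content)
            kind_after = classify_address(snap.content)
            if kind_before and kind_after == kind_before and prev.content != snap.content:
                alerts.append((snap.ts, prev.content, snap.content))
        prev = snap
    return alerts


# Constructed sample data. The legitimate BTC values are well-known public
# test vectors; the "swapped" values are placeholders invented for this example.
BTC_LEGIT = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"
BTC_SWAPPED = "1AttackerSwappedThisAddressXYZabc12"
BECH32_LEGIT = "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"
ETH_LEGIT = "0x" + "ab" * 20
ETH_SWAPPED = "0x" + "cd" * 20

SAMPLE_SNAPSHOTS = [
    Snapshot(0.0, "meeting notes for Monday", user_copy=True),   # ordinary text
    Snapshot(5.0, BTC_LEGIT, user_copy=True),                    # user copies address
    Snapshot(5.4, BTC_SWAPPED, user_copy=False),                 # silently replaced
    Snapshot(20.0, ETH_LEGIT, user_copy=True),
    Snapshot(20.3, ETH_SWAPPED, user_copy=False),                # silently replaced
    Snapshot(40.0, BECH32_LEGIT, user_copy=True),                # legit new copy: no alert
    Snapshot(40.5, BECH32_LEGIT, user_copy=False),               # unchanged: no alert
]


def run_sample() -> List[Tuple[float, str, str]]:
    return detect_clipper(SAMPLE_SNAPSHOTS)


if __name__ == "__main__":
    for ts, before, after in run_sample():
        print(f"[{ts:6.1f}s] clipboard swap: {before} -> {after}")
```

On a real host the snapshots would come from polling the OS clipboard and the copy events from a keyboard or clipboard-listener hook; the correlation matters because a user legitimately copying a second address (the 40.0 s entry) must not trigger an alert, whereas a change that nobody initiated is exactly what the clipper produces.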
The operators also receive information about the infected device through Telegram API calls and can use the same channel to deliver additional payloads.
The campaign is another example of threat actors abusing legitimate sites to borrow credibility and slip past security controls.
Users should therefore download software only from publishers they can verify, use official project channels, scan all downloaded files with an up-to-date antivirus before executing them, and treat an installer that is vastly larger than the software it claims to be as a warning sign.
