
Cybercriminals have managed to infiltrate crypto-stealing malware into another legitimate platform. It’s a reminder of the importance of always checking what you’re downloading on the internet and what addresses you're using to send your crypto assets.
After criminals created hundreds of legitimate-looking repositories on GitHub containing fake projects with malicious code, security specialist Kaspersky has now found malware distributed via SourceForge.net, a popular website providing software hosting, comparison, and distribution services.
The malware is being distributed via a fake project named officepackage, which contains Microsoft Office add-ins copied from a legitimate GitHub project.

According to the researchers, victims' computers are infected with ClipBanker, a malware family that replaces crypto wallet addresses in the clipboard with the attackers' own – a technique also known as address poisoning, previously covered by Cybernews.com.
"Users of crypto wallets typically copy addresses instead of typing them. If the device is infected with ClipBanker, the victim’s money will end up somewhere entirely unexpected," Kaspersky reminded, estimating that 90% of potential victims of this malware are in Russia, where 4,604 users encountered the scheme between early January and late March.
Meanwhile, the researchers explained that the lure relies on the project's own sourceforge.io domain: projects created on the platform are assigned their own subdomains, such as officepackage.sourceforge[.]io, and the attackers serve a different page there than the one listed for officepackage on sourceforge.net.
"The project under investigation has been assigned the domain officepackage.sourceforge[.]io, but the page displayed when you go to that domain looks nothing like officepackage on sourceforge.net. Instead of the description copied from GitHub, the visitor is presented with an imposing list of office applications complete with version numbers and 'Download' buttons," the researchers said.
According to them, the next step is to lead the sourceforge.net user to the loading.sourceforge[.]io/download page, which is the link revealed when hovering over one of the buttons on the officepackage page. Once a potential victim clicks it, they are redirected to another "Download" page, the final stop, where they fetch an archive of roughly seven megabytes named vinstaller.zip that contains the malicious code.
"This raises some red flags, as office applications are never that small, even when compressed," Kaspersky noted, adding that inside the archive, there's a Windows Installer file that exceeds 700 megabytes, as "attackers use the file pumping technique to inflate the file size by appending junk data."
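As an added defender-side illustration (not code from Kaspersky's or Cybernews' reporting), the script below inspects archive members for the two red flags the researchers describe: an extreme uncompressed-to-compressed ratio and a decompressed stream made mostly of low-entropy padding. The member names, sizes and thresholds are constructed assumptions, and the check generalizes beyond the single archive in the article to any zip handed to it.

```python
import io
import math
import random
import zipfile
from collections import Counter

CHUNK = 64 * 1024        # analysis window; 1 MiB would suit real installers
LOW_ENTROPY = 1.0        # bits/byte; zero-filled or repeated padding scores near 0
RATIO_THRESHOLD = 50.0   # legit installers mostly hold already-compressed data, so ratios stay low


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0 for identical bytes, ~8 for random)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def analyze_archive(zip_bytes: bytes) -> list[dict]:
    """Flag members whose size looks pumped with compressible junk, using two
    independent signals: the ratio recorded in the zip headers and the share
    of low-entropy chunks seen while streaming the decompressed member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ratio = info.file_size / max(info.compress_size, 1)
            low = total = 0
            with zf.open(info) as fh:  # stream; never hold a 700 MB member in RAM
                while chunk := fh.read(CHUNK):
                    total += 1
                    low += shannon_entropy(chunk) < LOW_ENTROPY
            low_fraction = low / total if total else 0.0
            findings.append({"name": info.filename, "size": info.file_size,
                             "ratio": round(ratio, 1),
                             "low_entropy_fraction": round(low_fraction, 3),
                             "pumped": ratio > RATIO_THRESHOLD or low_fraction > 0.5})
    return findings


def build_sample_archive() -> bytes:
    """Constructed test data: one incompressible member, one 'pumped' member."""
    rng = random.Random(1234)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("legit_payload.bin", rng.randbytes(4096))
        # 4 KiB of real-looking content followed by 2 MiB of appended zero padding
        zf.writestr("pumped_installer.msi", rng.randbytes(4096) + b"\x00" * (2 << 20))
    return buf.getvalue()


if __name__ == "__main__":
    for finding in analyze_archive(build_sample_archive()):
        print(finding)
```

Junk that is random rather than repetitive would not compress, so the ratio signal alone would miss it; the entropy pass and the ratio check are kept separate for that reason.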