Cybercriminals are exploiting SourceForge to disseminate counterfeit Microsoft add-ins that install malware on victims' systems, aiming to mine and steal cryptocurrency. SourceForge.net, a reputable platform for software hosting and distribution, is popular among open-source communities for its version control, bug tracking, and forums. Despite its open submission model, malware distribution through this platform is uncommon.

Malware Campaign Overview

A recent campaign identified by Kaspersky has affected over 4,604 systems, predominantly in Russia. Although the malicious project has been removed from SourceForge, it was indexed by search engines, attracting users searching for "office add-ins" or similar terms.

Fake Office Add-ins

The "officepackage" project masquerades as a collection of Office Add-in development tools, mimicking the legitimate Microsoft project 'Office-Addin-Scripts' available on GitHub. When users search for office add-ins, they may encounter results leading to "officepackage.sourceforge.io," a site hosted by SourceForge's web hosting feature for project owners.

  • Deceptive Page: The site imitates a legitimate developer tool page, featuring "Office Add-ins" and "Download" buttons. Clicking these leads to a ZIP file containing a password-protected archive and a text file with the password.
  • Malware Delivery: The archive includes an MSI file (installer.msi) inflated to 700MB to evade antivirus scans. Executing it drops 'UnRAR.exe' and '51654.rar,' and runs a Visual Basic script that retrieves a batch script (confvk.bat) from GitHub.

Infection Process

The confvk.bat script checks for simulated environments and active antivirus products, then downloads another batch script (confvz.bat) and unpacks the RAR archive. The confvz.bat script establishes persistence through Registry modifications and Windows services.

Payload Details

The RAR file contains an AutoIT interpreter (Input.exe), the Netcat reverse shell tool (ShellExperienceHost.exe), and two payloads (Icon.dll and Kape.dll). The DLL files function as a cryptocurrency miner and a clipper. The miner hijacks the system's computational power to mine cryptocurrency for the attacker, while the clipper monitors the clipboard for cryptocurrency addresses and replaces them with attacker-controlled ones.
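As an added, defender-side illustration (not code from Kaspersky's report or from the malware), the following heuristic flags the behaviour a clipper produces: a copied cryptocurrency address overwritten by a different address of the same kind almost immediately. The clipboard snapshots, address patterns and time window are constructed assumptions for this example.

```python
import re
from dataclasses import dataclass

# Address formats to recognise (constructed for this example; real clippers
# target many more coins and formats).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(?:bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_kind(text):
    """Return 'btc'/'eth' if the text looks like such an address, else None."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


@dataclass
class Swap:
    at_seconds: float
    kind: str
    original: str
    replaced: str


def detect_clipper_swaps(snapshots, window=2.0):
    """snapshots: ordered list of (time_seconds, clipboard_text).
    A clipper rewrites the clipboard right after the user copies an address,
    so flag an address replaced by a *different* address of the same kind
    within `window` seconds. Slower changes are treated as user actions."""
    swaps = []
    for (t0, before), (t1, after) in zip(snapshots, snapshots[1:]):
        kind = address_kind(before)
        if kind and address_kind(after) == kind and before.strip() != after.strip() \
                and 0 <= t1 - t0 <= window:
            swaps.append(Swap(t1, kind, before.strip(), after.strip()))
    return swaps


# Constructed clipboard history: one substitution 300 ms after a copy (suspicious),
# one new address 15 s later (plausibly the user copying a second address).
SAMPLE_SNAPSHOTS = [
    (0.0, "meeting notes"),
    (5.0, "0x" + "a1" * 20),
    (5.3, "0x" + "b2" * 20),
    (20.0, "bc1q" + "q" * 38),
    (35.0, "bc1q" + "p" * 38),
]

if __name__ == "__main__":
    for swap in detect_clipper_swaps(SAMPLE_SNAPSHOTS):
        print(f"{swap.kind} address swapped at t={swap.at_seconds}s: {swap.original} -> {swap.replaced}")
```

A real monitor would feed live clipboard reads into `detect_clipper_swaps` and alert on any result; the heuristic cannot tell a benign address change from a malicious one outside the time window.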

  • System Information Theft: The attacker receives system information via Telegram API calls and can use the same channel to deploy additional payloads.