Crypto Malware Spreads via SourceForge Posing as Cracked Software

Article Highlights
Off On

Malicious actors have taken advantage of SourceForge, a reputable software hosting platform, to propagate cryptocurrency miner and clipper malware, masquerading as cracked versions of popular applications. This deceptive tactic lures users into downloading harmful software under the guise of legitimate programs such as Microsoft Office, exposing them to significant cybersecurity threats.

Malicious Projects Masquerading as Legitimate Software

Kaspersky, a well-regarded cybersecurity firm, recently revealed that hackers are leveraging SourceForge to disseminate malware by creating fraudulent projects that impersonate legitimate software. One glaring example of this is a project titled “officepackage.” This project ostensibly offers various Microsoft Office add-ins, purportedly sourced from a legitimate GitHub repository. It appears authentic both in its description and content, as it mimics genuine details to deceive users. The strategy behind these fake projects is simple yet effective: attackers replicate the appearance of legitimate applications to create a false sense of security. Users believe they are downloading useful add-ins for their Microsoft Office suite, but in reality, they are stepping into a malware trap. The project “officepackage,” for instance, utilizes components and descriptions directly taken from GitHub, enhancing its illusion of legitimacy. This fraudulent setup on SourceForge, including the domain “officepackage.sourceforge[.]io,” lists numerous Microsoft Office applications and download links primarily in the Russian language, appealing specifically to Russian-speaking users.

Deceptive Download Links and Redirects

The deceptive practices by attackers don’t stop at just mimicking legitimate software projects. When users attempt to download applications from projects like “officepackage,” they encounter a website interface designed to appear convincing. Hovering over the download buttons reveals innocuous-looking URLs such as “loading.sourceforge[.]io/download.” This superficial authenticity builds a false sense of trust among users, making them believe the link will direct them to the intended software.

However, clicking the download button reroutes users to an unrelated webpage hosted on “taplink[.]cc.” Here, users face another download button, leading to the download of a 7 MB ZIP archive named “vinstaller.zip.” Upon opening this archive, users find another password-protected ZIP file (“installer.zip”) and a text file containing the necessary password. Within the protected ZIP file lies an MSI installer crafted to deploy malicious components. This installer includes a console archive utility known as “UnRAR.exe,” a RAR archive, and a VB script.

The VB script runs a PowerShell interpreter, which executes a batch file named “confvk” fetched from GitHub. This file harbors the password for the RAR archive and facilitates the execution of more malicious scripts. The batch file initiates two critical PowerShell scripts: one that transmits system metadata through the Telegram API, and another that downloads an additional script to act on the RAR archive contents. This intricate process ultimately leads to the deployment of malware payloads, specifically ClipBanker—a cryptocurrency miner and clipper malware.

Broader Implications and Additional Campaigns

The deployment of cryptocurrency malware via SourceForge is not an isolated incident. Kaspersky’s report highlights broader implications, suggesting that the malware scheme may enable attackers to gain system access, potentially selling it to more dangerous entities. This aspect underscores the significant threat posed to users who download software from unofficial sources.

Further complicating the picture, another campaign involves distributing a malware downloader known as TookPS. This downloader spreads via fraudulent sites imitating legitimate software platforms. For instance, sites like “deepseek-ai-soft[.]com” mimic the DeepSeek AI chatbot and various remote desktop and 3D modeling tools. These fake websites appear authentic and often rank high in sponsored Google search results, ensnaring unsuspecting users. TookPS’s primary function is to download and run PowerShell scripts that allow remote access to infected systems via SSH. The downloader also deploys a modified trojan called TeviRat, which gives attackers unrestrained access to victims’ computers.

Additionally, Kaspersky’s findings indicate the use of DLL sideloading techniques to alter TeamViewer remote access software on infected machines. By placing a malicious library alongside TeamViewer, hackers can modify its behavior stealthily, enabling covert remote access without the user’s awareness.

Evolving Threat Landscape

Malicious actors have exploited SourceForge, a respected software-hosting platform, to spread cryptocurrency miner and clipper malware. They disguise these harmful programs as cracked versions of popular applications, deceiving users into downloading what they think are legitimate software packages such as Microsoft Office. This treacherous tactic not only undermines the trust in well-known applications but also puts users at serious risk of cybersecurity threats. Instead of getting the desired software, users end up with malware that can drain their computer’s resources by mining cryptocurrencies or intercept and alter clipboard contents to steal sensitive information, such as cryptocurrency wallet addresses or other personal data. This kind of malicious attack highlights the importance of downloading software only from trusted sources and being wary of cracked versions, which often come with hidden dangers. SourceForge’s reputation as a reliable platform is being manipulated by these bad actors, stressing a need for greater vigilance and stronger security measures to protect users from such deceptive practices.

Explore more

Can AI Redefine C-Suite Leadership with Digital Avatars?

I’m thrilled to sit down with Ling-Yi Tsai, a renowned HRTech expert with decades of experience in leveraging technology to drive organizational change. Ling-Yi specializes in HR analytics and the integration of cutting-edge tools across recruitment, onboarding, and talent management. Today, we’re diving into a groundbreaking development in the AI space: the creation of an AI avatar of a CEO,

Cash App Pools Feature – Review

Imagine planning a group vacation with friends, only to face the hassle of tracking who paid for what, chasing down contributions, and dealing with multiple payment apps. This common frustration in managing shared expenses highlights a growing need for seamless, inclusive financial tools in today’s digital landscape. Cash App, a prominent player in the peer-to-peer payment space, has introduced its

Scowtt AI Customer Acquisition – Review

In an era where businesses grapple with the challenge of turning vast amounts of data into actionable revenue, the role of AI in customer acquisition has never been more critical. Imagine a platform that not only deciphers complex first-party data but also transforms it into predictable conversions with minimal human intervention. Scowtt, an AI-native customer acquisition tool, emerges as a

Hightouch Secures Funding to Revolutionize AI Marketing

Imagine a world where every marketing campaign speaks directly to an individual customer, adapting in real time to their preferences, behaviors, and needs, with outcomes so precise that engagement rates soar beyond traditional benchmarks. This is no longer a distant dream but a tangible reality being shaped by advancements in AI-driven marketing technology. Hightouch, a trailblazer in data and AI

How Does Collibra’s Acquisition Boost Data Governance?

In an era where data underpins every strategic decision, enterprises grapple with a staggering reality: nearly 90% of their data remains unstructured, locked away as untapped potential in emails, videos, and documents, often dubbed “dark data.” This vast reservoir holds critical insights that could redefine competitive edges, yet its complexity has long hindered effective governance, making Collibra’s recent acquisition of