Crypto Malware Spreads via SourceForge Posing as Cracked Software


Malicious actors have taken advantage of SourceForge, a reputable software hosting platform, to propagate cryptocurrency miner and clipper malware, masquerading as cracked versions of popular applications. This deceptive tactic lures users into downloading harmful software under the guise of legitimate programs such as Microsoft Office, exposing them to significant cybersecurity threats.

Malicious Projects Masquerading as Legitimate Software

Kaspersky, a well-regarded cybersecurity firm, recently revealed that hackers are leveraging SourceForge to disseminate malware by creating fraudulent projects that impersonate legitimate software. One glaring example of this is a project titled “officepackage.” This project ostensibly offers various Microsoft Office add-ins, purportedly sourced from a legitimate GitHub repository. It appears authentic both in its description and content, as it mimics genuine details to deceive users. The strategy behind these fake projects is simple yet effective: attackers replicate the appearance of legitimate applications to create a false sense of security. Users believe they are downloading useful add-ins for their Microsoft Office suite, but in reality, they are stepping into a malware trap. The project “officepackage,” for instance, utilizes components and descriptions directly taken from GitHub, enhancing its illusion of legitimacy. This fraudulent setup on SourceForge, including the domain “officepackage.sourceforge[.]io,” lists numerous Microsoft Office applications and download links primarily in the Russian language, appealing specifically to Russian-speaking users.

Deceptive Download Links and Redirects

The deceptive practices by attackers don’t stop at just mimicking legitimate software projects. When users attempt to download applications from projects like “officepackage,” they encounter a website interface designed to appear convincing. Hovering over the download buttons reveals innocuous-looking URLs such as “loading.sourceforge[.]io/download.” This superficial authenticity builds a false sense of trust among users, making them believe the link will direct them to the intended software.

However, clicking the download button reroutes users to an unrelated webpage hosted on “taplink[.]cc.” Here, users face another download button, leading to the download of a 7 MB ZIP archive named “vinstaller.zip.” Upon opening this archive, users find another password-protected ZIP file (“installer.zip”) and a text file containing the necessary password. Within the protected ZIP file lies an MSI installer crafted to deploy malicious components. This installer includes a console archive utility known as “UnRAR.exe,” a RAR archive, and a VB script.

The VB script runs a PowerShell interpreter, which executes a batch file named “confvk” fetched from GitHub. This file harbors the password for the RAR archive and facilitates the execution of more malicious scripts. The batch file initiates two critical PowerShell scripts: one that transmits system metadata through the Telegram API, and another that downloads an additional script to act on the RAR archive contents. This intricate process ultimately leads to the deployment of malware payloads, specifically ClipBanker—a cryptocurrency miner and clipper malware.
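The chain described above (a script host launching PowerShell, PowerShell fetching a file from GitHub and reporting to the Telegram API, and UnRAR.exe being run from an installer's staging folder) is easy to express as a few process-lineage and network rules. The following is an added example written for this article, not code from Kaspersky's report or from the article itself: it runs those rules over a handful of constructed Sysmon-style events. The event fields, process IDs, paths and the `detect` function are all assumptions made for the illustration.

```python
"""Added example: detect the VB-script -> PowerShell -> Telegram/GitHub -> UnRAR
chain described in the article over constructed process and network events.
Field names, sample paths and PIDs are assumptions, not data from the report."""

from dataclasses import dataclass


@dataclass
class Event:
    kind: str            # "process" (creation) or "network" (outbound connection)
    pid: int
    ppid: int = 0        # parent PID, only meaningful for "process" events
    image: str = ""      # full path of the executable
    cmdline: str = ""
    dest_host: str = ""  # only set for "network" events


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Hosts the article names as part of the chain; tune to the environment.
WATCHED_DESTS = {"api.telegram.org", "raw.githubusercontent.com"}


def normalize(path: str) -> str:
    return path.replace("\\", "/").lower()


def basename(path: str) -> str:
    return normalize(path).rsplit("/", 1)[-1]


def detect(events):
    """Return (rule, pid, detail) findings for the events given."""
    by_pid = {e.pid: e for e in events if e.kind == "process"}
    findings = []
    for e in events:
        if e.kind == "process":
            img = basename(e.image)
            parent = by_pid.get(e.ppid)
            pimg = basename(parent.image) if parent else ""
            # Rule 1: a Windows script host spawning PowerShell (the VB-script stage).
            if img == "powershell.exe" and pimg in SCRIPT_HOSTS:
                findings.append(("script_host_spawns_powershell", e.pid, pimg))
            # Rule 2: the bundled UnRAR.exe executed from a temp/staging directory.
            if img == "unrar.exe" and "/temp/" in normalize(e.image):
                findings.append(("unrar_run_from_temp", e.pid, e.image))
        elif e.kind == "network":
            # Rule 3: PowerShell talking to the hosts used for the batch file and exfil.
            proc = by_pid.get(e.pid)
            if proc and basename(proc.image) == "powershell.exe" \
                    and e.dest_host.lower() in WATCHED_DESTS:
                findings.append(("powershell_contacts_watched_host", e.pid, e.dest_host))
    return findings


# Constructed sample telemetry modelled on the chain in the article.
SAMPLE_EVENTS = [
    Event("process", 100, 1, r"C:\Windows\System32\msiexec.exe", "msiexec /i installer.msi"),
    Event("process", 101, 100, r"C:\Windows\System32\wscript.exe",
          r"wscript.exe C:\Users\u\AppData\Local\Temp\setup.vbs"),
    Event("process", 102, 101, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell -w hidden -c ..."),
    Event("network", 102, dest_host="raw.githubusercontent.com"),
    Event("network", 102, dest_host="api.telegram.org"),
    Event("process", 103, 102, r"C:\Users\u\AppData\Local\Temp\UnRAR.exe", "UnRAR.exe x -p... a.rar"),
    # Benign control: an interactive PowerShell started from Explorer triggers nothing.
    Event("process", 200, 1, r"C:\Windows\explorer.exe"),
    Event("process", 201, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

On the constructed sample this yields one hit per rule (two for the network rule, one per host) and nothing for the benign Explorer-launched PowerShell. Rule 3 will also fire on legitimate administrators pulling scripts from GitHub, so in practice it is a correlation input rather than an alert on its own; the value of the chain is the combination of all three within one process tree.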

Broader Implications and Additional Campaigns

The deployment of cryptocurrency malware via SourceForge is not an isolated incident. Kaspersky’s report highlights broader implications, suggesting that the malware scheme may enable attackers to gain system access, potentially selling it to more dangerous entities. This aspect underscores the significant threat posed to users who download software from unofficial sources.

Further complicating the picture, another campaign involves distributing a malware downloader known as TookPS. This downloader spreads via fraudulent sites imitating legitimate software platforms. For instance, sites like “deepseek-ai-soft[.]com” mimic the DeepSeek AI chatbot and various remote desktop and 3D modeling tools. These fake websites appear authentic and often rank high in sponsored Google search results, ensnaring unsuspecting users. TookPS’s primary function is to download and run PowerShell scripts that allow remote access to infected systems via SSH. The downloader also deploys a modified trojan called TeviRat, which gives attackers unrestrained access to victims’ computers.

Additionally, Kaspersky’s findings indicate the use of DLL sideloading techniques to alter TeamViewer remote access software on infected machines. By placing a malicious library alongside TeamViewer, hackers can modify its behavior stealthily, enabling covert remote access without the user’s awareness.
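DLL sideloading works because the application loads whatever library sits beside it, so the defensive check is an integrity baseline of the install directory: record the hash of every DLL from a known-good installation, then flag any DLL that later appears, changes or disappears. The following is an added example illustrating that check; it is not code from Kaspersky's report, from the article, or from TeamViewer, and the file names it creates (`vendor.dll`, `planted.dll`, a stub `TeamViewer.exe`) are constructed stand-ins rather than real TeamViewer files.

```python
"""Added example: baseline-and-audit check for DLLs placed alongside an
application, the pattern used in the sideloading described in the article.
All file names and contents below are constructed for the demonstration."""

from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(app_dir: Path) -> dict[str, str]:
    """Record the hash of every DLL in a known-good install directory."""
    return {p.name.lower(): sha256_file(p)
            for p in app_dir.iterdir() if p.suffix.lower() == ".dll"}


def audit(app_dir: Path, manifest: dict[str, str]) -> list[tuple[str, str]]:
    """Compare the directory against the baseline and report deviations."""
    findings: list[tuple[str, str]] = []
    seen: set[str] = set()
    for p in sorted(app_dir.iterdir()):
        if p.suffix.lower() != ".dll":
            continue
        name = p.name.lower()
        seen.add(name)
        if name not in manifest:
            # A DLL the vendor never shipped: the classic sideload candidate.
            findings.append(("unexpected_dll", p.name))
        elif sha256_file(p) != manifest[name]:
            # A shipped DLL whose contents changed after install.
            findings.append(("modified_dll", p.name))
    for name in manifest:
        if name not in seen:
            findings.append(("missing_dll", name))
    return findings


def demo() -> list[tuple[str, str]]:
    """Build a constructed install dir, baseline it, then simulate a sideload."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp)
        (app / "TeamViewer.exe").write_bytes(b"stub executable (constructed)")
        (app / "vendor.dll").write_bytes(b"vendor library v1 (constructed)")
        manifest = build_manifest(app)          # taken from the clean install
        # Simulated compromise: one dropped DLL and one tampered vendor DLL.
        (app / "planted.dll").write_bytes(b"non-vendor library (constructed)")
        (app / "vendor.dll").write_bytes(b"vendor library v1 (constructed) + patch")
        return audit(app, manifest)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The baseline must be captured from a trusted source (a fresh install or the vendor's own hash list) and stored outside the directory being audited; a manifest that lives beside the DLLs can be rewritten by the same actor who plants them. Pairing this with Authenticode signature verification on Windows closes the remaining gap of a signed-but-unexpected library.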

Evolving Threat Landscape

Malicious actors have exploited SourceForge, a respected software-hosting platform, to spread cryptocurrency miner and clipper malware. They disguise these harmful programs as cracked versions of popular applications, deceiving users into downloading what they think are legitimate software packages such as Microsoft Office. This treacherous tactic not only undermines the trust in well-known applications but also puts users at serious risk of cybersecurity threats. Instead of getting the desired software, users end up with malware that can drain their computer’s resources by mining cryptocurrencies or intercept and alter clipboard contents to steal sensitive information, such as cryptocurrency wallet addresses or other personal data. This kind of malicious attack highlights the importance of downloading software only from trusted sources and being wary of cracked versions, which often come with hidden dangers. SourceForge’s reputation as a reliable platform is being manipulated by these bad actors, stressing a need for greater vigilance and stronger security measures to protect users from such deceptive practices.
