
Threat actors have been exploiting the SourceForge platform to spread counterfeit Microsoft add-ins that install malware on victims’ systems with the objective of mining and stealing cryptocurrency, it has emerged. SourceForge.net is a legitimate platform for hosting and distributing software, widely used by open-source communities for features such as version control and bug tracking. Although its open project submission model leaves it open to abuse, it is rare for malware to be distributed through the platform.
According to reporting by BleepingComputer, Kaspersky has detected a campaign affecting more than 4,604 systems, primarily in Russia. Although the malicious project has since been removed from SourceForge, it had already been indexed by search engines, so users searching for “office add-ins” were led to it. The “officepackage” project posed as a suite of Office Add-in development tools, imitating the legitimate Microsoft project ‘Office-Addin-Scripts’ available on GitHub.
Attackers used search engine indexing to lure unsuspecting users
Users searching for office add-ins on search engines such as Google were directed to “officepackage.sourceforge.io,” which looked like a legitimate developer tool site, complete with “Office Add-ins” and “Download” buttons. Clicking either button downloaded a ZIP file containing a password-protected archive (installer.zip) and a text file with the password.
The archive contained an MSI file (installer.msi), inflated to 700MB to evade antivirus scanning. Executing this file dropped ‘UnRAR.exe’ and ‘51654.rar,’ and ran a Visual Basic script to retrieve a batch script (confvk.bat) from GitHub.
The batch script inspected the environment for signs of a sandbox or emulated system and for active antivirus products, then downloaded a second batch script (confvz.bat) and extracted the RAR archive. The confvz.bat script established persistence by modifying the Registry and adding Windows services. The RAR file contained an AutoIT interpreter (Input.exe), the Netcat reverse shell tool (ShellExperienceHost.exe), and two payloads (Icon.dll and Kape.dll).
These DLL files function as a cryptocurrency miner and a clipper, respectively. The miner uses the computer’s processing power to mine cryptocurrency for the attacker, while the clipper monitors the clipboard for cryptocurrency addresses and substitutes them with addresses controlled by the attacker.
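As an added illustration (not code from the report, from Kaspersky or from the campaign), the following Python sketch shows the behavioural signature a defender can look for to spot a clipper of this kind: a clipboard value that looks like a cryptocurrency address being replaced by a different address of the same family with no copy action from the user. The address regexes, the Snapshot record and the sample timeline are constructed assumptions; feeding it real clipboard events would need a platform-specific clipboard hook, which is left out.

```python
import re
from dataclasses import dataclass

# Address shapes a clipper typically watches for. Simplified format checks only (no checksums).
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def classify(text):
    """Return the address family the text looks like, or None."""
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return name
    return None

@dataclass
class Snapshot:
    t: float          # seconds since monitoring started
    text: str         # clipboard contents at that moment
    user_copy: bool   # a copy keystroke or menu action was observed for this change

def find_clipper_swaps(snapshots, max_gap=2.0):
    """Flag address-for-address rewrites that no user copy action explains.
    A clipper overwrites the clipboard moments after the victim copies an address
    and keeps the same address family so the pasted value still looks plausible.
    """
    swaps = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        family = classify(prev.text)
        if (family is not None and classify(cur.text) == family
                and cur.text != prev.text and not cur.user_copy
                and cur.t - prev.t <= max_gap):
            swaps.append((prev.text, cur.text))
    return swaps

# Constructed sample timeline: the victim copies their own address, the clipper rewrites it.
VICTIM_ADDR = "0x" + "a1" * 20     # constructed, not a real wallet
ATTACKER_ADDR = "0x" + "b2" * 20   # constructed, not a real wallet

def run_demo():
    timeline = [
        Snapshot(0.0, "meeting notes for Monday", True),
        Snapshot(5.0, VICTIM_ADDR, True),        # user copies an address
        Snapshot(5.2, ATTACKER_ADDR, False),     # silent rewrite: the clipper signature
        Snapshot(30.0, "0x" + "c3" * 20, True),  # user copies another address: benign
    ]
    return find_clipper_swaps(timeline)
```

A monitoring agent would feed `find_clipper_swaps` a rolling window of real snapshots and raise an alert on any result, which is also a cue to check the pasted destination before sending funds.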
The attacker also collects system information via Telegram API calls and can use the same channel to deliver additional payloads to the compromised machine. The campaign illustrates how threat actors abuse legitimate platforms to borrow their credibility and slip past security controls.
Users are advised to download software only from verified publishers, prefer official project channels such as GitHub, and scan all downloaded files with an updated antivirus tool before execution.
“There were no malicious files hosted on SourceForge, and there were no breaches of any kind,” said SourceForge president Logan Abbott. “The malicious actor and project in question were removed almost immediately after it was discovered. All files on SourceForge.net (the main website, not the project website subdomains) are scanned for malware and that is where users should download files from.”