This article highlights a unique malware distribution scheme exploiting SourceForge, where a project named ‘officepackage’ appears legitimate but instead leads to malicious downloads. The attack mainly targets Russian-speaking users, distributing malware disguised as Microsoft Office add-ins. Affected: SourceForge, Russian users, cryptocurrency users
Key points:
- Malware distributed through a faux project on SourceForge.
- ‘officepackage’ project redirects users to harmful downloads.
- The download is a compressed archive that in turn leads to a larger installer file.
- Installer uses PowerShell scripts and batch files to execute further malicious actions.
- The attack targets cryptocurrency users with malware that replaces wallet addresses.
- The scheme primarily affects Russian-speaking users.
- Users are advised against downloading software from untrusted sources.
MITRE Techniques:
- T1203 – Exploitation for Client Execution: Users are tricked into downloading and executing a malicious installer disguised as legitimate software.
- T1071 – Application Layer Protocol: The malware communicates with remote servers using standard protocols.
- T1059 – Command and Scripting Interpreter: PowerShell scripts are used to execute further commands.
- T1566 – Phishing: The project masquerades as a valid software distribution to lure users.
- T1489 – Service Stop: The malware attempts to stop security processes to avoid detection.
Indicators of Compromise:
- [URL] https://loading.sourceforge[.]io/download
- [Domain] officepackage.sourceforge[.]io
- [File] vinstaller.zip
- [File] installer.zip
- [Registry Key] HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe
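The registry IoC above is a per-executable subkey under Image File Execution Options (IFEO). The following PowerShell audit is an added example, not code from the article or from Kaspersky; it assumes the thing worth flagging under such a subkey is a Debugger value (the documented IFEO mechanism that redirects a program launch), which the article itself does not state, and it also walks every IFEO subkey so the same check covers other executables.

```powershell
# Added example (not from the article): audit the IFEO key named among the IoCs.
# Assumption: a 'Debugger' value under a per-executable IFEO subkey is the
# indicator to report; the article only names the key, not its values.
$ifeo   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$target = Join-Path $ifeo 'MicrosoftEdgeUpdate.exe'

function Test-IfeoDebugger {
    param([Parameter(Mandatory)][string]$KeyPath)
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        return [pscustomobject]@{ Key = $KeyPath; Present = $false; Debugger = $null }
    }
    $props = Get-ItemProperty -LiteralPath $KeyPath
    [pscustomobject]@{
        Key      = $KeyPath
        Present  = $true
        Debugger = $props.Debugger   # $null when no Debugger value is set
    }
}

# 1. The specific key from the IoC list.
$result = Test-IfeoDebugger -KeyPath $target
$result | Format-List
if ($result.Present -and $result.Debugger) {
    Write-Warning "IFEO Debugger set for MicrosoftEdgeUpdate.exe: $($result.Debugger)"
}

# 2. Generalisation: every IFEO subkey that carries a Debugger value.
Get-ChildItem -LiteralPath $ifeo |
    ForEach-Object { Test-IfeoDebugger -KeyPath $_.PSPath } |
    Where-Object { $_.Debugger } |
    Format-Table -AutoSize
```

Run it in an elevated session so the HKLM hive is readable in full; a Debugger value pointing at anything other than a known debugger deserves follow-up.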
Full Story: https://securelist.com/miner-clipbanker-sourceforge-campaign/116088/