Kaspersky has alerted a new malware campaign that uses a development project of Non -legitimate Microsoft Office accessories Hstasted in Soundforge, with the aim of infecting victims computers and stealing cryptocurrencies among other malicious tasks.
Sourceforge.net is a legitimate platform for distribution and software housing that also admits version control, error monitoring and dedicated forums/forums, which makes it Very popular among open source project communities. Although its open project sending model gives a wide margin for abuse, seeing distributed malware is something that occurs rarely. But it can happen.
Be careful with the accessories for Microsoft Office!
The new campaign detected by Kaspersky has affected more than 4,604 systems, most of which are in Russia, but have been distributed online. Although Sourceforge has already cleaned the sources, the cybersecurity firm says that the project had been indexed by search engines, attracting traffic of users who were looking for «Office accessories» The similar.
The “Offepackage” project was presented as a Office accessories development tools collectionand its description and files are a copy of the legitimate project of Microsoft ‘Office-Addin-Scripts’, available in Github. However, when users seek office accessories in the search for Google (and other engines), they obtain results that point to «Offepackage.SourceForge.io», driven by an independent web accommodation function that SourceForge offers to project owners.
That page mimics a legitimate page of developer tools, showing the “Office accessories” and “Download” buttons. If any click, the victim receives a ZIP file with a password protected file (installer.zip) and a text file with the password.
The file contains an MSI file (installer.msi) increased to 700 MB to evade antivirus analysis. When executing it, the ‘Unrar.exe’ and ‘51654.rar’ files are deleted and a visual basic script is executed that obtains a batch script (confvk.bat) from Github. The script performs checks to determine if it is executed in a simulated environment and which antivirus products are active and then download another lot by lots (confvz.bat) and decompresses the RAR file.
The result of this process is infection of the equipment affected with DLL files, cryptocurrency malware. The attackers kidnap the computational capacity of the machine to undermine cryptocurrencies from the attacker’s account and, in addition, monitor the clipboard in search of cryptocurrency directions copied to replace them with those controlled by cybercriminals.
Developers are recommended to download only reliable editors who can verify, preferably use the official project channels (in this case, Github) and scan all files downloaded with a powerful and well updated AV tool before execution.
