CyberSecurity news

Source: gbhackers.com
Cybercriminals are exploiting SourceForge, a legitimate software hosting and distribution platform, to spread malware disguised as Microsoft Office add-ins. Attackers are using SourceForge's subdomain feature to create fake project pages, making them appear credible and increasing the likelihood of successful malware distribution. One such project, named "officepackage," contains Microsoft Office add-ins copied from a legitimate GitHub project, but the subdomain "officepackage.sourceforge[.]io" displays a list of office applications with download links that lead to malware. This campaign is primarily targeting Russian-speaking users.

The attackers are manipulating search engine rankings to ensure these fake project pages appear prominently in search results. When users search for Microsoft Office add-ins, they are likely to encounter these malicious pages, which appear legitimate at first glance. Clicking the download button redirects users through a series of intermediary sites before finally downloading a suspicious 7MB archive named "vinstaller.zip." This archive contains another password-protected archive, "installer.zip," and a text file with the password.

Inside the second archive is an MSI installer responsible for creating several files and executing embedded scripts. A Visual Basic script downloads and executes a batch file that unpacks additional malware components, including a cryptocurrency miner and the ClipBanker Trojan. This Trojan steals cryptocurrency by hijacking cryptocurrency wallet addresses. Telemetry data shows that 90% of potential victims are in Russia, with over 4,604 users impacted by this campaign.
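ClipBanker belongs to the "clipper" family: it watches the clipboard and swaps a copied wallet address for an attacker-controlled one, so the victim pastes the wrong destination into a transfer. That behaviour is widely documented for clipper malware but not spelled out on this page, so it is treated as an assumption here. The following heuristic is an added example, not code from the page or from any of the cited researchers: it replays a constructed sequence of clipboard snapshots and raises an alert when an address-like string is replaced by a different address of the same currency family within a short window, which is what a clipper does and a human almost never does. The address regexes, the two-second window and the sample events are all assumptions chosen for illustration.

```python
import re
from typing import Optional

# Address patterns for the two most commonly clipped currencies (assumed
# shapes; no checksum validation). They only need to say "this looks like
# a wallet address", which is all a clipper cares about too.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"[13][a-km-zA-HJ-NP-Z1-9]{25,34}"),
    "btc_bech32": re.compile(r"bc1[ac-hj-np-z02-9]{25,62}"),
    "eth": re.compile(r"0x[0-9a-fA-F]{40}"),
}


def classify_address(text: str) -> Optional[str]:
    """Return the currency family ("btc", "eth") if the whole clipboard
    text is a wallet address, otherwise None."""
    text = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(text):
            return name.split("_")[0]  # "btc_legacy" / "btc_bech32" -> "btc"
    return None


def detect_clipboard_swaps(events, window_seconds: float = 2.0):
    """Flag clipper-style substitutions in a list of (timestamp, content)
    clipboard snapshots ordered by time.

    Rule: an address is followed, within `window_seconds`, by a *different*
    address of the *same* family. Same content re-copied, a non-address, or
    a different family (user copying two unrelated things) is ignored.
    """
    alerts = []
    for (t_prev, prev), (t_cur, cur) in zip(events, events[1:]):
        kind_prev, kind_cur = classify_address(prev), classify_address(cur)
        if kind_prev is None or kind_prev != kind_cur:
            continue
        if prev.strip() == cur.strip():
            continue  # user simply copied the same address again
        delta = t_cur - t_prev
        if delta <= window_seconds:
            alerts.append({
                "family": kind_cur,
                "original": prev.strip(),
                "replacement": cur.strip(),
                "seconds_after_copy": round(delta, 3),
            })
    return alerts


# Constructed clipboard history for demonstration (not real telemetry).
# Addresses are well-known public example values, not attacker infrastructure.
SAMPLE_EVENTS = [
    (0.0, "meeting notes for tuesday"),
    (5.0, "0x52908400098527886E0F7030069857D2E4169EE7"),   # user copies an ETH address
    (5.2, "0xDeaDbeefdEAdbeefdEadbEEFdeadbeEFdEaDbeeF"),   # swapped 200 ms later -> alert
    (20.0, "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),  # BTC, copied by the user
    (20.5, "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),  # same content again -> benign
    (50.0, "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),          # 30 s later -> benign
]


if __name__ == "__main__":
    for alert in detect_clipboard_swaps(SAMPLE_EVENTS):
        print("clipper-like swap:", alert)
```

The window is the tuning knob: too short and a slow clipper escapes, too long and a user who copies two addresses in quick succession gets a false positive. On a real endpoint the events would come from a clipboard-change hook; the rule itself does not depend on how the snapshots are collected.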



References:
  • cyberpress.org: Threat Actors Leverage SourceForge Platform to Spread Malware
  • gbhackers.com: Attackers Exploit SourceForge Platform to Distribute Malware
  • Securelist: Attackers distributing a miner and the ClipBanker Trojan via SourceForge
  • The Hacker News: The Hacker News Article on Cryptocurrency Miner and Clipper Malware Spread via SourceForge
  • Cyber Security News: Threat Actors Leverage SourceForge Platform to Spread Malware
  • gbhackers.com: GBHackers article on Attackers Exploit SourceForge Platform to Distribute Malware
  • BleepingComputer: Threat actors are abusing SourceForge to distribute fake Microsoft add-ins that install malware on victims' computers to both mine and steal cryptocurrency.
  • The DefendOps Diaries: Unmasking the SourceForge Malware Campaign: A Deceptive Attack on Users
  • bsky.app: Threat actors are abusing SourceForge to distribute fake Microsoft add-ins that install malware on victims' computers to both mine and steal cryptocurrency.
  • securityonline.info: For many developers, SourceForge has long been a cornerstone of open-source collaboration — a trusted hub to host and distribute software. But for cybercriminals, it has recently become a platform to stage deception.
  • securityonline.info: SourceForge Used to Distribute ClipBanker Trojan and Cryptocurrency Miner
  • Cyber Security News: Cybersecurity News article on SourceForge malware distribution
  • Tech Monitor: Threat actors exploit SourceForge to spread fake Microsoft add-ins
Classification:
  • HashTags: #SourceForge #Malware #Cryptomining
  • Company: SourceForge
  • Target: Russian Speaking Users
  • Product: SourceForge
  • Feature: Malware Distribution
  • Malware: ClipBanker, Miner
  • Type: Malware
  • Severity: Medium