Ethical Hacking News
Malicious actors are abusing SourceForge to distribute a fake Microsoft Office add-in project that installs cryptocurrency-mining and clipboard-hijacking malware on victims' computers. The "officepackage" project had reached more than 4,604 systems, most of them in Russia, before it was removed from SourceForge. Users should download software only from publishers they can verify, prefer official project channels, and treat unexpected password-protected archives and oversized installers as warning signs.
Malicious actors have been abusing a legitimate software hosting platform to distribute fake Microsoft Office add-in tools that compromise victims' computers and let the attackers mine and steal cryptocurrency. The malicious project, "officepackage," was hosted on SourceForge.net, a popular open-source project hosting community that also offers version control, bug tracking, and dedicated forums and wikis.
The "officepackage" project presented itself as a collection of Office Add-in development tools; its description and files were copied from Microsoft's legitimate 'Office-Addin-Scripts' project on GitHub. Users who searched for Office add-ins on Google or other search engines were shown results pointing to the fake "officepackage" project on SourceForge. The project page mimicked a legitimate developer tool page, complete with "Office Add-ins" and "Download" buttons.
Clicking either button delivered a ZIP file containing a password-protected archive (installer.zip) and a text file holding its password. The archive contained an MSI file (installer.msi) padded with junk data to roughly 700MB, a size chosen to evade antivirus (AV) scanning, since many scanners skip or abandon files above a size limit. Running the MSI dropped 'UnRAR.exe' and '51654.rar' and executed a Visual Basic script that fetched a batch script (confvk.bat) from GitHub.
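The delivery chain above can be triaged offline before anything is run. The following Python script is an added example for this article, not code from the article, from Kaspersky, or from the campaign: it reads only the ZIP central directory, so an encrypted inner archive can still be inspected without its password, and it flags the traits described above (a password-protected member, a nested archive, executable content, and an installer that deflates far too well to be anything but padding). The size and ratio thresholds, the sample archive it builds, and the fake MSI header are this example's assumptions.

```python
"""Offline triage of a downloaded archive before anything in it is run.

Added example; not code from the article, from Kaspersky or from the campaign.
It reads only the ZIP central directory, so an encrypted inner archive can be
inspected without its password. Thresholds are assumptions chosen to catch
installers padded with junk, not values from the article.
"""
import io
import re
import zipfile

BIG_FILE_BYTES = 50 * 1024 * 1024   # assumed: flag members above 50 MB ...
PADDING_RATIO = 20.0                 # ... that shrink 20x or more when deflated
NESTED_ARCHIVE = re.compile(r"\.(zip|rar|7z)$", re.IGNORECASE)
EXECUTABLE = re.compile(r"\.(msi|exe|bat|cmd|vbs|js|ps1)$", re.IGNORECASE)
ENCRYPTED_BIT = 0x1                  # general-purpose flag bit 0 in the ZIP spec


def triage_members(infos):
    """Return (member_name, reason) findings for an iterable of zipfile.ZipInfo."""
    findings = []
    for zi in infos:
        if zi.is_dir():
            continue
        name = zi.filename
        if zi.flag_bits & ENCRYPTED_BIT:
            findings.append((name, "encrypted member (password-protected archive)"))
        if NESTED_ARCHIVE.search(name):
            findings.append((name, "nested archive"))
        if EXECUTABLE.search(name):
            findings.append((name, "executable content"))
        if zi.file_size >= BIG_FILE_BYTES and zi.compress_size > 0:
            ratio = zi.file_size / zi.compress_size
            if ratio >= PADDING_RATIO:
                findings.append((name, f"{zi.file_size // 2**20} MB member deflates "
                                       f"{ratio:.0f}x: likely junk padding"))
    return findings


def triage_zip(src, depth=0, max_depth=2):
    """Triage a ZIP (path or file object); recurse into unencrypted nested ZIPs."""
    with zipfile.ZipFile(src) as zf:
        findings = triage_members(zf.infolist())
        for zi in zf.infolist():
            nested = zi.filename.lower().endswith(".zip")
            if nested and not zi.flag_bits & ENCRYPTED_BIT and depth < max_depth:
                for name, reason in triage_zip(io.BytesIO(zf.read(zi)), depth + 1, max_depth):
                    findings.append((f"{zi.filename}/{name}", reason))
        return findings


def build_sample_download():
    """Constructed stand-in for the delivery chain: an outer ZIP with a readme and
    an inner installer.zip whose installer.msi is 64 MB of zero padding behind a
    fake header. The real installer.zip was password-protected; zipfile cannot
    write encrypted entries, so the inner archive here is left unencrypted."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("installer.msi", b"FAKE-MSI-HEADER" + b"\x00" * (64 * 1024 * 1024))
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Readme.txt", "password for installer.zip: 1234\n")
        zf.writestr("installer.zip", inner.getvalue())
    outer.seek(0)
    return outer


if __name__ == "__main__":
    for name, reason in triage_zip(build_sample_download()):
        print(f"{name}: {reason}")
```

Because only the central directory is read, the encrypted-member bit and the absurd compression ratio of a padded installer are both visible without extracting anything or knowing the password. Where a publisher posts a hash or signature for a release, comparing it against the download is the stronger check; this triage is for the common case where no such reference exists.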
That script checked whether it was running in a sandbox or virtual machine and which antivirus products were active, then downloaded a second batch script (confvz.bat) and unpacked the RAR archive. confvz.bat established persistence through Registry modifications and newly created Windows services, and finally installed a miner that hijacked the machine's computational power to mine cryptocurrency for the attacker's account.
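Persistence through Run keys and added services is cheap to audit. The Python script below is an added example, not code from the article or from the campaign: it scores autostart entries with a few heuristics (a command that runs from a user-writable directory, a script host launching a script, common miner command-line indicators) and, on Windows, can read the real Run keys through winreg. The registry paths are the real Windows locations; the sample entries, the hostname pool.example, and the heuristics themselves are assumptions, since the article names neither the miner used nor the exact keys modified.

```python
"""Audit of Windows autostart entries (Run-key values and service ImagePaths).

Added example; not code from the article or from the campaign. Registry paths
are real Windows locations; SAMPLE_ENTRIES are constructed; the heuristics and
the miner indicators are assumptions (the article names no specific miner).
"""
import re
import sys

RUN_KEYS = [
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
]
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\",
                           re.IGNORECASE)
SCRIPT_HOST = re.compile(r"(cmd|wscript|cscript|powershell|mshta)\.exe.*\.(bat|cmd|vbs|js|ps1|hta)\b",
                         re.IGNORECASE)
MINER_HINTS = re.compile(r"xmrig|stratum\+tcp|--donate-level|cryptonight|randomx", re.IGNORECASE)

# Constructed sample: (kind, registry location, value or service name, command line).
SAMPLE_ENTRIES = [
    ("run", RUN_KEYS[0], "SecurityHealth",
     r"%windir%\system32\SecurityHealthSystray.exe"),
    ("run", RUN_KEYS[1], "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("run", RUN_KEYS[1], "Updater",
     r'wscript.exe //B "C:\Users\alice\AppData\Roaming\Update\start.vbs"'),
    ("run", RUN_KEYS[1], "SystemHelper",   # pool.example is a hypothetical host
     r'"C:\Users\alice\AppData\Local\Temp\sys.exe" -o stratum+tcp://pool.example:3333 --donate-level 1'),
    ("service", r"HKLM\SYSTEM\CurrentControlSet\Services\WinSys",
     "WinSys", r"C:\ProgramData\WinSys\svc.exe --config C:\ProgramData\WinSys\c.json"),
    ("service", r"HKLM\SYSTEM\CurrentControlSet\Services\Spooler",
     "Spooler", r"C:\Windows\System32\spoolsv.exe"),
]


def reasons_for(command):
    """Heuristic reasons an autostart command deserves a closer look."""
    reasons = []
    if USER_WRITABLE.search(command):
        reasons.append("runs from a user-writable directory")
    if SCRIPT_HOST.search(command):
        reasons.append("launches a script through a script host")
    if MINER_HINTS.search(command):
        reasons.append("miner command-line indicators")
    return reasons


def audit(entries):
    """Return [(kind, location, name, command, reasons)] for flagged entries only."""
    flagged = []
    for kind, location, name, command in entries:
        reasons = reasons_for(command)
        if reasons:
            flagged.append((kind, location, name, command, reasons))
    return flagged


def collect_run_keys():
    """Read the real Run keys on Windows; returns [] on other platforms."""
    if sys.platform != "win32":
        return []
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    entries = []
    for path in RUN_KEYS:
        hive, subkey = path.split("\\", 1)
        try:
            with winreg.OpenKey(hives[hive], subkey) as key:
                index = 0
                while True:
                    try:
                        name, value, _ = winreg.EnumValue(key, index)
                    except OSError:          # no more values under this key
                        break
                    entries.append(("run", path, name, str(value)))
                    index += 1
        except OSError:                      # key missing or access denied
            continue
    return entries


if __name__ == "__main__":
    for kind, location, name, command, reasons in audit(collect_run_keys() or SAMPLE_ENTRIES):
        print(f"[{kind}] {location}\\{name}: {command}\n    " + "; ".join(reasons))
```

The OneDrive entry in the sample shows the main caveat: legitimate per-user applications also run from AppData, so the directory heuristic is a prompt to check the binary's Authenticode signature and publisher, not a verdict on its own. Service ImagePath values are not collected by the script; on Windows they can be exported with `Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\*' -Name ImagePath -ErrorAction SilentlyContinue` and fed in as "service" entries.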
The malware also monitored the clipboard for copied cryptocurrency wallet addresses and silently replaced them with attacker-controlled ones, so that a payment the victim meant to send elsewhere went to the attacker. It also reported information about the infected system to the attacker through Telegram API calls and could use the same channel to deliver additional payloads to the compromised machine.
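A clipboard hijacker leaves a recognisable trace: the clipboard changes from one wallet address to a different address of the same kind within moments of the user's copy. The Python script below is an added example, not code from the article or from the campaign, that applies exactly that rule to a sequence of polled clipboard snapshots. The address patterns cover Bitcoin legacy and bech32 formats and Ethereum; the snapshot log is constructed, and the 2-second swap window is an assumption.

```python
"""Clipper (clipboard-hijacker) detection over polled clipboard snapshots.

Added example; not code from the article or from the campaign. Address patterns
cover Bitcoin legacy/bech32 and Ethereum; the snapshots are constructed, and the
2-second window is an assumption: a hijacker rewrites the clipboard moments after
the user copies, whereas a user rarely copies two different wallet addresses of
the same kind that quickly.
"""
import re

ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

# Constructed poll log: (seconds since start, clipboard text). The 5.3 s entry is
# the swap a clipper would perform; the later copies are ordinary user actions.
SAMPLE_SNAPSHOTS = [
    (0.0, "meeting notes for Tuesday"),
    (5.0, "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),
    (5.3, "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"),
    (20.0, "0xde0B295669a9FD93d5F28D9Ec85E40f4cb697BAe"),
    (45.0, "0x742d35Cc6634C0532925a3b844Bc454e4438f44e"),
    (60.0, "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),
    (60.4, "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2\n"),   # same address, only whitespace
]


def address_type(text):
    """Return 'btc', 'eth' or None for the stripped clipboard text."""
    stripped = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(stripped):
            return kind
    return None


def detect_clipper(snapshots, window=2.0):
    """Return [(time, original, replacement)] for every clipboard change where a
    wallet address became a different address of the same type within `window`."""
    alerts = []
    prev_time, prev_text = None, None
    for now, raw in snapshots:
        text = raw.strip()
        if prev_text is not None and text != prev_text:
            before, after = address_type(prev_text), address_type(text)
            if before is not None and before == after and now - prev_time <= window:
                alerts.append((now, prev_text, text))
        prev_time, prev_text = now, text
    return alerts


if __name__ == "__main__":
    for when, original, replacement in detect_clipper(SAMPLE_SNAPSHOTS):
        print(f"t={when:.1f}s clipboard address swapped: {original} -> {replacement}")
```

The two Ethereum copies 25 seconds apart and the whitespace-only change at 60.4 s are deliberately left unflagged: the rule fires only on a same-type address swap inside the window. On a live Windows host the snapshots can come from polling `Get-Clipboard` in PowerShell; the simpler user-level defence remains comparing the pasted address against the source before sending.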
This campaign is another example of threat actors abusing legitimate platforms to borrow their reputation and bypass protections. Users are advised to download software only from publishers they can verify, to prefer official project channels (in this case, GitHub), and to scan all downloaded files with an up-to-date AV tool before execution.
According to Kaspersky, the malicious "officepackage" project reached more than 4,604 systems, most of them in Russia. The project has since been removed from SourceForge, but while it was live its indexing by search engines drew traffic from users searching for "office add-ins" and similar terms.
The spread of fake Microsoft Office add-ins pushing malware via SourceForge highlights the need for caution when downloading software from sources that cannot be verified, even when it is hosted on a well-known platform, and for basic safeguards such as up-to-date AV tools and verification of software authenticity before installation. A password-protected archive, an installer of several hundred megabytes, and a download page that merely mirrors a known GitHub project are all warning signs worth heeding.
Related Information:
https://www.ethicalhackingnews.com/articles/Fake-Microsoft-Office-Add-ins-Push-Malware-via-SourceForge-A-Rise-in-Cyber-Threats-ehn.shtml
https://www.bleepingcomputer.com/news/security/fake-microsoft-office-add-in-tools-push-malware-via-sourceforge/
https://undercodenews.com/the-rise-of-fake-microsoft-add-ins-how-threat-actors-use-sourceforge-to-distribute-malware/
Published: Tue Apr 8 16:21:29 2025 by llama3.2 3B Q4_K_M