Cybercriminals have deployed fake Microsoft Office extensions on SourceForge to steal crypto funds. The malicious actors created a project that mimics a real developer tool page.
It hides malware that hijacks crypto wallet addresses during clipboard operations. The scheme runs on a software hosting site and affects users searching for legitimate Office add-ins. The malware spreads when users download the infected package.
Disguised Malware in Office Tools
Cybersecurity firm Kaspersky has revealed that the fake project called “officepackage” carries a hidden threat. This project appears like a genuine Microsoft Office add-in tool hosted on SourceForge.
The malware, known as ClipBanker, intercepts wallet addresses that users copy and replaces them with the attacker’s address. Users may unknowingly lose crypto funds when their address is overwritten. The scheme targets those who copy addresses instead of manually typing them.
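The address-swapping behaviour described above can be detected on the endpoint by comparing what the user actually copied with what the clipboard later contains. The Python below is an added example, not code from Kaspersky's report or from this article; it assumes a hypothetical clipboard monitor that records "user" copy events and periodic "poll" reads, and works over a constructed event log rather than the live clipboard.

```python
"""Heuristic detector for ClipBanker-style clipboard address substitution."""
import re
from dataclasses import dataclass

# Loose wallet-address shapes (assumption: sufficient for a heuristic, not a validator).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[0-9a-z]{25,59}|[13][1-9A-HJ-NP-Za-km-z]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

@dataclass
class ClipEvent:
    t: float      # seconds since monitor start
    source: str   # "user" = copy initiated by the user, "poll" = periodic clipboard read
    text: str

def address_kind(text):
    """Return 'btc', 'eth', or None for the given clipboard text."""
    for kind, pat in ADDRESS_PATTERNS.items():
        if pat.match(text.strip()):
            return kind
    return None

def find_substitutions(events, window=5.0):
    """Return (t, copied, replacement, kind) tuples where an address the user copied
    turned into a different address within `window` seconds without a new user copy."""
    alerts, last_user = [], None   # last_user = (t, text, kind)
    for ev in sorted(events, key=lambda e: e.t):
        text, kind = ev.text.strip(), address_kind(ev.text)
        if ev.source == "user":
            last_user = (ev.t, text, kind) if kind else None
        elif last_user and text != last_user[1]:
            if kind and ev.t - last_user[0] <= window:
                alerts.append((ev.t, last_user[1], text, kind))
            last_user = None   # clipboard moved on; avoid repeated alerts
    return alerts

# Constructed sample values (not real wallets or indicators).
USER_BTC = "1Bd7oKpG6eYfk7CAaKbqJpgJhAvXnpVcVM"
SWAPPED_BTC = "bc1qtestattackerswap0000000000000000000"
USER_ETH = "0x" + "ab12" * 10

def sample_events():
    return [
        ClipEvent(0.0, "user", USER_BTC),      # user copies their own address
        ClipEvent(0.5, "poll", SWAPPED_BTC),   # clipboard now holds a different address
        ClipEvent(3.0, "user", "meeting notes"),
        ClipEvent(10.0, "user", USER_ETH),
        ClipEvent(10.3, "poll", USER_ETH),     # unchanged: benign
    ]

if __name__ == "__main__":
    for t, copied, replacement, kind in find_substitutions(sample_events()):
        print(f"t={t}s {kind} address swapped: {copied} -> {replacement}")
```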
How the Attack Works
When victims click the download link, they receive a ZIP file containing a password-protected archive. A text file provides the password to open the archive. However, the archive holds malicious files that trigger infection.
The malware is designed to scan the system for previous installations and antivirus presence. The infected device then sends system details like IP addresses and usernames via Telegram. The malware also deletes itself if it detects antivirus software on the machine.
Deceptive Web Page and File Tricks
The malicious SourceForge page closely copies details from the legitimate “Office-Addin-Scripts” project on GitHub. The fake page displays office add-ins and clear download buttons to lure victims.
Search engines index this page, so users searching for Office add-ins may find it. Some files within the download are suspiciously small, raising red flags. Other files are padded with extra junk to trick users into thinking the software is genuine.
Impact and Regional Targeting
Kaspersky’s report states that more than 4,600 systems have encountered this scheme so far. Most of the affected systems belong to users based in Russia. The malware employs a Russian interface and targets Russian-speaking users predominantly.
The attackers appear to focus on areas with high interest in crypto investments. The distribution method relies on mimicking a trusted source and deceiving even cautious users.
Malware’s Multiple Threats
Although the attack aims primarily at deploying a crypto miner and the ClipBanker malware, the attackers may have further plans. They might later sell the access they gain to even more dangerous groups.
This approach presents a twofold threat to unsuspecting victims. The method also reflects a long-standing tactic where hackers disguise malware as pirated software.
Experts warn that unauthorized software downloads always carry significant risks. Users are urged to only download applications from verified, trusted sources.
Safety Measures and Expert Warnings
Kaspersky urges users to avoid downloading software from untrusted sites or alternative sources. Research shows that attackers often use pirated software to hide malicious content.
Even experienced users may fall for the disguised trap if extra care is not taken. Cybersecurity experts advise confirming the authenticity of any software before downloading.
It is also wise to use reliable antivirus programs that check file integrity. This reminder comes as many companies warn against similar scams across the world.
The fake Office extension campaign stands as another reminder to exercise caution when downloading software. Authorities and cybersecurity experts agree that vigilance is essential in today’s digital environment.