Widely used software hosting service SourceForge has been tapped by threat actors to promote pirated software that spreads cryptocurrency mining and clipper malware, also known as ClipBankers, as part of a campaign that has already hit 4,604 users from January to March, most of whom are in Russia, The Hacker News reports.
Among the malicious projects on SourceForge is "officepackage," which bundles Microsoft Office add-ins copied from a legitimate GitHub project and presents a download button that shows a seemingly proper URL but, when clicked, redirects to another site with a separate download button, according to a Kaspersky analysis. Clicking that button triggers the download of a ZIP archive containing another ZIP archive and a text file holding the credentials needed to open it. Unlocking the inner ZIP archive then leads to the deployment of the cryptominer and the ClipBanker payload, along with a netcat executable used for remote server communications. "While the attack primarily targets cryptocurrency by deploying a miner and ClipBanker, the attackers could sell system access to more dangerous actors," said Kaspersky.
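The delivery pattern described above (an archive that carries a second, password-locked ZIP plus a small text file with the password) is easy to flag at a mail or download gateway. The following triage heuristic is an added example, not code from the report or from Kaspersky; the sample archive it builds is constructed with dummy content and the file names in it are assumptions.

```python
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"  # local file header signature of a ZIP entry


def triage_archive(data: bytes) -> dict:
    """Inspect a ZIP given as bytes for a nested ZIP plus a small text file.
    Heuristic only: it reports structure, it does not classify content."""
    result = {"nested_zips": [], "text_files": [],
              "encrypted_outer_entries": 0, "encrypted_inner_entries": 0}
    with zipfile.ZipFile(io.BytesIO(data)) as outer:
        for info in outer.infolist():
            if info.is_dir():
                continue
            # bit 0 of the general-purpose flag marks an encrypted entry;
            # such entries cannot be read without the password, so only count them
            if info.flag_bits & 0x1:
                result["encrypted_outer_entries"] += 1
                continue
            payload = outer.read(info.filename)
            if payload.startswith(ZIP_MAGIC) or info.filename.lower().endswith(".zip"):
                result["nested_zips"].append(info.filename)
                try:
                    with zipfile.ZipFile(io.BytesIO(payload)) as inner:
                        result["encrypted_inner_entries"] += sum(
                            1 for i in inner.infolist() if i.flag_bits & 0x1)
                except zipfile.BadZipFile:
                    pass  # a .zip name that is not a valid archive
            elif info.filename.lower().endswith(".txt") and info.file_size < 256:
                result["text_files"].append(info.filename)
    # the combination (nested archive + tiny text file) is what warrants a closer look
    result["suspicious"] = bool(result["nested_zips"]) and bool(result["text_files"])
    return result


def build_sample() -> bytes:
    """Constructed sample: dummy content laid out like the nested archive (no real binary)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("installer.exe", b"placeholder bytes, not a real executable")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("package.zip", inner.getvalue())   # assumed inner archive name
        z.writestr("password.txt", b"constructed-placeholder")  # assumed text file name
    return outer.getvalue()


if __name__ == "__main__":
    print(triage_archive(build_sample()))
```

Python's zipfile cannot write encrypted entries, so the constructed sample reports zero encrypted entries; a real archive of the kind described would raise the inner count.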