
Fake Microsoft Office Add-Ins Targeting Crypto Transactions


Attackers are leveraging SourceForge to distribute fraudulent Microsoft Office add-ins that install malware on victims' PCs to mine and siphon cryptocurrency.

SourceForge.net is a legitimate software hosting and distribution platform that also offers version control, issue tracking, and dedicated forums/wikis, making it a popular choice among open-source project communities. 

Although its open project submission methodology allows for lots of abuse, malware is rarely disseminated through it. The novel campaign discovered by Kaspersky has affected approximately 4,604 systems, the majority of which are in Russia. While the malicious project is no longer available on SourceForge, Kaspersky claims it was indexed by search engines, resulting in traffic from visitors searching for "office add-ins" or something similar.

Fraudulent office add-ins

The "officepackage" project poses as a set of development tools for Office Add-ins, and its files and description are a replica of the official Microsoft project "Office-Addin-Scripts," which is accessible on GitHub. 

However, when people search for office add-ins on Google (and other engines), they are directed to "officepackage.sourceforge.io," which is powered by a distinct web hosting service provided by SourceForge to project owners.

That page displays "Office Add-ins" and "Download" buttons, just as a genuine developer tool page would. If either is clicked, the victim receives a ZIP file containing a password-protected package (installer.zip) and a text file holding the password.

The archive contains an MSI file (installer.msi) that has been inflated to 700MB in size to avoid antivirus scans. When it runs, it deletes 'UnRAR.exe' and '51654.rar' and launches a Visual Basic script that downloads a batch script (confvk.bat) from GitHub. 

The script first checks to see if it is running in a simulated environment and what antivirus products are active, before downloading another batch script (confvz.bat) and unpacking the RAR package. 

The confvz.bat script establishes persistence through Registry changes and the addition of Windows services. The RAR file includes the AutoIT interpreter (Input.exe), the Netcat reverse shell program (ShellExperienceHost.exe), and two payloads (Icon.dll and Kape.dll). 

The DLL files include a cryptocurrency miner and a clipper. The first uses the machine's CPU capacity to mine bitcoin for the attacker's account, while the second scans the clipboard for copied cryptocurrency addresses and replaces them with attacker-controlled ones. 

The attacker also receives information from the infected device via Telegram API calls and can use the same channel to deliver further payloads to the compromised machine. This campaign is another example of threat actors using a legitimate site to lend themselves bogus credibility and circumvent security measures.

This New Malware Redirects Cryptocurrency Payments to Wallets Controlled by the Attacker


Clipper malware is software that, once installed on a computer, continuously scans the contents of the user's clipboard for cryptocurrency wallet addresses. If the user copies a wallet address and pastes it somewhere, it gets substituted with the cybercriminal's address.

As a result, if an unknowing user uses any interface to transfer a cryptocurrency payment to a wallet, which is often done by copying and pasting a valid destination wallet, the legitimate wallet is substituted with the fake one. Clipper malware is not a new issue, but it is unknown to the majority of individuals and businesses. 

The first clipper malware surfaced on Windows operating systems in 2017. In 2019, the same kind of malware was also discovered on the Google Play Store. Clipper attacks are effective because of the length of cryptocurrency wallet addresses: people who transfer cryptocurrency from one wallet to another seldom double-check that the pasted result matches the address given by the genuine recipient. Cyble researchers examined a new clipper malware, termed Keona Clipper by its developer.

The malware is offered as a service for $49 per month. Keona Clipper is written in the .NET programming language and is protected by Confuser 1.x. This tool protects .NET applications by renaming symbols, obfuscating control flow, encrypting constants and resources, employing anti-debugging, anti-memory-dumping and anti-tampering measures, and disabling decompilers, making reverse engineering more difficult.

Since May 2022, Cyble researchers have identified over 90 distinct Keona samples, demonstrating widespread deployment. The differences among those Keona samples may stem from minor code changes, or from repeated use of the Confuser protector, which generates a new binary each time a sample is produced so that security solutions relying only on file signatures cannot detect it.

Malware capabilities of Keona Clipper

Once launched, the malware uses the Telegram API to connect with an attacker-controlled Telegram bot. The malware's initial contact with the bot includes a message written in Russian that translates as "clipper has started on the computer" and the username of the user whose account is utilised by the malware. 

The malware also ensures that it keeps running, even after the system is restarted. To guarantee persistence, it copies itself to several locations, including the Administrative Tools folder and the Startup folder, and adds autostart entries to the Windows registry so that it is launched on every reboot. Keona Clipper then quietly monitors clipboard activity and checks for cryptocurrency wallet addresses using regular expressions.

BTC, ETH, LTC, XMR, XLM, XRP, NEC, BCH, ZCASH, BNB, DASH, DOGE, USDT TRC20, and ADA coins are among the cryptocurrencies that Keona Clipper can steal. If a wallet is discovered, it is instantly replaced in the clipboard with a wallet address supplied by the threat actor. 
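The clipboard substitution described above, for both the "officepackage" clipper and Keona, has a recognisable signature on the endpoint: a wallet address lands in the clipboard and, fractions of a second later and without any user action, is replaced by a different address of the same coin type. The following is an added example of detection logic over a clipboard event history; it is not code from Kaspersky, Cyble or the malware. It assumes an endpoint agent records each clipboard change with a timestamp and the id of the process that wrote it (the event list below is constructed to stand in for such a log), and the address strings in it are made up and only match the address shapes, not real wallets.

```python
"""Detecting clipper-style clipboard hijacking from a clipboard event history.

Added example; not code from Kaspersky, Cyble or the malware. It assumes an
endpoint agent records every clipboard change as (timestamp, text, writer
process id). The event log below is constructed and the addresses in it are
made-up strings that only match the address shapes.
"""
import re
from dataclasses import dataclass

# Shape-only patterns for some of the coin families the post lists. They say
# "this looks like a BTC/ETH/... address"; they do not validate checksums.
ADDRESS_PATTERNS = {
    "BTC": re.compile(r"^(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[02-9ac-hj-np-z]{25,59})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "LTC": re.compile(r"^(?:[LM][1-9A-HJ-NP-Za-km-z]{26,33}|ltc1[02-9ac-hj-np-z]{25,59})$"),
    "XMR": re.compile(r"^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$"),
    "DOGE": re.compile(r"^D[5-9A-HJ-NP-U][1-9A-HJ-NP-Za-km-z]{32}$"),
}


@dataclass(frozen=True)
class ClipboardEvent:
    ts: float        # seconds; when the clipboard content changed
    text: str        # new clipboard content
    writer_pid: int  # process that set the content (0 = unknown)


def classify_address(text):
    """Return the coin family whose address shape `text` matches, else None."""
    candidate = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(candidate):
            return coin
    return None


def detect_clipboard_swaps(events, max_gap_seconds=2.0):
    """Flag the clipper signature: an address in the clipboard is replaced by a
    *different* address of the same coin family within a short window.

    A user deliberately re-copying another address within the window would also
    trip this, so the writer process is kept to let an analyst tell them apart.
    """
    alerts = []
    for prev, cur in zip(events, events[1:]):
        coin = classify_address(prev.text)
        if coin is None or classify_address(cur.text) != coin:
            continue
        if prev.text.strip() == cur.text.strip():
            continue  # same address copied again, not a swap
        if cur.ts - prev.ts > max_gap_seconds:
            continue  # too slow to be an automatic substitution
        alerts.append({
            "coin": coin,
            "original": prev.text.strip(),
            "replacement": cur.text.strip(),
            "delay": round(cur.ts - prev.ts, 3),
            # A writer other than the process that did the copy is the strongest
            # signal; 0 means the agent could not attribute the write.
            "writer_changed": cur.writer_pid not in (0, prev.writer_pid),
        })
    return alerts


# Constructed clipboard history. PID 4100 stands for the user's browser and
# PID 7733 for an unattributed background process; no address here is real.
SAMPLE_EVENTS = [
    ClipboardEvent(100.0, "1AbcDefGhJkMnPqRsTuVwXyZ23456789ab", 4100),  # seller's BTC address copied
    ClipboardEvent(100.4, "3ZyxWvuTsrQpNmKjHgFeDcBa98765432zy", 7733),  # silently replaced
    ClipboardEvent(130.0, "invoice #4471 due Friday", 4100),
    ClipboardEvent(131.0, "0xabcdef0123456789abcdef0123456789abcdef01", 4100),
    ClipboardEvent(131.3, "0x" + "1" * 40, 7733),                        # silently replaced
    ClipboardEvent(200.0, "1AbcDefGhJkMnPqRsTuVwXyZ23456789ab", 4100),
    ClipboardEvent(260.0, "1ZzzYyyXxxWwwVvvUuuTttSssRrrQqqPpp", 4100),  # deliberate copy a minute later
]

if __name__ == "__main__":
    for alert in detect_clipboard_swaps(SAMPLE_EVENTS):
        print(f"[{alert['coin']}] {alert['original']} -> {alert['replacement']} "
              f"after {alert['delay']}s, writer changed: {alert['writer_changed']}")
```

The same two-event comparison is also the user-side check the post recommends: before sending, compare the address that was actually pasted with the one the recipient gave, character by character rather than by its first and last few symbols, since a clipper picks a replacement of the same coin family and length.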

How can one defend oneself against this danger?

Every bitcoin payment should be thoroughly scrutinised. Users should visually verify the wallet used as the transaction's destination by comparing what was actually pasted with the address given by the seller. Private keys and wallet seeds should never be stored insecurely on any device; if feasible, keep them encrypted on a separate storage device or in a physical hardware wallet.

Security solutions capable of detecting this threat should be deployed. The initial propagation vector for Keona is not known, but it is believed to have been delivered by email, so email-based protection must be in place. Users should also be made more aware of email fraud and phishing.

Finally, the operating system and all software running on it should be kept up to date and patched at all times. If the malware is dropped and executed on the system via a commonly exploited vulnerability, a patched system will almost certainly stop it.