
Fake Microsoft Office Add-Ins Targeting Crypto Transactions


Attackers are abusing SourceForge to distribute a fraudulent Microsoft Office add-in project that installs malware on victims' PCs to mine and steal cryptocurrency.

SourceForge.net is a legitimate software hosting and distribution platform that also offers version control, issue tracking, and dedicated forums/wikis, making it a popular choice among open-source project communities. 

Although its open project-submission model invites abuse, malware is rarely distributed through it. The campaign, discovered by Kaspersky, has affected approximately 4,604 systems, most of them in Russia. The malicious project has since been removed from SourceForge, but Kaspersky reports that it had been indexed by search engines, so it drew visitors who searched for "office add-ins" or similar terms.

Fraudulent office add-ins

The "officepackage" project poses as a set of development tools for Office Add-ins, and its files and description are a replica of the official Microsoft project "Office-Addin-Scripts," which is accessible on GitHub. 

However, searches for office add-ins on Google (and other engines) led to "officepackage.sourceforge.io," a separate project web-hosting service that SourceForge provides to project owners.

That page shows "Office Add-ins" and "Download" buttons, just as a genuine developer tool page would. Clicking either one delivers a ZIP file containing a password-protected archive (installer.zip) and a text file holding the password.

The archive contains an MSI file (installer.msi) that has been padded to 700MB, a size many antivirus engines decline to scan. When it runs, it drops 'UnRAR.exe' and '51654.rar' and launches a Visual Basic script that downloads a batch script (confvk.bat) from GitHub.
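Padding a binary to hundreds of megabytes works because the junk is cheap for the attacker and expensive for a scanner, but it also leaves an obvious statistical fingerprint. The script below is an added example (not code from the Kaspersky report or this post) that walks a file in fixed windows and measures the Shannon entropy of each; windows consisting of a single repeated byte score near zero, so a file that is mostly filler stands out. The thresholds, the window size, and the two sample files it builds (a random "clean" head with and without zero padding, kept small so it runs in seconds) are assumptions made for illustration.

```python
"""Inflated-installer check.  Added example, not code from the Kaspersky
report or the blog post.  Entropy thresholds and sample files are assumptions
chosen for illustration; the real installer was padded to roughly 700 MB.
"""
from __future__ import annotations

import math
import os
import tempfile
from collections import Counter
from typing import Optional, Tuple

WINDOW = 64 * 1024        # bytes per analysis window
LOW_ENTROPY = 1.0         # assumption: < 1 bit/byte is padding, not code or data
SUSPECT_FRACTION = 0.5    # assumption: flag when half the file or more is padding


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a single repeated value, ~8.0 for random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def padding_profile(path: str) -> dict:
    """Score a file by the share of near-zero-entropy windows it contains."""
    total = padded = 0
    with open(path, "rb") as f:
        while chunk := f.read(WINDOW):
            total += 1
            if shannon_entropy(chunk) < LOW_ENTROPY:
                padded += 1
    fraction = padded / total if total else 0.0
    return {
        "size": os.path.getsize(path),
        "windows": total,
        "padded_windows": padded,
        "padded_fraction": round(fraction, 3),
        "inflated": fraction >= SUSPECT_FRACTION,
    }


def build_samples(tmpdir: Optional[str] = None) -> Tuple[str, str]:
    """Constructed inputs (not real malware): a 'clean' file of random bytes and
    an 'inflated' file with the same random head followed by null padding."""
    tmpdir = tmpdir or tempfile.mkdtemp(prefix="padcheck_")
    head = os.urandom(4 * WINDOW)              # stands in for the real MSI content
    clean = os.path.join(tmpdir, "clean.msi")
    inflated = os.path.join(tmpdir, "installer.msi")
    with open(clean, "wb") as f:
        f.write(head)
    with open(inflated, "wb") as f:
        f.write(head)
        f.write(b"\x00" * (64 * WINDOW))       # 4 MiB of zero padding
    return clean, inflated


if __name__ == "__main__":
    for sample in build_samples():
        print(sample, padding_profile(sample))
```

A windowed entropy walk scales to a 700 MB file without loading it into memory, and the same profile can be fed into a triage rule such as "PE/MSI over N MB with more than half low-entropy windows" rather than relying on a size cap that the padding was built to exceed.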

That script first checks whether it is running in a virtual machine or sandbox and which antivirus products are active, then downloads another batch script (confvz.bat) and unpacks the RAR archive.

The confvz.bat script establishes persistence through Registry changes and newly created Windows services. The RAR archive holds the AutoIt interpreter (Input.exe), a Netcat reverse-shell binary (ShellExperienceHost.exe, named to resemble a legitimate Windows component), and two payloads (Icon.dll and Kape.dll).

The DLL files carry a cryptocurrency miner and a clipper. The first uses the machine's CPU to mine cryptocurrency for the attacker's account; the second watches the clipboard for copied cryptocurrency wallet addresses and replaces them with attacker-controlled ones, so a victim who pastes an address into a transaction sends funds to the attacker.
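A clipper does nothing until the user copies a wallet address, then overwrites the clipboard with an attacker address of the same format. The detectable trace is therefore a clipboard rewrite, by a different process, that preserves the address shape but changes the value. The code below is an added example (not code from the Kaspersky report or this post) that runs that rule over a constructed feed of clipboard snapshots; the address patterns are shape-only (no checksum validation), the process names and timing window are assumptions, and the addresses are made up to fit the patterns.

```python
"""Clipboard-swap detector.  Added example, not code from the Kaspersky
report or the blog post.  Events, addresses, process names and the timing
window are constructed assumptions for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption: shape-only patterns for the two address formats clippers target most.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,62})"),
    "eth": re.compile(r"0x[0-9a-fA-F]{40}"),
}
SWAP_WINDOW = 2.0   # assumption: a clipper rewrites within a couple of seconds


def address_kind(text: str) -> Optional[str]:
    """Return which address format the whole clipboard text matches, if any."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(text):
            return kind
    return None


@dataclass
class ClipEvent:
    ts: float      # seconds since monitoring began
    text: str      # clipboard contents after the change
    owner: str     # process that wrote it (on Windows a monitor would resolve this
                   # from GetClipboardOwner; assumed already resolved here)


def detect_swaps(events: List[ClipEvent], window: float = SWAP_WINDOW) -> List[Dict]:
    """Flag a rewrite that replaces an address with a different address of the
    same kind, written by a different process, within `window` seconds."""
    alerts = []
    for prev, cur in zip(events, events[1:]):
        kind = address_kind(prev.text)
        if (kind is not None
                and address_kind(cur.text) == kind
                and cur.text.strip() != prev.text.strip()
                and cur.owner != prev.owner
                and cur.ts - prev.ts <= window):
            alerts.append({"ts": cur.ts, "kind": kind, "original": prev.text,
                           "replacement": cur.text, "owner": cur.owner})
    return alerts


# Constructed addresses: right shape, not real wallets.
USER_BTC = "1ABCDEFGHJKLMNPQRSTUVWXYZabcdefgh"
SWAPPED_BTC = "1zyxwvutsrqpnmkjhgfedcbaZYXWVUTSRQ"
USER_ETH = "0x" + "ab" * 20
OTHER_ETH = "0x" + "cd" * 20

# Constructed clipboard feed; owner names are assumptions.
SAMPLE_EVENTS = [
    ClipEvent(0.0, USER_BTC, "wallet.exe"),       # user copies their own address
    ClipEvent(0.3, SWAPPED_BTC, "unknown.exe"),   # rewritten by another process: clipper
    ClipEvent(5.0, "meeting notes", "notepad.exe"),
    ClipEvent(9.0, USER_ETH, "wallet.exe"),
    ClipEvent(9.5, OTHER_ETH, "wallet.exe"),      # second copy by the same app: no alert
    ClipEvent(20.0, USER_ETH, "browser.exe"),     # different owner, but far outside the window
]


if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_EVENTS):
        print(alert)
```

On a live Windows host the event list would come from a clipboard listener (AddClipboardFormatListener and WM_CLIPBOARDUPDATE), with the owner resolved per change; the point of the rule is that a legitimate second copy comes from the same application the user is working in, while a clipper's rewrite comes from a process the user never touched.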

The attacker also receives system information from the infected device via Telegram API calls and can push further payloads to the compromised machine over the same channel. The campaign is another example of threat actors abusing a legitimate site to borrow its credibility and bypass security controls.