Attackers Exploit SourceForge Software Hosting Platform to Deliver Malware

Cybercriminals have devised a sophisticated scheme exploiting SourceForge, a popular software hosting platform, to distribute malicious software disguised as legitimate office applications.

The attack leverages the platform’s feature that automatically assigns sourceforge.io domains to projects, creating convincing facades for malware distribution campaigns that primarily target Russian-speaking users.

The attackers created a project called “officepackage” on sourceforge.net containing seemingly harmless Microsoft Office add-ins copied from a legitimate GitHub project.

However, when users visit the corresponding officepackage.sourceforge.io domain, they encounter a different interface displaying a long list of office applications with download buttons.

These buttons redirect to what appears to be a legitimate SourceForge download URL (loading.sourceforge.io/download), further enhancing the deception.

Securelist researchers noted that clicking these buttons ultimately downloads a compressed archive (vinstaller.zip) of approximately 7 megabytes.

Contents of vinstaller.zip (Source – Securelist)

This small size should immediately raise suspicions, as legitimate office applications typically require significantly more storage space, even when compressed.

The malware distributors employ multiple layers of deception throughout the infection chain.

The infection chain – from searching for office software to downloading an installer (Source – Securelist)

The initial download contains a password-protected archive, with the password conveniently provided in an accompanying text file.

This technique often bypasses security solutions that cannot scan password-protected archives. Once extracted, users find an installer.msi file artificially inflated to over 700 megabytes using null-byte padding to create the illusion of a legitimate software package.
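One defensive check for the null-byte inflation described above, added here as an example rather than taken from the Securelist report: measure how much of a file's tail is zero padding before trusting its size. The sample files and thresholds are constructed for illustration.

```python
import os
import tempfile

CHUNK = 1 << 20  # read the file tail backwards in 1 MiB steps

def measure_trailing_nulls(path: str) -> tuple[int, int]:
    """Return (file_size, count of 0x00 bytes at the end of the file).

    Reads backwards from the end, so a 700 MB installer is never loaded into
    memory; scanning stops at the first chunk that holds a non-null byte.
    """
    size = os.path.getsize(path)
    nulls = 0
    with open(path, "rb") as fh:
        pos = size
        while pos > 0:
            step = min(CHUNK, pos)
            pos -= step
            fh.seek(pos)
            chunk = fh.read(step)
            stripped = chunk.rstrip(b"\x00")
            nulls += len(chunk) - len(stripped)
            if stripped:
                break
    return size, nulls

def is_suspiciously_padded(size: int, nulls: int,
                           min_nulls: int = 1 << 20, min_ratio: float = 0.5) -> bool:
    """Flag a file whose tail is mostly null padding. The thresholds are
    hypothetical starting points; tune them to your own file population."""
    return size > 0 and nulls >= min_nulls and nulls / size >= min_ratio

def run_demo() -> dict:
    """Write two constructed samples (not real malware) and classify them."""
    cfb_magic = b"\xd0\xcf\x11\xe0"  # OLE compound-file header that MSI files start with
    samples = {
        "padded.msi": cfb_magic + b"installer" + b"\x00" * (4 << 20),  # tail is nulls
        "clean.msi": cfb_magic + b"\x41" * (4 << 20),  # same size class, real bytes
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(data)
            size, nulls = measure_trailing_nulls(path)
            results[name] = {"size": size, "trailing_nulls": nulls,
                             "suspicious": is_suspiciously_padded(size, nulls)}
    return results
```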

Complex Infection Mechanism

The infection process involves numerous stages designed to evade detection. When executed, the installer extracts several files including UnRAR.exe and a password-protected archive (51654.rar).

Infection chain (Source – Securelist)

The malware then executes an embedded Visual Basic script that downloads a batch file (confvk) from GitHub containing the archive password. This batch file performs anti-analysis checks, searching for security software, virtual environments, and research tools. The batch file begins by setting a Telegram bot token and chat ID:

rem Excerpt from the confvk batch file as published in the Securelist report
rem Switch the console code page to UTF-8 and silence the output
chcp 65001 >nul
setlocal EnableDelayedExpansion
rem Telegram bot token and chat ID hard-coded in the script (values as published)
set "TOKEN=7604003483:AAGGIo6lbNlshSjnvsGlw7OmBjLBc4r55FA"
set "CHAT_ID=5674938532"
rem Default values for the host's IP address and country
set "IP=Unknown"
set "Country=Unknown"

Once unpacked, the malware establishes multiple persistence mechanisms, including Windows services, registry modifications, and scheduled tasks.

The final payload consists of two malicious components: a cryptocurrency miner and a ClipBanker Trojan that replaces cryptocurrency wallet addresses in users’ clipboards with the attackers’ own addresses, effectively hijacking transactions without the victims’ knowledge.
