Cryptocurrency Users Targeted by Malware on SourceForge
Cybercriminals have been exploiting SourceForge, a well-known open-source software platform, to target cryptocurrency users with malicious software disguised as legitimate Microsoft Office add-ins. This campaign, identified by security experts at Kaspersky, involves the distribution of fake tools that install malware on victims' computers, primarily affecting users in Russia.
The malicious software, known as ClipBanker, operates by monitoring the computer's clipboard. When a user copies a cryptocurrency wallet address, ClipBanker replaces it with an address controlled by the attacker. If the user proceeds with the transaction without noticing the change, their funds are redirected to the hacker's wallet. This method of address swapping is particularly insidious as it exploits the trust users place in copied information.
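The swap described above leaves a recognisable trace: the clipboard holds one wallet address after the user copies it and a different address of the same format moments later, with no further copy action. The following detector, written for this article as an added example (it is not Kaspersky's code or ClipBanker's), walks a constructed stream of clipboard events and flags that pattern; it assumes the monitoring layer can label each change as a user copy or an unattended system change, and the address patterns are loose syntactic checks rather than checksum validation.

```python
import re
from dataclasses import dataclass

# Loose syntactic patterns (constructed for this example, no checksum check)
# for the address families an address-swapping trojan targets.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{6,87}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def address_family(text):
    """Return the name of the address family `text` looks like, or None."""
    text = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return name
    return None

@dataclass
class ClipboardEvent:
    origin: str   # "user" for an explicit copy, "system" for an unattended change
    content: str

def detect_swaps(events):
    """Return (copied, replaced_with) pairs that look like a clipboard swap.

    Flagged when the clipboard changes without a user copy, the last user copy
    and the new content are addresses of the same family, and they differ.
    """
    alerts = []
    last_user_copy = None
    for event in events:
        family = address_family(event.content)
        if event.origin == "user":
            last_user_copy = event.content.strip() if family else None  # track only addresses
            continue
        if (last_user_copy is not None and family is not None
                and family == address_family(last_user_copy)
                and event.content.strip() != last_user_copy):
            alerts.append((last_user_copy, event.content.strip()))
    return alerts

# Constructed sample: the user copies an address and something silently rewrites it.
SAMPLE_EVENTS = [
    ClipboardEvent("user", "0x" + "a" * 40),
    ClipboardEvent("system", "0x" + "b" * 40),  # unattended change -> alert
    ClipboardEvent("user", "meeting notes"),     # not an address, not tracked
    ClipboardEvent("system", "0x" + "c" * 40),  # no tracked copy -> ignored
]
```

The same comparison, applied once at send time between the address the user intended and the one actually pasted into the wallet, is the manual check the article recommends.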
The fake add-ins are hosted on SourceForge and are designed to appear legitimate, complete with real-looking buttons and Office files. This deception allows them to show up in search results and appear trustworthy to unsuspecting users. Kaspersky noted that some of these files are unusually small, which can serve as a warning sign, as genuine Office add-ins are typically much larger, even when compressed.
Once installed, ClipBanker can gather detailed information about the infected device, including the IP address, country, and username, and send this data to the attacker via Telegram. The malware also checks for the presence of antivirus software and may remove itself if detected, making it difficult to trace. In some instances, ClipBanker installs a cryptocurrency miner, using the victim's device to generate digital coins for the attackers. Kaspersky warns that the access gained through this attack could be sold to other malicious actors for further exploitation.
The campaign appears to be primarily targeting Russian users, with the interface of the fake add-ins being in Russian and approximately 90% of affected users located in Russia. This geographic focus suggests a targeted approach by the attackers, leveraging the familiarity and trust users have with SourceForge and Microsoft Office products.
The discovery of this malware campaign highlights the ongoing threat posed by cybercriminals to cryptocurrency users. As the popularity of digital currencies continues to grow, so too does the sophistication of attacks aimed at stealing funds. Users are advised to exercise caution when downloading software from third-party sites and to verify the authenticity of any add-ins or tools before installation. Additionally, keeping antivirus software up to date and being vigilant about unusual file sizes can help mitigate the risk of falling victim to such attacks.
