Full Report
Threat actors are abusing SourceForge to distribute fake Microsoft add-ins that install malware on victims' computers to both mine and steal cryptocurrency. [...]
Analysis Summary
# Main Topic
Threat actors are exploiting the SourceForge platform, specifically using project pages, to distribute fake Microsoft Office add-in tools. These tools install multi-stage malware designed to steal cryptocurrency via clipboard hijacking and conduct background cryptocurrency mining.
## Key Points
- The malware is hosted on a SourceForge project page that mimics legitimate developer tools, using seemingly official "Office Add-ins" and "Download" buttons to lure victims.
- The initial download is a password-protected ZIP archive (`installer.zip`) containing an MSI installer, intentionally inflated to 700MB to evade standard Antivirus (AV) scanning.
- The infection chain involves a Visual Basic script fetching subsequent components (batch scripts and a RAR archive) from GitHub.
- The final stages involve deploying a cryptocurrency clipper (stealing addresses from the clipboard) and a cryptocurrency miner.
- Attackers maintain command and control/exfiltration via Telegram API calls.
## Threat Actors
- Attribution is not explicitly provided in the context.
- The activity is characterized as threat actors exploiting legitimate platforms (SourceForge) to gain false legitimacy for financial gain.
- Motivation is clearly financial, tied to cryptocurrency theft and mining.
## TTPs
- **Distribution Channel:** Abuse of SourceForge project pages for hosting malware distribution infrastructure.
- **Evasion:** Inflating the MSI installer file size (700MB) to bypass AV detection.
- **Initial Execution:** Dropping 'UnRAR.exe' and '51654.rar' via the MSI, followed by execution of a VBScript.
- **Staging/Payload Retrieval:** Fetching secondary batch scripts (e.g., `confvk.bat`, `confvz.bat`) from GitHub.
- **Defense Evasion:** The initial batch script performs checks to identify simulated environments (sandboxes) and active AV products.
- **Persistence:** Establishing persistence on the compromised system through Registry modifications and the addition of Windows services.
- **Payloads Delivered:**
- AutoIT interpreter (`Input.exe`).
- Netcat reverse shell (`ShellExperienceHost.exe`).
- Cryptocurrency Clipper (`Icon.dll`).
- Cryptocurrency Miner (`Kape.dll`).
- **C2/Exfiltration:** Utilizing Telegram API calls for receiving system information and potentially deploying further payloads.
## Affected Systems
- Windows operating systems (implied by the nature of the installer, scripts, and persistence mechanisms used).
- Users searching for or downloading Microsoft Office add-ins from non-verified sources listed on SourceForge.
## Mitigations
- **Source Verification:** Download software only from trusted publishers who can be verified.
- **Official Channels:** Prefer official project channels (e.g., [hxxps://github[.]com/OfficeDev/Office-Addin-Scripts] for official add-in/developer tools).
- **Scanning:** Scan all downloaded files, especially archives and installers, with up-to-date AV tools before execution, regardless of file size.
- **Monitoring:** Monitor for unusual network activity, particularly outbound connections to Telegram APIs, and watch for new, unexpected Windows services or Registry modifications related to persistence.
## Conclusion
This campaign demonstrates a sophisticated, multi-stage attack leveraging the perceived reputation of SourceForge to distribute highly targeted financial malware. The use of file inflation for AV evasion, combined with GitHub as a staging area and Telegram for C2, presents a complex challenge. Organizations and end-users must adhere strictly to verified software sources, especially when dealing with potentially large bundled installers.