Attackers exploit SourceForge to hide cryptocurrency miners in Microsoft Office packages

Cybercriminals are abusing SourceForge project pages to distribute fake Microsoft Office add-ins that bundle cryptocurrency-mining tools inside protected archives.
The newly discovered malware campaign turns SourceForge's infrastructure into a delivery platform, abusing the developer-friendly hosting to trick users into downloading crypto-stealing malware.
According to Kaspersky researchers, the scheme targets users by disguising malicious programs as Office-related add-ins, using bloated installers, password-protected archives, and layers of obfuscation that ultimately deliver a cryptocurrency miner and a ClipBanker that hijacks cryptocurrency transactions.
In a blog post published April 8, the researchers said the attackers created a fake project on SourceForge called "OfficePackage", built to look like a set of Microsoft Office add-ins copied from GitHub. Although the project page itself looked legitimate, the real trap was the automatically generated site "OfficePacking.sourceforge.io", the researchers noted. Search engines such as Russia's Yandex indexed it, and when users visited the page they saw a fake list of Office applications with download buttons that started the malware infection.
Clicking the fake download links routes users through several redirects before delivering a small ZIP file. Once unpacked, however, it expands to a 700MB installer.
When launched, the installer uses hidden scripts to fetch more files from GitHub, ultimately dropping malware that checks for antivirus tools before running. If none are found, it installs tools such as AutoIt and NetCat; one script sends system information to a bot, the researchers say, while another ensures the crypto-stealing malware persists on the system.
Kaspersky says 90% of affected users appear to be in Russia, with more than 4,600 visits between January and March. While the campaign primarily aims to steal cryptocurrency, the researchers warn that infected machines may also be sold on to other threat actors.