In recent weeks, a new cyber threat has emerged that exploits SourceForge, a popular platform for hosting and distributing open-source software. Attackers have been using this platform to distribute fake Microsoft Office add-ins, which, once installed, not only steal cryptocurrencies but also hijack computer resources to mine them. In this article, we’ll explore how these malicious campaigns work, their implications, and how users can protect themselves from falling victim to them.
The Threat
SourceForge is a well-known platform where developers can share open-source software and tools, but recently, it has become a target for cybercriminals. A campaign discovered by Kaspersky has impacted over 4,600 systems, most of which are located in Russia. The attack revolves around a fake Microsoft Office add-in that pretends to be an official development tool for Office add-ins, but in reality, it contains malware designed to mine cryptocurrencies and steal them.
The malicious project, named “officepackage,” appears to be a legitimate tool set for Office Add-in development. Its description and files mirror the legitimate “Office-Addin-Scripts” project available on GitHub. Instead of offering useful development tools, however, it lures victims by mimicking official Microsoft software and leads them to a ZIP archive containing malware.
When users download and run the installer, it initiates a chain of events that deploys a range of malicious tools on their computers. These tools include cryptocurrency mining software, a clipboard hijacker (known as a clipper), and a reverse shell to allow attackers to control the infected system remotely. Furthermore, the malware establishes persistence by modifying system settings, ensuring the attack remains active even after a reboot.
Though the malicious project has since been removed from SourceForge, it had already been indexed by search engines, meaning unsuspecting users searching for “Office add-ins” might still encounter the malicious link. The fake add-ins were distributed via a compromised SourceForge project page, which closely resembled a legitimate developer tool page.
What Undercode Says:
This attack underscores the growing sophistication of cybercriminals in leveraging trusted platforms to distribute malware. SourceForge, traditionally seen as a safe space for developers and open-source enthusiasts, has now been tarnished by this incident. The attackers are taking advantage of the platform’s open submission model to trick unsuspecting users into downloading malicious software.
The malware’s design is multi-faceted. It not only mines cryptocurrency but also features a clipboard hijacker that replaces cryptocurrency addresses copied to the clipboard. This tactic is particularly dangerous, as cryptocurrency transactions are often irreversible, and users may not notice that their transaction details have been altered until it’s too late.
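The clipper behaviour described above is detectable on the endpoint: the user copies an address, and moments later the clipboard holds a different address of the same shape, written by a process other than the user's copy action. The following is an added example, not code from the article or from Kaspersky's report, showing the detection logic run over a constructed sequence of clipboard events. The event sources ("user_copy" and "clipboard_write"), the sample addresses and the ClipboardEvent structure are all assumptions made for the example; a real monitor would feed it events from the operating system's clipboard-change notifications.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Address shapes the check recognises: Bitcoin legacy/P2SH (base58, starts with 1 or 3),
# Bitcoin bech32 (bc1... using the bech32 charset) and Ethereum (0x + 40 hex digits).
# Other coins would need their own entry.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_kind(text: str) -> Optional[str]:
    """Return which address family `text` looks like, or None if it is not an address."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


@dataclass
class ClipboardEvent:
    seq: int
    # "user_copy": the user explicitly copied this content.
    # "clipboard_write": the clipboard changed without a user copy action (hypothetical
    # event source; a clipper writes exactly this kind of event).
    source: str
    content: str


@dataclass
class Alert:
    seq: int
    expected: str   # what the user actually copied
    observed: str   # what the clipboard now contains
    kind: str       # address family of the substituted value


def detect_clipper(events: List[ClipboardEvent]) -> List[Alert]:
    """Flag clipboard writes that replace a user-copied address with a different address.

    The user's most recent copy is the expected clipboard content. Any later write that
    was not a user copy, that changes the content, and where both old and new content look
    like cryptocurrency addresses, is reported. Identical rewrites (e.g. a clipboard
    manager re-setting the same text) and non-address content are ignored.
    """
    alerts: List[Alert] = []
    last_user_copy: Optional[str] = None
    for ev in events:
        content = ev.content.strip()
        if ev.source == "user_copy":
            last_user_copy = content
            continue
        if last_user_copy is None or content == last_user_copy:
            continue
        expected_kind = address_kind(last_user_copy)
        observed_kind = address_kind(content)
        if expected_kind is not None and observed_kind is not None:
            alerts.append(Alert(ev.seq, last_user_copy, content, observed_kind))
    return alerts


# Constructed sample data: the addresses are synthetic and belong to nobody.
ETH_A = "0x" + "ab12" * 10
ETH_B = "0x" + "ff00" * 10
BTC_A = "bc1" + "q" * 39
BTC_B = "bc1" + "p" * 39

SAMPLE_EVENTS = [
    ClipboardEvent(1, "user_copy", ETH_A),          # user copies their own address
    ClipboardEvent(2, "clipboard_write", ETH_B),    # silently replaced -> alert
    ClipboardEvent(3, "user_copy", "meeting notes"),
    ClipboardEvent(4, "clipboard_write", "meeting notes"),  # same text, benign
    ClipboardEvent(5, "user_copy", BTC_A),
    ClipboardEvent(6, "clipboard_write", BTC_A),    # identical rewrite, benign
    ClipboardEvent(7, "clipboard_write", BTC_B),    # swapped -> alert
]

if __name__ == "__main__":
    for alert in detect_clipper(SAMPLE_EVENTS):
        print(f"event {alert.seq}: {alert.kind} address swapped "
              f"{alert.expected} -> {alert.observed}")
```

The same comparison is the manual defence the article implies: before confirming an irreversible transfer, compare the pasted address character by character with the one you copied, since a clipper produces exactly the mismatch this check reports.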
Additionally, the malware contains a reverse shell that allows the attackers to maintain control over the compromised systems, potentially opening the door to further exploits or data theft. The persistence mechanisms built into the malware ensure that it will remain active on the system, even if users attempt to remove it.
This attack also highlights the risks of downloading software from unofficial or unverified sources. Despite being hosted on a platform like SourceForge, which is usually trusted, the project was designed to appear legitimate, fooling users into trusting it. This shows how cybercriminals can abuse popular platforms and project-hosting services to deliver malicious payloads, making it harder for end-users to differentiate between legitimate and fraudulent software.
As users increasingly rely on open-source projects, this attack serves as a reminder of the importance of verifying the authenticity of software before downloading it. It is critical for users to download only from trusted sources and to always use updated antivirus software to scan downloads. In this case, the legitimate GitHub repository was the safer option for users looking for Microsoft Office add-in tools, as it didn’t contain any malicious payloads.
The presence of these types of attacks suggests that future cybercrimes may increasingly target well-established platforms, making it even more essential for both developers and users to remain vigilant. Developers, in particular, should take extra care when submitting projects to popular hosting sites and monitor them for any signs of abuse.
Fact Checker Results
- The article’s claim about the abuse of SourceForge to distribute malware is consistent with recent findings by cybersecurity researchers, including Kaspersky’s report on the campaign.
- The detailed description of the
- The recommendation to only download from verified and trusted sources is sound advice and consistent with cybersecurity best practices.
References:
Reported By: www.bleepingcomputer.com