A recent investigation has uncovered a malware distribution campaign that abuses SourceForge, a widely used platform for hosting and distributing software.
The attackers use SourceForge’s project subdomain feature to build deceptive download pages, luring users into fetching malicious files disguised as legitimate software.
Exploiting SourceForge’s Subdomain System
The campaign revolves around a seemingly innocuous project named “officepackage,” hosted on SourceForge.
While the official project page on sourceforge.net mirrors legitimate Microsoft Office add-ins sourced from GitHub, the attackers use the platform’s project web hosting feature to serve a malicious clone at officepackage.sourceforge[.]io. The content of such a subdomain is controlled entirely by the project owner and need not match the project page, yet it inherits the reputation of the SourceForge domain.

According to the report, this subdomain is indexed by search engines, which raises its visibility to users searching for office software.
The malicious webpage diverges significantly from the original project, displaying an array of office applications with “Download” buttons.
Hovering over these buttons reveals URLs associated with another SourceForge project named “loading,” further obfuscating the attack’s origin.
Users who click these links are redirected through multiple pages before downloading a suspicious archive named vinstaller.zip.
Infection Chain: A Multi-Layered Approach
The downloaded vinstaller.zip archive contains a password-protected file (installer.zip) and a Readme.txt file with the password.

Inside installer.zip lies a Windows Installer file (installer.msi) inflated with junk data. The padding makes the file look like a full-size office suite installer, and oversized files of this kind also fall outside the size limits that many antivirus engines and sandboxes apply when deciding what to scan.
Once executed, this file initiates a complex infection chain:
- Execution of Embedded Scripts: The installer runs a VBScript that downloads and executes a batch file (confvk) from GitHub.
- Batch File Operations: The batch script performs system checks to evade detection, unpacks additional malicious files, and executes PowerShell scripts.
- Data Exfiltration and Malware Deployment: One PowerShell script sends system information to the attackers via Telegram, while another downloads a secondary batch file (confvz) to deploy the malware components.
The malware components include AutoIt scripts embedded in DLL files, a cryptocurrency wallet address hijacker (ClipBanker), and a cryptocurrency miner.
These components are strategically placed in system directories and configured for persistence through registry modifications, scheduled tasks, and Windows Management Instrumentation Command-line (WMIC) utilities.
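The chain described above has a recognisable shape in endpoint telemetry: an installer spawning a script host, a batch file run out of a temp directory, PowerShell reaching the Telegram API, and persistence utilities launched from the same script tree. The PowerShell below is an added example and not code from the report or from the campaign itself. It runs three such checks over a constructed set of Sysmon-style process-creation and network-connection events; every PID, path, file name and command line in the sample data is invented for the example, and only the chain shape follows the article.

```powershell
# Added example, not code from the report or the campaign: triage Sysmon-style
# telemetry for the MSI -> VBScript -> batch -> PowerShell -> Telegram chain.
# Every event below is constructed; PIDs, paths and command lines are invented.

$ProcessEvents = @(   # abridged Sysmon Event ID 1 (process creation) fields
    @{ ProcessId = 4001; ParentProcessId = 1200; Image = 'C:\Windows\System32\msiexec.exe'
       CommandLine = 'msiexec /i C:\Users\u\Downloads\installer.msi' }
    @{ ProcessId = 4002; ParentProcessId = 4001; Image = 'C:\Windows\System32\wscript.exe'
       CommandLine = 'wscript C:\Users\u\AppData\Local\Temp\inst.vbs' }
    @{ ProcessId = 4003; ParentProcessId = 4002; Image = 'C:\Windows\System32\cmd.exe'
       CommandLine = 'cmd /c C:\Users\u\AppData\Local\Temp\confvk.bat' }
    @{ ProcessId = 4004; ParentProcessId = 4003; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
       CommandLine = 'powershell -ep bypass -w hidden -f C:\Users\u\AppData\Local\Temp\s1.ps1' }
    @{ ProcessId = 4005; ParentProcessId = 4003; Image = 'C:\Windows\System32\wbem\WMIC.exe'
       CommandLine = 'wmic /namespace:"\\root\subscription" PATH __EventFilter CREATE Name="upd", EventNameSpace="root\cimv2", QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 60"' }
    @{ ProcessId = 5001; ParentProcessId = 1300; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
       CommandLine = 'powershell Get-Process' }   # benign admin use; must not fire
)
$NetworkEvents = @(   # abridged Sysmon Event ID 3 (network connection) fields
    @{ ProcessId = 4004; DestinationHostname = 'api.telegram.org'; DestinationPort = 443 }
    @{ ProcessId = 5001; DestinationHostname = 'www.microsoft.com'; DestinationPort = 443 }
)

function Get-ImageName([hashtable]$Event) {
    [System.IO.Path]::GetFileName($Event.Image).ToLower()
}

function Get-ProcessAncestry {
    # Walk ParentProcessId upward; returns image names, the process itself first.
    param([hashtable]$Event, [array]$Events)
    $chain = @(); $seen = @{}; $current = $Event
    while ($current -and -not $seen.ContainsKey($current.ProcessId)) {
        $seen[$current.ProcessId] = $true
        $chain += Get-ImageName $current
        $parentId = $current.ParentProcessId
        $current = $Events | Where-Object { $_.ProcessId -eq $parentId } | Select-Object -First 1
    }
    return $chain
}

function Find-InstallerScriptChains([array]$Events) {
    # cmd.exe / powershell.exe running a script out of %TEMP% with msiexec.exe in its ancestry
    foreach ($e in $Events) {
        if ((Get-ImageName $e) -notin 'cmd.exe','powershell.exe') { continue }
        $ancestry = @(Get-ProcessAncestry -Event $e -Events $Events)
        if ($ancestry -contains 'msiexec.exe' -and
            $e.CommandLine -match '\\AppData\\Local\\Temp\\[^ ]+\.(bat|cmd|ps1|vbs)') {
            [pscustomobject]@{ Rule = 'installer-spawned script'; ProcessId = $e.ProcessId
                               Detail = $ancestry -join ' <- ' }
        }
    }
}

function Find-TelegramExfil([array]$Processes, [array]$Connections) {
    # a script interpreter talking to the Telegram Bot API is the exfiltration step
    $scriptHosts = 'powershell.exe','cmd.exe','wscript.exe','cscript.exe'
    foreach ($n in $Connections) {
        if ($n.DestinationHostname -notmatch '(^|\.)telegram\.org$') { continue }
        $proc = $Processes | Where-Object { $_.ProcessId -eq $n.ProcessId } | Select-Object -First 1
        if ($proc -and (Get-ImageName $proc) -in $scriptHosts) {
            [pscustomobject]@{ Rule = 'script host -> Telegram API'; ProcessId = $n.ProcessId
                               Detail = "$(Get-ImageName $proc) -> $($n.DestinationHostname):$($n.DestinationPort)" }
        }
    }
}

function Find-PersistenceSetup([array]$Events) {
    # wmic / schtasks / sc / reg launched directly by a batch or PowerShell script
    foreach ($e in $Events) {
        if ((Get-ImageName $e) -notin 'wmic.exe','schtasks.exe','sc.exe','reg.exe') { continue }
        $ancestry = @(Get-ProcessAncestry -Event $e -Events $Events)
        if ($ancestry.Count -gt 1 -and $ancestry[1] -in 'cmd.exe','powershell.exe') {
            [pscustomobject]@{ Rule = 'persistence tool from script'; ProcessId = $e.ProcessId
                               Detail = $ancestry -join ' <- ' }
        }
    }
}

function Invoke-ChainTriage([array]$Processes, [array]$Connections) {
    @(Find-InstallerScriptChains $Processes) +
    @(Find-TelegramExfil $Processes $Connections) +
    @(Find-PersistenceSetup $Processes)
}

# On the sample data this yields four findings: 4003 and 4004 (installer-spawned script),
# 4004 (Telegram egress) and 4005 (wmic from cmd.exe); 5001 stays quiet.
Invoke-ChainTriage $ProcessEvents $NetworkEvents | Format-Table -AutoSize -Wrap
```

On a real host the two arrays would be filled from Get-WinEvent against the Microsoft-Windows-Sysmon/Operational log (or an EDR export) with the same field names; the ancestry walk is what makes the first and third rules hold up, since a batch file launched by a user from Explorer should not trip them, while one launched under msiexec.exe should.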
Advanced Persistence Mechanisms
The attackers employ multiple unconventional methods to ensure persistence on infected systems:
- Registry Key Manipulation: Registry keys link malicious scripts to commonly used executable names, so the script runs whenever a user or program launches that executable.
- Service Creation: Custom services are registered to autostart batch files and the AutoIt interpreter.
- WMIC Event Filters: Permanent WMI event subscriptions, created with the WMIC utility, re-run the malicious commands at regular intervals, maintaining control over the system.
- Exploitation of OS Utilities: The attack leverages Windows’ built-in Setup utility (Setup.exe) and its error-handling mechanism as additional startup methods.
These techniques demonstrate the attackers’ intent to secure long-term access to compromised systems.
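Each of the persistence locations just listed can be enumerated from an elevated PowerShell session. The script below is an added example, not code from the report: it collects the Image File Execution Options “Debugger” values (the registry mechanism that runs a command in place of a named executable, which is the most plausible reading of the “Registry Key Manipulation” item above; that reading is an assumption here), service and scheduled-task launch commands, permanent WMI event filters and command-line consumers, and the Setup ErrorHandler.cmd hook that Setup.exe runs when it hits an error. It then flags entries pointing at scripts, AutoIt, or user-writable directories. The “suspicious” pattern is an assumption for the example and should be tuned to the environment.

```powershell
# Added example, not code from the report: hunt the persistence locations described
# above on a live host. Run from an elevated PowerShell; root/subscription and some
# service details are not visible to a standard user.

# Assumed definition of a suspicious launch command: script extensions, AutoIt, or
# user-writable directories. This is a starting point, not a complete rule set.
$SuspiciousPattern = '\.(bat|cmd|vbs|ps1|au3)\b|autoit|\\AppData\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\'

function Test-SuspiciousCommand([string]$Command) {
    return [bool]($Command -and $Command -match $SuspiciousPattern)
}

function New-Finding($Source, $Target, $Command) {
    [pscustomobject]@{ Source = $Source; Target = $Target; Command = $Command
                       Suspicious = (Test-SuspiciousCommand $Command) }
}

function Get-IfeoDebuggerHijacks {
    # A "Debugger" value under Image File Execution Options\<exe name> is executed in place
    # of that executable every time it starts: the registry way of linking a script to a
    # commonly used executable name.
    $base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($key in Get-ChildItem -Path $base -ErrorAction SilentlyContinue) {
        $dbg = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { New-Finding 'IFEO' $key.PSChildName $dbg }
    }
}

function Get-ServiceLaunchCommands {
    # Services whose binary path is a batch file or the AutoIt interpreter stand out here.
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        New-Finding 'Service' $svc.Name $svc.PathName
    }
}

function Get-WmiEventSubscriptions {
    # Permanent WMI subscriptions survive reboots: a filter (the trigger query, often a
    # polling timer using WITHIN) bound to a consumer (the command that runs).
    $ns = 'root/subscription'
    foreach ($c in Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue) {
        New-Finding 'WMI consumer' $c.Name $c.CommandLineTemplate
    }
    foreach ($f in Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue) {
        # Filters carry no command; a WITHIN clause means the filter fires on a timer.
        [pscustomobject]@{ Source = 'WMI filter'; Target = $f.Name; Command = $f.Query
                           Suspicious = [bool]($f.Query -match '\bWITHIN\b') }
    }
}

function Get-ScheduledTaskCommands {
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($a in @($task.Actions)) {
            if ($a.Execute) {
                New-Finding 'Task' "$($task.TaskPath)$($task.TaskName)" "$($a.Execute) $($a.Arguments)"
            }
        }
    }
}

function Get-SetupErrorHandlerScript {
    # Windows Setup (Setup.exe) runs %SystemRoot%\Setup\Scripts\ErrorHandler.cmd whenever it
    # encounters an error; a script planted there is an unusual startup hook, so any content
    # at all is reported.
    $path = Join-Path $env:SystemRoot 'Setup\Scripts\ErrorHandler.cmd'
    if (Test-Path -Path $path) {
        [pscustomobject]@{ Source = 'Setup hook'; Target = $path
                           Command = (Get-Content -Path $path -Raw); Suspicious = $true }
    }
}

$findings = @(Get-IfeoDebuggerHijacks) + @(Get-ServiceLaunchCommands) +
            @(Get-WmiEventSubscriptions) + @(Get-ScheduledTaskCommands) + @(Get-SetupErrorHandlerScript)
$findings | Where-Object Suspicious | Sort-Object Source | Format-Table Source, Target, Command -AutoSize -Wrap
```

The IFEO and Setup hook checks will be empty on a clean machine, which is what makes them cheap to baseline; services and scheduled tasks produce more noise, so for those the pattern match on the launch command, rather than the mere presence of an entry, is what keeps the output readable.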
The campaign predominantly targets Russian-speaking users, as evidenced by the Russian interface on the malicious webpage.
Telemetry data indicates that 90% of potential victims are located in Russia, with over 4,600 users exposed between January and March 2025.
The primary objective appears to be financial gain through cryptocurrency theft and mining activities.
However, the attackers could potentially sell system access to other threat actors for more severe exploitation.
This campaign highlights the risks of downloading software from untrusted sources and underscores the need for vigilance when using third-party platforms like SourceForge.
By exploiting legitimate features of trusted platforms, attackers can create convincing traps that lure unsuspecting users into compromising their systems.
Users are advised to rely on official sources for software downloads and exercise caution when encountering unfamiliar or unofficial websites.
Security professionals should remain alert to evolving tactics that leverage trusted platforms for malicious purposes.