Cybersecurity firm Kaspersky has uncovered a malicious campaign where hackers embed malware within fake Microsoft Office add-ins distributed on the software hosting site SourceForge, aiming to steal cryptocurrency from unsuspecting users.
One of the malicious listings, called “officepackage,” does include real Microsoft Office add-ins, but it also conceals a clipper malware known as ClipBanker. A clipper watches the system clipboard and, when it sees a copied cryptocurrency wallet address, silently replaces it with an address controlled by the attacker, so that a transaction the victim believes is going to the intended recipient is redirected to the attackers. Kaspersky’s Anti-Malware Research Team noted that crypto wallet users typically copy and paste addresses rather than typing them, which is precisely what makes them vulnerable once a device is infected with ClipBanker.
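The clipboard-swapping behaviour described above leaves a simple footprint: the clipboard content changes from one wallet-looking address to another without the user having copied anything. The following Python script is an added example written for this page, not code from Kaspersky or from the campaign; it classifies clipboard values by address format (pattern shape only, no checksum validation) and flags a substitution in a timeline of clipboard observations. The timeline, the address regexes and the attacker addresses are all constructed for illustration and are not taken from the report.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Pattern-level matchers for a few common wallet-address formats (constructed
# for this example). They only recognise the shape of an address, with no
# checksum validation, which is also all a clipper needs before it swaps a value.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
    "eth":        re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_kind(text: str) -> Optional[str]:
    """Return the address format the text looks like, or None if it is not an address."""
    s = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return kind
    return None


@dataclass
class ClipEvent:
    t: float        # seconds since monitoring started
    source: str     # "user_copy" (a copy the user made) or "poll" (content seen on a poll)
    content: str


def detect_substitutions(events: List[ClipEvent]) -> List[dict]:
    """Flag polls where the clipboard holds a wallet-looking address that differs
    from the last address the user copied, with no user copy in between.

    That is the footprint of a clipper: the content changes under the user's
    feet, usually to an address of the same format so the swap goes unnoticed.
    """
    alerts = []
    last_user: Optional[ClipEvent] = None   # most recent copy made by the user
    last_alerted: Optional[str] = None      # suppress repeat alerts for one swap
    for ev in events:
        if ev.source == "user_copy":
            last_user = ev
            last_alerted = None
            continue
        if last_user is None:
            continue
        copied = last_user.content.strip()
        seen = ev.content.strip()
        copied_kind = address_kind(copied)
        seen_kind = address_kind(seen)
        if copied_kind is None or seen_kind is None or seen == copied:
            continue    # not crypto-related, or the clipboard was left untouched
        if seen == last_alerted:
            continue    # this substituted value has already been reported
        last_alerted = seen
        alerts.append({
            "t": ev.t,
            "seconds_after_copy": round(ev.t - last_user.t, 3),
            "copied": copied,
            "replaced_with": seen,
            "same_format": copied_kind == seen_kind,
        })
    return alerts


# Constructed timeline, not real telemetry. The "attacker" addresses are made up
# and only need to match the format.
SAMPLE_EVENTS = [
    ClipEvent(0.0,  "user_copy", "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),
    ClipEvent(0.2,  "poll",      "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),
    ClipEvent(0.4,  "poll",      "bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh"),  # swapped
    ClipEvent(0.6,  "poll",      "bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh"),  # same swap, no new alert
    ClipEvent(10.0, "user_copy", "meeting notes"),
    ClipEvent(10.3, "poll",      "meeting notes"),
    ClipEvent(20.0, "user_copy", "0xde0B295669a9FD93d5F28D9Ec85E40f4cb697BAe"),
    ClipEvent(20.1, "poll",      "0x1111111111111111111111111111111111111111"),  # swapped
]


if __name__ == "__main__":
    for alert in detect_substitutions(SAMPLE_EVENTS):
        print(alert)
```

On a real endpoint the `poll` events would come from reading the clipboard on a timer and the `user_copy` events from a copy hook or from correlating the change with keyboard input; the detection logic itself is the same. The `same_format` flag is worth surfacing in an alert because a swap to an address of the same format is the one a user is least likely to notice when pasting.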
The fake project page on SourceForge mimics a legitimate developer tool page, complete with a list of office add-ins and download buttons, and can also surface in search results, which makes it hard for users to tell the malicious listing apart from genuine software. Kaspersky found that the malware is delivered in bundles that look authentic but whose files are either unusually small for what they claim to be or padded with irrelevant data to reach the size a user would expect of a real installer.
Upon infection, the malware collects device information such as the IP address, country, and username and sends it to the attackers through the messaging app Telegram. ClipBanker also checks the infected system for signs that it is already installed or that antivirus software is present, and deletes itself in either case to avoid detection. The attackers establish access to compromised systems through several methods, and Kaspersky notes they could sell that access to other, possibly more dangerous, cybercriminals.
The software interface is in Russian, suggesting that the attackers may be targeting Russian-speaking users. Kaspersky’s telemetry indicates that 90% of potential victims are in Russia, where 4,604 users encountered the scheme between early January and late March. To avoid falling victim to such scams, Kaspersky recommends only downloading software from trusted sources, as pirated programs and alternative download options carry higher risks.
Distributing malware disguised as pirated software is a long-standing tactic, and attackers continually look for new ways to make their download pages appear legitimate. Other security firms have also reported new malware families targeting crypto users. For instance, ThreatFabric identified a new Android malware family that displays a fake overlay to trick users into entering their crypto seed phrases while it takes over the device.