Cybercriminals are distributing embedded miners and malware designed to steal cryptocurrency through counterfeit Microsoft Office extensions. This was reported by experts from Kaspersky Lab.
The hackers operate via the popular software hosting portal SourceForge. They have uploaded a project named officepackage, offering add-ons for office programs that are copies of legitimate add-ons hosted on GitHub.
However, upon clicking the project's link, users are presented with a wide array of Microsoft Office applications available for download.
By opening the modified installer file, victims initiate processes that bypass security checks, establish a connection with the hackers' server, and install a miner and ClipBanker. This malware replaces cryptocurrency wallet addresses in the clipboard, so that a victim who copies a wallet address and pastes it into a transaction unknowingly sends funds to the hackers.
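The clipboard substitution described above leaves a recognisable trace: a wallet address on the clipboard is replaced by a different address of the same family within a fraction of a second, without the user copying anything. The following detector is an added example written for this article; it is not Kaspersky's tooling nor the malware's code. It assumes a feed of clipboard change events (here a constructed timeline, `SAMPLE_EVENTS`) and uses simplified address patterns for Bitcoin and Ethereum; the `window` threshold and the `ClipEvent` shape are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Simplified address patterns (assumption: illustrative, not exhaustive).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify(text: str) -> Optional[str]:
    """Return the address family a clipboard string looks like, or None."""
    text = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return family
    return None


@dataclass
class ClipEvent:
    t: float       # seconds since monitoring started
    content: str   # clipboard text after the change


def detect_swaps(events, window: float = 2.0):
    """Flag clipboard updates that replace one wallet address with a
    different address of the same family within `window` seconds.
    A user rarely copies two different addresses back to back that fast,
    so this is the signature a ClipBanker-style substitution leaves."""
    alerts = []
    prev: Optional[ClipEvent] = None
    for ev in events:
        if prev is not None:
            before, after = classify(prev.content), classify(ev.content)
            if (before is not None and before == after
                    and prev.content.strip() != ev.content.strip()
                    and ev.t - prev.t <= window):
                alerts.append({
                    "t": ev.t,
                    "kind": after,
                    "expected": prev.content.strip(),
                    "actual": ev.content.strip(),
                })
        prev = ev
    return alerts


# Constructed sample timeline (not a real capture): the user copies an
# Ethereum address and 300 ms later the clipboard holds a different one.
SAMPLE_EVENTS = [
    ClipEvent(0.0, "meeting notes for Monday"),
    ClipEvent(10.0, "0x" + "ab" * 20),
    ClipEvent(10.3, "0x" + "cd" * 20),    # silent substitution -> alert
    ClipEvent(60.0, "bc1q" + "x" * 30),   # user copies a BTC address
    ClipEvent(120.0, "1" + "A" * 30),     # another BTC address a minute later -> fine
    ClipEvent(120.5, "1" + "A" * 30),     # same content copied again -> fine
]

if __name__ == "__main__":
    for a in detect_swaps(SAMPLE_EVENTS):
        print(f"[{a['t']:.1f}s] {a['kind']} address changed: "
              f"{a['expected']} -> {a['actual']}")
```

In a real deployment the event list would be fed by a clipboard listener (on Windows, for instance, a window registered with `AddClipboardFormatListener` receiving `WM_CLIPBOARDUPDATE`); the heuristic itself stays the same, and an alert is a cue to re-copy the address from its source and verify it before sending funds.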
According to specialists, the hacking campaign primarily targets Russian-speaking regions. At least 4,604 users have fallen victim, 90% of whom are located in Russia.
Following the cessation of most Microsoft services in the country, official products of the corporation's office suite became unavailable. This has created demand for alternative download sources. Many prefer portals like SourceForge, which are perceived as safer and less likely to bring unwanted consequences, a perception the cybercriminals exploited, noted Kaspersky Lab.
“We do not recommend users download software from unverified sources. If, for any reason, access to the official program source is unavailable, it should be remembered that seeking alternative routes always involves increased security risks,” concluded the experts.
Back in March, specialists from Threat Fabric identified a Trojan virus targeting banking apps and cryptocurrency wallets on Android.