SourceForge abused to spread crypto-stealing malware disguised as Microsoft Office tools

SourceForge, a trusted repository for open-source software, has been abused to distribute cryptocurrency-targeting malware through deceptive Office add-in downloads.
Between January and March, more than 4,600 devices, primarily in Russia, were compromised.
The attack was discovered by Kaspersky, which published detailed findings on April 8.
The attackers used SourceForge's platform features to build a convincing front for their campaign, creating a fake project that posed as a set of Microsoft Office add-ins.
Behind its developer-friendly appearance, however, the infrastructure served as a launch pad for malware.
The multi-stage operation combined archived files, password protection, and heavily padded fake installers to evade detection and maintain persistence on infected systems.
More than 4,600 devices hit
Researchers traced the campaign to a SourceForge project called “OfficePackage”, which mirrored Microsoft Office add-ins taken from GitHub.
Once published, the project automatically received its own subdomain.
That subdomain was then indexed by search engines such as Yandex, making it easy for unsuspecting users searching for Office to find.
When users visited the page, they were met with what appeared to be a legitimate list of downloadable Office tools.
Clicking the links redirected visitors several times before serving a small ZIP archive.
Once unpacked, the archive ballooned into a 700MB installer designed to mislead users and evade antivirus scanning.
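A small ZIP that unpacks into a 700MB installer is a padding trick that can be spotted from the archive's central directory before anything is extracted. The following check is an added example (not code from the article or from Kaspersky): it reads only the ZIP metadata, compares declared size with compressed size, and flags archives whose inflation ratio or unpacked size exceeds assumed thresholds; the sample archives are constructed in memory.

```python
import io
import os
import zipfile

# Thresholds are assumptions for this example, not figures from the report.
MAX_RATIO = 100.0                       # unpacked bytes : compressed bytes
MAX_UNPACKED_BYTES = 200 * 1024 * 1024  # flag anything claiming > 200 MiB unpacked


def inspect_archive(data: bytes) -> dict:
    """Report padding indicators using only ZIP central-directory fields (no extraction)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        total_raw = sum(i.file_size for i in infos)        # declared unpacked size
        total_comp = sum(i.compress_size for i in infos)   # bytes actually stored
    ratio = total_raw / max(total_comp, 1)
    reasons = []
    if ratio > MAX_RATIO:
        reasons.append(f"compression ratio {ratio:.0f}:1 exceeds {MAX_RATIO:.0f}:1")
    if total_raw > MAX_UNPACKED_BYTES:
        reasons.append(f"declared unpacked size {total_raw} bytes exceeds cap")
    return {
        "archive_bytes": len(data),
        "unpacked_bytes": total_raw,
        "ratio": ratio,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


def build_sample(payload: bytes) -> bytes:
    """Constructed test archive: one member named like an installer, deflate-compressed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("OfficePackage-installer.exe", payload)
    return buf.getvalue()


# Constructed samples: a padded "installer" (8 MiB of zero bytes behind an MZ header,
# which deflates to a few KB) and a normal-looking one filled with incompressible bytes.
PADDED_ZIP = build_sample(b"MZ" + b"\x00" * (8 * 1024 * 1024))
NORMAL_ZIP = build_sample(b"MZ" + os.urandom(64 * 1024))

if __name__ == "__main__":
    for name, blob in (("padded", PADDED_ZIP), ("normal", NORMAL_ZIP)):
        print(name, inspect_archive(blob))
```

The same ratio check applies to any archive format whose headers declare member sizes, and it runs in constant memory because nothing is decompressed.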
The fake installer hides malware
The installer contained embedded scripts that downloaded additional payloads from GitHub.
These payloads included a cryptocurrency miner and clipper malware that hijacks clipboard contents to redirect cryptocurrency transactions to attacker-controlled wallets.
Before installing the malware, the script checks for antivirus tools.
If none is found, the payload deploys supporting utilities such as AutoIt and NetCat.
Another script sends device information to a Telegram bot controlled by the threat actors.
This information helps the attackers identify which compromised systems are most valuable or suitable for resale on the dark web.
SourceForge used for delivery
Using SourceForge as the campaign's initial infection vector gave it an air of credibility.
Known for its role in distributing legitimate open-source software, SourceForge let the attackers bypass many of the red flags usually associated with malicious downloads.
By using the site's built-in project and hosting features, the attackers could present the malware as a trustworthy application without needing any external infrastructure.
Kaspersky's data indicates that 90% of infection attempts came from Russian users.
Although the initial payload focuses on cryptocurrency theft, the researchers warned that compromised devices could be resold or handed to other criminal groups for further exploitation.
Yandex and GitHub aided the spread
The campaign's effectiveness was boosted by the indexing of the subdomain by Yandex, one of the largest search engines in Russia.
This increased visibility among potential victims, especially those searching online for productivity software.
Using GitHub as a secondary hosting site for the malware let the attackers maintain and update their payloads while keeping a clean, legitimate-looking front.
GitHub's broad reputation for safety further masked the malicious operation.
Kaspersky did not name the parties behind the campaign, and there is no indication that SourceForge or GitHub was complicit.
Both platforms appear to have been exploited through features available to the public. It remains unclear whether the malicious project has since been removed.
The post “SourceForge abused to spread crypto-stealing malware disguised as Microsoft Office tools” appeared first on Invezz.