New cracked software on SourceForge for cryptocurrency mining
A new malicious campaign exploiting cracked software uploaded to SourceForge, a popular open-source repository, is concerning cybersecurity experts. Researchers from the ThreatLabz security team at Zscaler have identified a sophisticated strategy that uses trojanized versions of legitimate applications to spread Clipper malware and a cryptominer.
The main purpose is illegal monetization: exploiting the victims' computer resources for cryptocurrency mining and, at the same time, intercepting wallet addresses in order to redirect cryptocurrency transactions to accounts controlled by the attackers.
Compromised software disguised as popular tools
The malicious actors have uploaded compromised versions of commonly used software on SourceForge, such as:
- Apple Security Update
- Google Chrome
- Windows Defender
- Zoom
- Advanced IP Scanner
- CrystalDiskInfo
- CPU-Z
These files, apparently identical to the originals, incorporate malicious code. Thanks to the reputation of SourceForge and the popularity of the chosen software, the attackers manage to induce numerous users to download these infected executables without suspicion.
Infection mechanism: deception and silent persistence
Once the user runs the infected program, the malware proceeds with a two-phase method:
1. Dropper and AutoIt compiler: A dropper written in AutoIt, a popular scripting language that allows the automation of operations in Windows, is executed. This dropper is tasked with stealthily installing the other malicious components, namely the clipper and the cryptominer.
2. Installation and persistence: The malicious payloads are hidden in default Windows directories, often with names that mimic system files to avoid detection. Additionally, the attackers store the malware inside password-protected compressed archives and use extensions like `.ocx` (typically used for ActiveX libraries) to further disguise their true purpose.
The system ensures persistence on the infected device by creating registry entries and shortcuts in the startup folder, so as to be executed at every reboot.
Clipper: hijacking cryptocurrency with a single copy-paste
The Clipper malware is designed to exploit a very common behavior among cryptocurrency users: the copy-paste of wallet addresses.
Once activated, the Clipper continuously monitors the content of the system’s clipboard for patterns that match wallet addresses of Bitcoin, Ethereum, or other tokens. When it identifies an address, it silently replaces it with one controlled by the attackers, thus intercepting potential transactions.
This technique is extremely sneaky: the user, convinced they have copied their own address, actually sends the funds to the cybercriminal’s account without noticing anything.
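The detection side of the behaviour described above, as an added example that is not part of the original article or of the Zscaler research: a check that compares what the user copied with what the clipboard holds at paste time and flags the signature of a clipper, namely a wallet address silently replaced by another address of the same shape. The address patterns are broad shape classifiers (they do not validate checksums), and all sample values are constructed.

```python
import re
from typing import Optional

# Broad classifiers for the address formats the article names (Bitcoin,
# Ethereum) plus Monero, the coin the article says the miner targets.
# They recognise the shape of an address; they do not validate checksums.
WALLET_PATTERNS = {
    "bitcoin-legacy": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "bitcoin-bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,87}$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "monero": re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$"),  # standard/subaddress only
}


def classify(text: str) -> Optional[str]:
    """Return the wallet type a clipboard string looks like, or None."""
    text = text.strip()
    for name, pattern in WALLET_PATTERNS.items():
        if pattern.match(text):
            return name
    return None


def check_paste(copied: str, clipboard_now: str) -> str:
    """Compare what the user copied with what the clipboard holds at paste time.

    A clipper swaps one address for another of the same shape, so the
    tell-tale sign is: the content changed, and both old and new values
    look like a wallet address of the same type.
    """
    if copied == clipboard_now:
        return "ok"
    before, after = classify(copied), classify(clipboard_now)
    if before is not None and before == after:
        return f"clipper-suspected:{before}"
    return "changed"


if __name__ == "__main__":
    # Constructed values: the user copies one Ethereum-shaped address, the
    # clipboard later holds a different one of the same shape.
    user_copied = "0x" + "ab" * 20
    clipboard_at_paste = "0x" + "cd" * 20
    print(classify(user_copied))                         # ethereum
    print(check_paste(user_copied, user_copied))         # ok
    print(check_paste(user_copied, clipboard_at_paste))  # clipper-suspected:ethereum
```

In a real wallet front end the same comparison is what "verify the pasted address matches the one you copied" amounts to; the check runs offline here with constructed strings instead of reading the system clipboard.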
Cryptominer: stealing resources through the download of infected software
Alongside the clipper, the malware uses a cryptominer to exploit the computing power of the infected machine in order to illegally mine cryptocurrency, typically Monero (XMR), favoured in the cybercrime world for its anonymity.
The miner uses tools like XMRig, often modified to avoid antivirus detection. The code is calibrated to operate in the background and consume resources in such a way as not to raise obvious suspicions, although over time the user might notice slowdowns, overheating of the device, and increased energy consumption.
A carefully constructed attack
One of the most insidious elements of this campaign is its strategic sophistication. The actors involved have adopted various techniques to avoid detection:
- Use of AutoIt language to confuse antivirus systems.
- Distribution through a channel generally considered reliable like SourceForge.
- Use of executable files that simulate legitimate software, making it difficult for the user to distinguish them from the originals.
- Encoding of harmful components in password-protected files, to hinder automatic analysis by security systems.
- Use of unconventional extensions for malware files.
Experts’ advice for protection
Cybersecurity analysts emphasize the importance of downloading software only from official and reliable sources. SourceForge is normally considered safe, but the uploading of compromised software by malicious third parties has shown how even historic platforms can become a vehicle for *malicious software*.
Furthermore, it is essential to adopt updated antivirus solutions, regularly monitor the use of system resources, and be attentive to abnormal computer behavior, such as sudden slowdowns or constantly active fans.
A battle in continuous evolution
This attack demonstrates once again how the landscape of cyber threats is constantly evolving. Cybercriminals not only possess advanced technical skills, but they are also adept at constructing deceptive, well-orchestrated campaigns capable of striking effectively.
The combination of clipper and miner within seemingly harmless files represents a double threat: not only is the users’ digital wallet at risk, but their device is also exploited in the long term to enrich the cybercriminals.
The only truly effective weapon remains user awareness combined with good digital security practices. Staying updated on new malicious campaigns and installing software only from certified sources are the first steps to protect oneself from increasingly ingenious attacks.