Cybersecurity firm Kaspersky has discovered malware that tricks victims into sending cryptocurrency to attackers by replacing trusted wallet addresses on a user's clipboard.
The malware is being distributed under the guise of Microsoft Office Add-Ins on the SourceForge website.
In reality, alternate download links are used to install the malware and drain crypto wallets. The malware's text appears to be in Russian, and Kaspersky researchers, writing on their SecureList blog, estimate that about 90% of potential victims are in Russia.
However, the download link leads to a website written in English, suggesting the campaign could spread well beyond Russia.
Once installed, the malware drops ClipBanker, a clipper that replaces cryptocurrency addresses in the clipboard with the attacker's own.
Since most wallet users copy and paste addresses rather than typing them, the substitution usually goes unnoticed until the funds arrive somewhere the victim did not intend.
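To make the mechanism concrete, here is an added illustration (not Kaspersky's analysis code and not ClipBanker itself) of what a clipper does on each clipboard update and of a defender-side check that catches it. The address regexes are the usual Bitcoin legacy, Bitcoin bech32 and Ethereum formats; the attacker addresses and the clipboard event log are constructed placeholders, not values from the report.

```python
import re

# Address-format patterns a clipper must recognise before it can swap anything.
# Assumed typical formats: Bitcoin legacy (P2PKH/P2SH), Bitcoin bech32, Ethereum.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
    "btc_bech32": re.compile(r"\bbc1[ac-hj-np-z02-9]{39,59}\b"),
    "eth": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
}

# Constructed placeholder addresses standing in for the attacker's wallets.
ATTACKER_ADDRESSES = {
    "btc_legacy": "1" + "A" * 33,
    "btc_bech32": "bc1q" + "q" * 38,
    "eth": "0x" + "deadbeef" * 5,
}


def classify_address(text):
    """Return the address type of an exact address string, or None."""
    for kind, pat in ADDRESS_PATTERNS.items():
        if pat.fullmatch(text):
            return kind
    return None


def extract_addresses(text):
    """Find every recognised wallet address inside free text, as (type, address)."""
    found = []
    for kind, pat in ADDRESS_PATTERNS.items():
        for m in pat.finditer(text):
            found.append((kind, m.group(0)))
    return found


def clipper_rewrite(clipboard_text):
    """What a clipper does on each clipboard change: swap every recognised
    address for the attacker's address of the same type and leave all other
    text untouched, so the pasted result still looks like what was copied."""
    out = clipboard_text
    for kind, pat in ADDRESS_PATTERNS.items():
        out = pat.sub(ATTACKER_ADDRESSES[kind], out)
    return out


def clipboard_tampered(copied, observed):
    """Defender-side check: what the user copied and what is later read back
    should be identical. An address of the same type but a different value is
    the signature of a clipper (a legitimate re-copy would change the type or
    the whole text, not silently keep the format)."""
    if copied == observed:
        return False
    before = set(extract_addresses(copied))
    before_kinds = {k for k, _ in before}
    return any(kind in before_kinds and (kind, addr) not in before
               for kind, addr in extract_addresses(observed))


def audit_clipboard_events(events):
    """Scan ('copy', text) / ('paste', text) events, as an endpoint agent might
    log them, and return (copied, pasted) pairs where a swap was detected."""
    alerts = []
    last_copied = None
    for action, value in events:
        if action == "copy":
            last_copied = value
        elif action == "paste" and last_copied is not None:
            if clipboard_tampered(last_copied, value):
                alerts.append((last_copied, value))
    return alerts


if __name__ == "__main__":
    # Constructed victim addresses and event log.
    victim_eth = "0x" + "ab" * 20
    victim_btc = "bc1q" + "p" * 38
    log = [
        ("copy", "pay " + victim_eth + " now"),
        ("paste", clipper_rewrite("pay " + victim_eth + " now")),
        ("copy", victim_btc),
        ("paste", victim_btc),  # clean paste: no alert
    ]
    for copied, pasted in audit_clipboard_events(log):
        print("clipboard swap detected:", copied, "->", pasted)
```

The check only works if the defender knows what was copied: in practice that means verifying the first and last characters of a pasted address against the source before sending, or an endpoint agent that records clipboard writes and compares them with later reads.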
Kaspersky warns that the infection could be used for more than address swapping.
“The persistence methods are worthy of note as well. Attackers secure access to an infected system through multiple methods, including unconventional ones,” the researchers wrote. “While the attack primarily targets cryptocurrency by deploying a miner and ClipBanker, the attackers could sell system access to more dangerous actors.”
It's worth noting that SourceForge is a legitimate software-hosting site and that this scheme relies on luring users to a separate, unsafe download link.
A seemingly legitimate link redirects to a page where users are encouraged to download the infected software.
The download appears to be a legitimate 700MB installer, but it is mostly padded with junk files; the actual malware is just 7MB.
According to the report, some 4,604 Russian users encountered the scheme between early January and late March alone.
Kaspersky warns: “We advise users against downloading software from untrusted sources. If you are unable to obtain some software from official sources for any reason, remember that seeking alternative download options always carries higher security risks.”
Edited by Stacy Elliott.