Hackers hide crypto address-swapping malware in Microsoft Office add-in bundles

Malicious actors are attempting to steal crypto with malware embedded in fake Microsoft Office extensions uploaded to the software hosting site SourceForge, according to cybersecurity firm Kaspersky.

One of the malicious listings, called “officepackage,” has real Microsoft Office add-ins but hides a malware called ClipBanker that replaces a copied crypto wallet address on a computer’s clipboard with the attacker’s address, Kaspersky’s Anti-Malware Research Team said in an April 8 report.

“Users of crypto wallets typically copy addresses instead of typing them. If the device is infected with ClipBanker, the victim’s money will end up somewhere entirely unexpected,” the team said.

The fake project’s page on SourceForge mimics a legitimate developer tool page, showing the office add-ins and download buttons and can also appear in search results.

Kaspersky said another feature of the malware’s infection chain involves sending infected device information such as IP addresses, country and usernames to the hackers through Telegram.

The malware can also scan the infected system for signs it’s already been installed previously or for antivirus software and delete itself.

Attackers could sell system access to others

Kaspersky says some of the files in the bogus download are small, which raises “red flags, as office applications are never that small, even when compressed.” 

Other files are padded out with junk to convince users they are looking at a genuine software installer.

The firm said attackers secure access to an infected system “through multiple methods, including unconventional ones.”

“While the attack primarily targets cryptocurrency by deploying a miner and ClipBanker, the attackers could sell system access to more dangerous actors.” 

The interface is in Russian, which Kaspersky speculates could mean it targets Russian-speaking users.

“Our telemetry indicates that 90% of potential victims are in Russia, where 4,604 users encountered the scheme between early January and late March,” the report stated.

To avoid falling victim, Kaspersky recommended only downloading software from trusted sources as pirated programs and alternative download options carry higher risks.

Related: Hackers are selling counterfeit phones with crypto-stealing malware

“Distributing malware disguised as pirated software is anything but new,” the company said. “As users seek ways to download applications outside official sources, attackers offer their own. They keep looking for new ways to make their websites look legit.”

Other firms have also been raising the alarm over new forms of malware targeting crypto users. 

Threat Fabric said in a March 28 report it found a new family of malware that can launch a fake overlay to trick Android users into providing their crypto seed phrases as it takes over the device.

Magazine: Bitcoin heading to $70K soon? Crypto baller funds SpaceX flight: Hodler’s Digest, March 30 – April 5