Cyber attackers are embedding malicious software that swaps crypto addresses inside fake Microsoft Office add-ins.
Malware that swaps crypto wallet addresses is being bundled with fake Microsoft Office extensions on SourceForge, replacing the victim’s copied address with the attacker’s.
Malicious actors insert malware into phony Microsoft Office extensions on SourceForge to steal cryptocurrency, according to cybersecurity firm Kaspersky.
Kaspersky’s Anti-Malware Research Team shared an April 8 report highlighting how the “officepackage” listing, though featuring legitimate Microsoft Office add-ins, conceals ClipBanker malware that replaces a copied crypto wallet address with that of the attacker.
“Users of crypto wallets typically copy addresses instead of typing them. If the device is infected with ClipBanker, the victim’s money will end up somewhere entirely unexpected,” the team said.
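The swap described above can be checked for from the defender's side with a clipboard canary: copy a known wallet address, read it back, and compare. The block below is an added example, not code from Kaspersky's report or from the malware, and it uses an in-memory clipboard stand-in (the `PlainClipboard` and `SwappingClipboard` classes, the placeholder addresses and the address patterns are all constructed for this illustration); on a real host the `read` and `write` callables would be the platform clipboard API.

```python
import re
from typing import Callable, Optional

# Address patterns (assumption: illustrative coverage of common Bitcoin and
# Ethereum formats, not a full checksum validator).
ADDRESS_PATTERNS = {
    "bitcoin-legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "bitcoin-bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{6,87}$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify_address(text: str) -> Optional[str]:
    """Return the address family a string looks like, or None."""
    candidate = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(candidate):
            return family
    return None


def clipboard_canary(read: Callable[[], str], write: Callable[[str], None],
                     canary: str) -> dict:
    """Copy a known wallet address through the clipboard and check whether
    what comes back is the same string. A clipper that rewrites wallet
    addresses returns a different address of the same family."""
    write(canary)
    observed = read()
    return {
        "swapped": observed.strip() != canary.strip(),
        "canary_family": classify_address(canary),
        "observed_family": classify_address(observed),
        "observed": observed,
    }


class PlainClipboard:
    """In-memory stand-in for a clean OS clipboard (constructed for this example)."""

    def __init__(self) -> None:
        self._data = ""

    def read(self) -> str:
        return self._data

    def write(self, text: str) -> None:
        self._data = text


class SwappingClipboard(PlainClipboard):
    """Test double for an infected host: reading back a recognised wallet
    address yields a constructed placeholder instead. This only models the
    behaviour the report describes so the detector can be exercised."""

    PLACEHOLDER = {
        "bitcoin-bech32": "bc1qattackerattackerattackerattackerxx",  # constructed
        "ethereum": "0x" + "deadbeef" * 5,                            # constructed
    }

    def read(self) -> str:
        text = super().read()
        return self.PLACEHOLDER.get(classify_address(text), text)


# BIP173 bech32 test vector, used as the canary (not a live wallet).
CANARY = "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"


def run_demo() -> tuple:
    """Run the canary against the clean and the swapping clipboard."""
    clean = PlainClipboard()
    infected = SwappingClipboard()
    return (
        clipboard_canary(clean.read, clean.write, CANARY),
        clipboard_canary(infected.read, infected.write, CANARY),
    )


if __name__ == "__main__":
    for label, result in zip(("clean", "infected"), run_demo()):
        print(label, result)
```

The same comparison is the habit worth teaching users: after pasting, check the first and last few characters of the address against the one they copied, because a clipper keeps the address format intact and only the contents change.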
The project page on SourceForge, pretending to be a legitimate developer tool, presents office add-ins and download buttons while also appearing in search results.
The malware’s infection chain also sends information from compromised devices, such as IP addresses, country, and usernames, to the hackers via Telegram, Kaspersky noted.
The malware scans the compromised system for traces of prior installations or antivirus programs and deletes itself if it detects them.
Some of the files in the deceptive download are particularly small, which Kaspersky flags as unusual, since Office applications don’t usually get that small, even when compressed.
The remaining files are padded with irrelevant data to make users believe they are looking at an authentic software installer.
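The two size observations above (installer files far too small, other files padded with filler) translate directly into a triage check. The block below is an added example, not Kaspersky's tooling, that builds a constructed stand-in for an extracted download in a temporary directory and flags installer-named files under a size threshold and large files whose content is near-constant filler; the threshold constants and the sample file names are assumptions chosen for the illustration.

```python
import math
import random
import shutil
import tempfile
from collections import Counter
from pathlib import Path

INSTALLER_SUFFIXES = {".exe", ".msi"}
MIN_INSTALLER_BYTES = 1 * 1024 * 1024  # assumption: real Office installers are far above 1 MiB
PADDING_ENTROPY_BITS = 1.0             # assumption: under 1 bit/byte means near-constant filler
SAMPLE_BYTES = 256 * 1024              # only inspect the first 256 KiB of each file


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant run, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = Counter(data)
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def triage_file(path: Path) -> dict:
    """Flag an installer-named file that is implausibly small, and any large
    file whose leading bytes are filler rather than code or compressed data."""
    size = path.stat().st_size
    with path.open("rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    entropy = shannon_entropy(head)
    flags = []
    if path.suffix.lower() in INSTALLER_SUFFIXES and size < MIN_INSTALLER_BYTES:
        flags.append("installer_too_small")
    if size >= SAMPLE_BYTES and entropy < PADDING_ENTROPY_BITS:
        flags.append("low_entropy_filler")
    return {"name": path.name, "size": size, "entropy": round(entropy, 2), "flags": flags}


def triage_download(root: Path) -> list:
    """Triage every regular file under an extracted download."""
    return [triage_file(p) for p in sorted(root.rglob("*")) if p.is_file()]


def build_sample_download() -> Path:
    """Constructed stand-in for an extracted fake 'officepackage' download:
    a tiny pseudo-random 'installer', a zero-filled padding file and a
    harmless README."""
    root = Path(tempfile.mkdtemp(prefix="officepackage_sample_"))
    rng = random.Random(2025)
    (root / "OfficeSetup.exe").write_bytes(bytes(rng.getrandbits(8) for _ in range(7 * 1024)))
    (root / "data.bin").write_bytes(b"\x00" * (512 * 1024))
    (root / "README.txt").write_text("Office add-ins\n")
    return root


def run_demo() -> dict:
    """Build the sample, triage it, clean up, and map file name to flags."""
    root = build_sample_download()
    try:
        return {r["name"]: r["flags"] for r in triage_download(root)}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name, flags in run_demo().items():
        print(f"{name}: {flags or 'no findings'}")
```

Run against a real extracted download, `triage_download(Path("extracted_dir"))` returns one record per file; a listing in which the only installer-sized file is low-entropy padding and the executable is a few kilobytes is the pattern the report describes and a reason to stop before running anything.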
Attackers secure entry into an infected system through several approaches, the firm noted, including some that are unconventional.
“While the attack primarily targets cryptocurrency by deploying a miner and ClipBanker, the attackers could sell system access to more dangerous actors.”
Kaspersky speculates that the Russian-language interface points to Russian-speaking users as the malware’s likely target.
“Our telemetry indicates that 90% of potential victims are in Russia, where 4,604 users encountered the scheme between early January and late March,” the report stated.
Kaspersky emphasizes the importance of downloading software from trusted sources, warning that pirated and alternative downloads present higher security threats.
“Distributing malware disguised as pirated software is anything but new,” the company said. “As users seek ways to download applications outside official sources, attackers offer their own. They keep looking for new ways to make their websites look legit.”
Other cybersecurity companies have also raised concerns about new malware that targets cryptocurrency users.
According to a March 28 report by Threat Fabric, a new malware family has been found that launches a fake overlay to steal crypto seed phrases from Android users while taking over their devices.