Crypto Thieves Embed Malware in Microsoft Office Add-ins on SourceForge

Coin World, Tuesday, Apr 8, 2025 10:38 pm ET

Hackers have been discovered embedding crypto address-swapping malware within Microsoft Office add-in bundles available on the software hosting site SourceForge. This malicious activity, identified by Kaspersky, involves the use of seemingly legitimate add-ins to steal cryptocurrency from unsuspecting users. The malware operates by replacing the recipient's cryptocurrency address with the attacker's address during transactions, effectively redirecting the funds to the hacker's wallet.

The method of attack is sophisticated, as it leverages the trust users place in well-known software platforms like SourceForge. By disguising the malware within add-ins, hackers can bypass initial security checks and gain access to users' systems. Once inside, the malware can monitor clipboard activity, detecting when a cryptocurrency address is copied and replacing it with the attacker's address before the user pastes it into a transaction field.
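The clipboard-swapping behaviour described above is detectable from the host side: a wallet address that turns into a different address of the same kind without any user copy action is the signature of a clipper. The following detector is an added example, not code from the Kaspersky report or from the malware; the address patterns, the `ClipEvent` shape and the sample timeline are all constructed assumptions.

```python
import re
from dataclasses import dataclass

# Address shapes the detector recognises (assumed; a real agent would cover more coins).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def classify(text: str):
    """Return the address kind ('btc', 'eth') if the text looks like a wallet address."""
    s = text.strip()
    for kind, pat in ADDRESS_PATTERNS.items():
        if pat.match(s):
            return kind
    return None

@dataclass
class ClipEvent:
    t: float         # seconds since monitoring started
    text: str        # clipboard contents observed at that time
    user_copy: bool  # True if the change coincided with a user copy action (Ctrl+C, menu)

def detect_swaps(events, window=5.0):
    """Flag transitions where one address is replaced by a different address of the
    same kind, with no user copy action, within `window` seconds of the original copy."""
    alerts, prev = [], None
    for ev in events:
        if prev is not None:
            k_prev, k_cur = classify(prev.text), classify(ev.text)
            if (k_prev is not None and k_prev == k_cur
                    and prev.text.strip() != ev.text.strip()
                    and not ev.user_copy
                    and ev.t - prev.t <= window):
                alerts.append((prev.text.strip(), ev.text.strip(), k_cur))
        prev = ev
    return alerts

def sample_events():
    """Constructed clipboard timeline (not real data): two clipper swaps plus benign traffic."""
    victim_eth, swapped_eth = "0x" + "a1" * 20, "0x" + "b2" * 20
    victim_btc, swapped_btc = "bc1q" + "z" * 38, "bc1q" + "p" * 38
    return [
        ClipEvent(0.0, "meeting notes", True),
        ClipEvent(5.0, victim_eth, True),       # user copies the intended recipient
        ClipEvent(5.2, swapped_eth, False),     # clipboard rewritten with no user action
        ClipEvent(20.0, victim_btc, True),
        ClipEvent(20.1, swapped_btc, False),
        ClipEvent(40.0, "1" + "A" * 33, True),  # user copies another address: benign
    ]
```

Running `detect_swaps(sample_events())` yields the two swapped pairs; feeding it events from a real clipboard monitor turns it into an alerting rule.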

This type of attack highlights the evolving tactics used by cybercriminals to exploit vulnerabilities in widely used software. The integration of malware within add-ins for popular office suites like Microsoft Office underscores the need for heightened vigilance and robust security measures. Users are advised to download add-ins only from trusted sources and to regularly update their software to protect against such threats.

The discovery of this malware serves as a reminder of the importance of cybersecurity in the digital age. As cryptocurrency transactions become more prevalent, so too do the attempts by hackers to exploit them. Users must remain vigilant and take proactive steps to safeguard their digital assets. This includes using reputable antivirus software, enabling two-factor authentication, and being cautious of suspicious links and downloads. By staying informed and implementing best practices, users can better protect themselves from the ever-evolving landscape of cyber threats.

Kaspersky's report also noted that the malware can send infected device information, such as IP addresses, country, and usernames, to the hackers through Telegram. Additionally, the malware can scan the infected system for signs of previous installations or antivirus software and delete itself if detected. This self-preservation mechanism makes it more challenging to detect and remove the malware once it has infiltrated a system.

Another concerning aspect is the potential for attackers to sell system access to more dangerous actors. This means that once a system is compromised, it could be used as a launching pad for further attacks, increasing the risk to the victim and potentially spreading the malware to other systems. The interface of the malware is in Russian, suggesting that it may target Russian-speaking users, although this does not limit its potential reach.

Kaspersky's telemetry indicates that a significant number of potential victims are in Russia: 4,604 users encountered the scheme between early January and late March. This highlights the global nature of cyber threats and the need for international cooperation in combating them. Users are advised to download software only from trusted sources, as pirated programs and alternative download options carry higher risks. Distributing malware disguised as pirated software is a common tactic attackers use to exploit users' desire for free or discounted software.

Other firms have also raised alarms over new forms of malware targeting crypto users. For instance, a new family of malware has been discovered that can launch a fake overlay to trick Android users into providing their crypto seed phrases, taking over the device in the process. This underscores the need for users to be cautious of suspicious downloads and to verify the authenticity of any software they install on their devices.