Malware that replaces the victim’s copied crypto wallet address with the attacker’s address has been detected in fake Microsoft Office extensions posted on the SourceForge platform.
Hackers are trying to steal cryptocurrency using malware embedded in fake Microsoft Office extensions available for download on the SourceForge website, according to cybersecurity experts.
According to the experts, one of the features of the infection chain is the transfer of data about infected devices, such as IP addresses, country of location, and usernames, to attackers via the Telegram messenger.
The malware is also capable of scanning the system for signs of previous installation or antivirus software, and if detected, it can remove itself.
One of the detected malware packages, called the “office suite”, contains genuine Microsoft Office extensions but also hides the ClipBanker virus, which replaces a crypto wallet address copied to the clipboard with the attacker’s address.
“Cryptocurrency wallet users usually copy addresses rather than enter them manually. If a device is infected with ClipBanker, the money may end up in a different place than expected,” the research team warns.
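The clipboard swap described above can be spotted from the defender's side. The following is an added example, not code from the researchers' report: it flags a wallet-shaped clipboard value that is replaced by a different value of the same kind within a short window and without a user copy action. The `ClipEvent` fields, the `user_copy` telemetry flag, the 2-second window and the sample addresses are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

# Coarse address shapes: enough to classify clipboard text, not to verify checksums.
ADDRESS_PATTERNS = {
    "btc-legacy": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "btc-bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

@dataclass
class ClipEvent:
    ts: float        # seconds since capture start
    text: str        # clipboard content after the change
    user_copy: bool  # assumed telemetry: a copy action by the user preceded the change

def address_kind(text):
    """Return the address family the text looks like, or None."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None

def find_swaps(events, window=2.0):
    """Pairs where one wallet address silently replaced another of the same kind."""
    alerts = []
    for prev, cur in zip(events, events[1:]):
        kind = address_kind(prev.text)
        if (kind and kind == address_kind(cur.text)
                and prev.text.strip() != cur.text.strip()
                and not cur.user_copy
                and cur.ts - prev.ts <= window):
            alerts.append((kind, prev, cur))
    return alerts

# Constructed clipboard timeline; every address is a made-up placeholder.
SAMPLE_EVENTS = [
    ClipEvent(0.0, "quarterly report draft", True),
    ClipEvent(10.0, "0x" + "a" * 40, True),    # user copies a payee address
    ClipEvent(10.4, "0x" + "b" * 40, False),   # replaced with no user action
    ClipEvent(60.0, "1" + "A" * 30, True),
    ClipEvent(95.0, "1" + "B" * 30, True),     # user copied a different address: benign
]

if __name__ == "__main__":
    for kind, before, after in find_swaps(SAMPLE_EVENTS):
        print(f"[ALERT] {kind} address swapped at t={after.ts}s: "
              f"{before.text[:10]}... -> {after.text[:10]}...")
```

The same comparison works as a manual habit: checking the first and last characters of a pasted address against the source before sending catches the swap.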
The fake project’s SourceForge page mimics a legitimate development toolkit site, showing Microsoft Office add-ons and download buttons, and can also appear in search engine results.