Cybercriminals are attempting to siphon off cryptocurrency using malware hidden within counterfeit Microsoft Office extensions posted on a software hosting platform, according to a cybersecurity report.
Among these harmful listings is one named “officepackage,” which includes genuine Microsoft Office add-ins while also concealing a piece of malware known as ClipBanker. This malware manipulates the clipboard on an infected computer, replacing a copied crypto wallet address with the attacker’s own, as detailed in an April 8 analysis.
“Crypto wallet users usually copy addresses rather than typing them out. If the system is compromised by ClipBanker, the victim’s funds will be redirected to an unintended destination,” the research team noted.
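A defender-side sketch of the clipboard replacement described above, added here as an example and not taken from the report: it scans a timeline of clipboard snapshots and flags a wallet-address-shaped value that is swapped for a different one within seconds. The address patterns are format-only approximations, and the function names, the two-second window and the sample timeline are assumptions constructed for illustration.

```python
import re

# Format-only address shapes (no checksum validation); assumed for this example.
ADDRESS_PATTERNS = {
    "btc-legacy": re.compile(r"[13][1-9A-HJ-NP-Za-km-z]{25,34}"),
    "btc-bech32": re.compile(r"bc1[ac-hj-np-z02-9]{11,71}"),
    "eth": re.compile(r"0x[0-9a-fA-F]{40}"),
}

def classify(text):
    """Return the address family a clipboard string matches, or None."""
    value = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(value):
            return family
    return None

def same_address(a, b, family):
    """ETH hex is case-insensitive; the other families are compared exactly."""
    a, b = a.strip(), b.strip()
    return a.lower() == b.lower() if family == "eth" else a == b

def find_substitutions(snapshots, window=2.0):
    """Flag address-to-address clipboard changes within `window` seconds.

    snapshots: list of (seconds, clipboard_text), oldest first. Heuristic: a
    person rarely copies two different wallet addresses seconds apart, while
    a clipper rewrites the value right after the copy.
    """
    alerts = []
    for (t0, before), (t1, after) in zip(snapshots, snapshots[1:]):
        fam_before, fam_after = classify(before), classify(after)
        if fam_before is None or fam_after is None:
            continue  # one side is ordinary text: not the pattern of interest
        if fam_before == fam_after and same_address(before, after, fam_before):
            continue  # same value re-read, nothing changed
        if t1 - t0 <= window:
            alerts.append({"at": t1, "copied": before.strip(),
                           "now": after.strip(), "family": fam_after})
    return alerts

# Constructed timeline; the addresses are made-up strings that only fit the shapes.
USER_ETH, OTHER_ETH, USER_BTC = "0x" + "ab" * 20, "0x" + "cd" * 20, "1" + "A" * 33
SAMPLE = [
    (0.0, "meeting notes"),
    (5.0, USER_ETH),          # user copies an address
    (5.3, OTHER_ETH),         # replaced 0.3 s later: flagged
    (60.0, USER_BTC),         # a different address a minute later: normal use
    (60.2, USER_BTC + "\n"),  # same value with a trailing newline: ignored
]
```

Running `find_substitutions(SAMPLE)` returns a single alert for the swap at 5.3 seconds; the same comparison can be applied at paste time, before a transaction is confirmed.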
The fraudulent page on the hosting site imitates a legitimate developer tool page, displaying office add-ins and download buttons while also appearing in search engine results.

According to the report, another aspect of the malware’s infection process includes sending details from the compromised device—like IP addresses, countries, and usernames—to the attackers via Telegram.
This malware can also inspect the infected system to check if it has been previously installed or if any antivirus software is present, and it has the capability to delete itself to avoid detection.
Access to infected systems could be sold
The report highlights that some files within the suspicious download packages are unusually small, raising “red flags,” since legitimate office applications are rarely that compact, even in compressed formats.
Other components are filled with meaningless data designed to create the illusion of a legitimate software installer.
The firm indicated that attackers gain access to a compromised system “through various methods, some of which are unconventional.”
“While the primary focus of the attack is cryptocurrency, utilizing both a miner and ClipBanker, the perpetrators could potentially sell access to infected systems to even more dangerous individuals.”
The interface is reportedly in Russian, which may indicate a focus on Russian-speaking individuals.
“Our analysis shows that 90% of the potential victims are located in Russia, where 4,604 users encountered this scheme from early January to late March,” the document explained.
To prevent becoming a victim, the report advises users to only download software from reputable sources, as pirated programs and alternative download options carry greater risks.
“The distribution of malware disguised as pirated software is not a new phenomenon,” the report stated. “As users look for ways to obtain applications outside of official channels, attackers are offering their own alternatives, continually seeking innovative methods to make their sites appear legitimate.”
Other cybersecurity organizations have also warned about emerging types of malware targeting cryptocurrency users. One firm reported on March 28 that it identified a new set of malware capable of launching a fake overlay to deceive Android users into submitting their crypto seed phrases while taking control of the device.