A miner and the ClipBanker Trojan being distributed via SourceForge

April 8, 2025, 10:10 p.m.

Description

A unique malware distribution scheme exploiting SourceForge has been discovered. The attackers create a seemingly legitimate project on sourceforge.net, which automatically generates a sourceforge.io subdomain. This subdomain is then used to host a malicious page that tricks users into downloading a compressed archive containing malware. The infection chain involves multiple stages, including the use of password-protected archives, Visual Basic scripts, and PowerShell commands. The main payloads are a cryptocurrency miner and ClipBanker, a Trojan that replaces cryptocurrency wallet addresses in the clipboard. The campaign primarily targets Russian-speaking users, with 90% of potential victims located in Russia.

Date

  • Created: April 8, 2025, 7:06 p.m.
  • Published: April 8, 2025, 7:06 p.m.
  • Modified: April 8, 2025, 10:10 p.m.

Attack Patterns

  • ClipBanker
  • T1542.003
  • T1102.002
  • T1059.006
  • T1552.001
  • T1053.005
  • T1059.005
  • T1059.003
  • T1059.001
  • T1571
  • T1547.001
  • T1012
  • T1497
  • T1056.001
  • T1070.004
  • T1055
  • T1036
  • T1140
  • T1027

Additional Information

  • Russian Federation