A miner is being distributed in Russia under the guise of Microsoft Office. Almost 5,000 users have already encountered the malware, Kaspersky Lab told Izvestia. The attack is aimed at stealing data or covertly mining cryptocurrency (under the guise of downloading Windows). Experts do not rule out, however, that the attackers could later sell access to compromised devices to other hackers.

How hackers got into computers to steal data

The attackers are distributing the miner and the ClipBanker Trojan under the guise of Microsoft Office applications on SourceForge, a platform for hosting software projects. In Russia, more than 4,600 users have already encountered this malicious campaign, Kaspersky Lab told Izvestia.

"Users who searched the Internet for Microsoft PC applications on unofficial resources could see a page hosted on one of the domains of the SourceForge website, where they were offered such programs to download for free. If a person clicked on the link, on the program page they saw a large list of popular Microsoft office applications available for download with a click," explained Oleg Kupreev, a cybersecurity expert at Kaspersky Lab.

In fact, however, the page contained a hidden hyperlink that led to the download of a malicious archive, he noted. Inside were two files: a password-protected archive and a text document with the password. If a person unpacked the password-protected archive, two malicious programs made their way onto the computer.

The first is a miner that allowed attackers to use the power of an infected PC to mine cryptocurrencies. The second is ClipBanker, a Trojan that substituted the addresses of crypto wallets to steal currency, they explained. At the same time, there were no Microsoft applications among the downloaded files.
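The two-file layout described above (a password-protected archive next to a text file holding its password) can be checked for before anything is unpacked. The sketch below is an added example, not Kaspersky Lab's tooling or code from the article; the ZIP container, the extension list, the size cap and all function names are assumptions, since the article does not name the archive format.

```python
import io
import zipfile

ARCHIVE_EXT = (".zip", ".7z", ".rar")  # assumed: the article names no format
ENCRYPTED = 0x1                        # ZIP general-purpose flag, bit 0
MAX_INNER = 50 * 1024 * 1024           # refuse to unpack oversized members

def has_encrypted_member(data: bytes) -> bool:
    """True if data parses as a ZIP with at least one encrypted member."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(i.flag_bits & ENCRYPTED for i in zf.infolist())
    except zipfile.BadZipFile:
        return False

def triage_download(data: bytes) -> str:
    """Classify an outer ZIP: 'match', 'needs-review' or 'no-match'."""
    with zipfile.ZipFile(io.BytesIO(data)) as outer:
        files = [i for i in outer.infolist() if not i.is_dir()]
        inner = [i for i in files if i.filename.lower().endswith(ARCHIVE_EXT)]
        notes = [i for i in files if i.filename.lower().endswith(".txt")]
        if len(files) != 2 or len(inner) != 1 or len(notes) != 1:
            return "no-match"
        if not inner[0].filename.lower().endswith(".zip") \
                or inner[0].file_size > MAX_INNER:
            return "needs-review"  # cannot inspect with the standard library
        encrypted = has_encrypted_member(outer.read(inner[0]))
        return "match" if encrypted else "no-match"

def build_zip(members: dict) -> bytes:
    """Build an in-memory ZIP (used only for the constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()

def mark_encrypted(zip_bytes: bytes) -> bytes:
    """Constructed sample only: set the encryption flag in the central directory."""
    raw = bytearray(zip_bytes)
    raw[raw.find(b"PK\x01\x02") + 8] |= ENCRYPTED
    return bytes(raw)

# Constructed samples; no real installer or malware content is involved.
LOCKED = mark_encrypted(build_zip({"setup.bin": b"placeholder"}))
LURE_LIKE = build_zip({"installer.zip": LOCKED, "password.txt": b"constructed"})
PLAIN = build_zip({"docs.zip": build_zip({"a.txt": b"x"}), "readme.txt": b"hi"})
OPAQUE = build_zip({"installer.7z": b"not parsed", "password.txt": b"constructed"})
print(triage_download(LURE_LIKE), triage_download(PLAIN), triage_download(OPAQUE))
```

A "match" verdict means only that the download has this layout and should go to quarantine or manual review; it says nothing about what the encrypted archive contains.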

Kaspersky Lab's cybersecurity experts note that despite the fact that the attack is aimed at stealing data and mining cryptocurrencies, attackers may later sell access to compromised devices or use it for other purposes.

How users can protect themselves

Malware disguised as Microsoft applications is an alarming signal for all users who look for free software on the Internet. It is important to understand that the use of unlicensed software is not only a violation of the law, but also a serious risk to personal safety and data security, said Dmitry Sokolov, head of the information security service at MyOffice.

"By downloading free versions of applications from questionable sites, you become an easy target for intruders. Given the situation when Microsoft sales in Russia have been suspended, we strongly recommend that you consider and use domestic analogues of office software," the expert said.

One of the main threats of using unlicensed "offices" is that such programs can be used to steal personal data, in particular information about bank accounts and payment cards, by intercepting data from the clipboard, said Ekaterina Edemskaya, an analyst engineer at Gazinformservice.

According to her, if the device is infected, attackers can use its computing resources to mine cryptocurrencies, which will significantly slow down the system and cause the device to overheat. In addition, if the malware is not detected in time, it can spread across the network, infecting other devices and creating even more problems for the user and those around them.

Asker Jamirze, head of the Threat Research Department at the Positive Technologies Expert Security Center (PT Expert Security Center), added that spreading malware under the guise of application installers (programs that install software) is not a new tactic.

"Such schemes have been actively used in the Russian Federation and abroad for many years. Potentially, attacks can pose a threat not only to individuals, but also to companies, as people can download infected applications to corporate systems," the expert emphasized.

The ClipBanker Trojan is no less dangerous, and its distinctive feature is real-time tracking of user actions on financial and payment platforms, bitcoin wallets and banking services, said Konstantin Melnikov, head of the Department of special services at Infosecurity (Softline Group).

In addition, ClipBanker is able to remain unnoticed for a long time, including by basic security measures. Even well-known antivirus solutions do not always detect it promptly, despite its presence in the system.

To protect themselves, users should be especially careful when downloading software and install only applications from official sources, Ekaterina Edemskaya recommends. It is also important to regularly update antivirus databases and the operating system to close possible vulnerabilities.

In addition, according to Daniil Borislavsky, product director of Staffcop (SKB Kontur), users should stop downloading Microsoft's office suite and other commercial software from torrent resources, because doing so carries an almost 100% chance of infecting the PC with malware.

Translated by Yandex Translate
