Fake Microsoft Office Add-Ins Used to Hijack Crypto Transfers, Says Kaspersky
Key Takeaways
- Hackers are spreading fake Microsoft Office add-ins on SourceForge that hide the crypto-stealing malware ClipBanker;
- ClipBanker swaps copied wallet addresses on infected devices, which redirects crypto transfers to the attacker;
- The malware targets mostly Russian users, gathers device info, and may install a crypto miner or sell access to others.
Kaspersky, a cybersecurity company, reported on April 8 that a group of attackers has been spreading harmful software by disguising it as Microsoft Office add-ins.
These fake tools, uploaded to the file-sharing site SourceForge, are designed to look like real Office add-ins. Inside, however, they hide malicious software called ClipBanker.
ClipBanker works by watching a computer’s clipboard. When someone copies a cryptocurrency wallet address, the malware swaps it with a different address that belongs to the attacker. If the user does not notice the change and makes a transfer, their funds go to the hacker instead.
The fake add-ins are posted on a page that looks like a normal software tool. It includes real-looking buttons and Office files, which makes it show up in search results and look trustworthy. Kaspersky says some of the files are unusually small, which can be a warning sign. Real Office add-ins are much larger, even when compressed.
The campaign also appears to focus mainly on Russian users. The interface is in Russian, and Kaspersky’s data shows that about 90% of affected users are in Russia.
Once installed, ClipBanker can send details about the device, like the IP address, country, and username, to the attacker using Telegram. The malware also checks if it has already been installed or if antivirus tools are present. If so, the malware may remove itself to avoid being detected.
In some cases, ClipBanker installs a crypto miner, which uses the victim’s device to generate digital coins for the attackers. Kaspersky warns that the access gained through this attack could be sold to others for more serious misuse.
On April 1, Kaspersky reported that discounted Android smartphones were sold with pre-installed malware called Triada.