Three SourceForge projects that store Gamarue components have been spotted

Jun 12, 2013 07:35 GMT

More and more malware developers are turning to legitimate hosting services to store malicious components. According to experts, a variant of the Gamarue malware is designed to download additional components from the popular code repository SourceForge.

Four files have been identified in the initial phase of the attack analyzed by Trend Micro: a shortcut file that appears to point to an external drive, a .com file, a desktop.ini file, and the main Gamarue file disguised as thumbs.db.

The shortcut file points to the .com file, which runs another executable disguised as desktop.ini. This desktop.ini file drops the main Gamarue file, detected by Trend Micro as “WORM_GAMARUE.LJG.”
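The four-file layout described above can be triaged on a removable drive by comparing file names against file headers. The following is an added example, not code from Trend Micro or the original article. It assumes that a genuine desktop.ini is a text file, that a genuine Thumbs.db starts with the OLE2 compound-file header, and that the encrypted main file does not. The sample file names and contents are constructed.

```python
import os
import tempfile

MZ = b"MZ"                                # header of a DOS/PE executable
OLE2 = bytes.fromhex("d0cf11e0a1b11ae1")  # header of a genuine (OLE2) Thumbs.db

def _magic(path, n=8):
    with open(path, "rb") as f:
        return f.read(n)

def triage_drive_root(root):
    """Flag the file-name masquerades described in the article on a drive root."""
    findings = {}
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            continue
        lower, magic = name.lower(), _magic(path)
        if lower == "desktop.ini" and magic.startswith(MZ):
            findings[name] = "executable disguised as desktop.ini"
        elif lower == "thumbs.db" and not magic.startswith(OLE2):
            findings[name] = "thumbs.db is not an OLE2 thumbnail cache"
        elif lower.endswith((".lnk", ".com")):
            findings[name] = "launcher candidate on drive root, review its target"
    return findings

def matches_chain(findings):
    """True when all four roles from the article are present together."""
    kinds = {os.path.splitext(n.lower())[1] for n in findings}
    return {".lnk", ".com", ".ini", ".db"} <= kinds

def build_sample(root, infected=True):
    """Write constructed sample files (no real malware content) into root."""
    files = {
        "desktop.ini": b"MZ\x90\x00constructed" if infected
                       else b"[.ShellClassInfo]\r\n",
        "Thumbs.db": b"\x8f\x11\x22\x33constructed" if infected
                     else OLE2 + b"\x00" * 8,
    }
    if infected:  # hypothetical names for the shortcut and the .com launcher
        files["Removable Disk (4GB).lnk"] = b"L\x00\x00\x00constructed"
        files["~tmp.com"] = b"MZconstructed"
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        for name, why in triage_drive_root(d).items():
            print(f"{name}: {why}")
```

A hit from `matches_chain` is a triage signal only: an empty or newer-format thumbnail cache would also fail the OLE2 check, so confirm with an antivirus scan before acting on it.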

When the main file is decrypted, it updates itself and starts downloading additional malicious components from a SourceForge project called “tradingfiles.”

The same user has created two other SourceForge projects that host malicious Gamarue files: “stanteam” and “ldjfdkladf.” Experts say that new files have been uploaded to these projects since June 1.

Once it infects a computer, Gamarue allows cybercriminals to take over the device and steal information from it. The malware can also be utilized to launch attacks on other systems from an infected machine.

The threat spreads via removable drives and the notorious BlackHole exploit kit.