Skip to main content
Two weeks ago we reported on a
fake SourceForge website
, which was used to distribute malware. We have since seen more of these fake sites this past week:
sourceforgebulgaria.net, registered on 05/06/2013 sourceforgesweden.net, registered on 05/06/2013 sourceforgecyprus.net, registered on 05/02/2013 sourceforgeniger.net, registered on 05/01/2013 sourceforgeestonia.net, registered on 04/26/2013 sourceforgegrenada.net, registered on 04/26/2013 sourceforgepalau.net, registered on 04/22/2013 sourceforgeecuador.net, registered on 04/21/2013 sourceforgeindiana.net, registered on 04/20/2013 sourceforgemorocco.net, registered on 04/19/2013 sourceforgemyanmar.net , registered on 04/19/2013 sourceforgeyemen.net, registered on 04/06/2013
Each domain has been registered with different WHOIS information, but with the same registrar. All of them are unreachable today (DNS does not resolve).
We were however able to obtain two malicious files found from the these websites before they went dark:
The files are very similar to the malicious files from
which we analyzed earlier. They drop and hide malicious binaries into the Recycle Bin and are detected as the ZeroAccess Trojan.
It looks like the attacker is still registering new fake SourceForge websites. I'll update this post with new domain that I uncover going forward.
Get the latest Zscaler blog updates in your inbox
Subscription confirmed. More of the latest from Zscaler, coming your way soon!