The trend is now for malware developers to turn to legitimate hosting services to store malicious components.
A variant of the Gamarue malware is able to download additional components from the popular code repository SourceForge, researchers at Trend Micro said.
Four files were in the initial phase of the attack analyzed by Trend Micro: A shortcut file that appears to point to an external drive, a .com file, a desktop.ini file, and the main Gamarue file disguised as thumbs.db.
The shortcut file points to the .com file, which runs another executable disguised as desktop.ini. This desktop.ini file drops the main Gamarue file, detected by Trend Micro as “WORM_GAMARUE.LJG.”
When the main file ends up decrypted, it updates itself and starts downloading additional malicious components from a SourceForge project called “tradingfiles.”
The same user created two other SourceForge projects that host malicious Gamarue files: “Stanteam” and “ldjfdkladf.” Experts said new files uploaded to these projects starting June 1.
Once it infects a computer, Gamarue allows cyber criminals to take over the device and steal information from it. The malware can also launch attacks on other systems from an infected machine.
The threat spreads via removable drives and the BlackHole exploit kit.