Installers for three different software products developed by an Indian company named Conceptworld have been trojanized to distribute information-stealing malware.
The installers correspond to Notezilla, RecentX, and Copywhiz, according to cybersecurity firm Rapid7, which discovered the supply chain compromise on June 18, 2024. The issue has since been remediated by Conceptworld as of June 24 within 12 hours of responsible disclosure.
“The installers had been trojanized to execute information-stealing malware that has the capability to download and execute additional payloads,” the company said, adding the malicious versions had a larger file size than their legitimate counterparts.
Specifically, the malware is equipped to steal browser credentials and cryptocurrency wallet information, log clipboard contents and keystrokes, and download and execute additional payloads on infected Windows hosts. It also sets up persistence using a scheduled task to execute the main payload every three hours.
It’s currently not clear how the official domain “conceptworld[.]com” was breached to stage the counterfeit installers. However, once launched, the user is prompted to proceed with the installation process associated with the actual software, while it’s also designed to drop and execute a binary “dllCrt32.exe” that’s responsible for running a batch script “dllCrt.bat.”
Besides establishing persistence on the machine, it’s configured to execute another file (“dllBus32.exe”), which, in turn, establishes connections with a command-and-control (C2) server and incorporates functionality to steal sensitive data as well as retrieve and run more payloads.
This includes gathering credentials and other information from Google Chrome, Mozilla Firefox, and multiple cryptocurrency wallets (e.g., Atomic, Coinomi, Electrum, Exodus, and Guarda). It’s also capable of harvesting files matching a specific set of extensions (.txt, .doc, .png, and .jpg), logging keystrokes, and grabbing clipboard contents.
“The malicious installers observed in this case are unsigned and have a file size that is inconsistent with copies of the legitimate installer,” Rapid7 said.
Users who have downloaded an installer for Notezilla, RecentX, or Copywhiz in June 2024 are recommended to examine their systems for signs of compromise and take appropriate action – such as re-imaging the affected ones – to undo the nefarious modifications.