Indian Software Company’s Products Compromised to Spread Data-Collecting Malware
Installers for three distinct software products developed by an Indian company named Conceptworld were trojanized to distribute information-stealing malware.
The affected installers are those for Notezilla, RecentX, and Copywhiz, according to cybersecurity company Rapid7, which detected the supply chain compromise on June 18, 2024. Conceptworld subsequently fixed the problem as of June 24, within 12 hours of responsible disclosure.
“The installers had been corrupted to run data-gathering malware with the ability to download and execute additional payloads,” the company stated, noting that the counterfeit versions had a larger file size than their legitimate equivalents.
Specifically, the malware is built to steal browser credentials and cryptocurrency wallet details, record clipboard contents and keystrokes, and download and execute additional payloads on compromised Windows systems. It also establishes persistence by using a scheduled task to run the main payload every three hours.
It’s presently unclear how the official domain “conceptworld[.]com” was breached to serve the trojanized installers. Nonetheless, once run, the installer prompts the user to proceed with the installation of the legitimate software, while also dropping and executing a binary, “dllCrt32.exe,” that is responsible for running a batch script, “dllCrt.bat.”
Aside from establishing persistence on the device, the batch script is set up to execute another file (“dllBus32.exe”), which, in turn, connects to a command-and-control (C2) server and implements the functionality to steal confidential data and fetch and execute more payloads.
This includes collecting credentials and other data from Google Chrome, Mozilla Firefox, and various cryptocurrency wallets (e.g., Atomic, Coinomi, Electrum, Exodus, and Guarda). It is also capable of gathering files with specific extensions (.txt, .doc, .png, and .jpg), logging keystrokes, and retrieving clipboard contents.
“The malicious installers observed in this instance lack signatures and possess a file size that deviates from copies of the genuine installer,” Rapid7 highlighted.
Users who have run an installer for Notezilla, RecentX, or Copywhiz in June 2024 are advised to inspect their systems for signs of compromise and take necessary actions – such as re-imaging affected machines – to reverse the malicious modifications.
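As an added triage example (not code from Rapid7 or Conceptworld), the PowerShell script below checks a Windows host for the three indicators the report gives: an unsigned installer with an unexpected file size, the dropped file names “dllCrt32.exe,” “dllCrt.bat,” and “dllBus32.exe,” and a scheduled task that repeats every three hours or launches one of those names. The installer paths and the directories searched for dropped files are assumptions (the report does not state where the files are written), so adjust them to the host being examined.

```powershell
# Added example for defenders triaging a host after running a Conceptworld installer
# in June 2024. Not Rapid7's or Conceptworld's code.
# Assumptions: $InstallerPaths are placeholders for the downloaded installers;
# $searchRoots are assumed drop locations, since the report only names the files.
param(
    [string[]]$InstallerPaths = @("$env:USERPROFILE\Downloads\NotezillaSetup.exe")  # placeholder path
)

$droppedNames = @('dllCrt32.exe', 'dllCrt.bat', 'dllBus32.exe')   # file names from the report
$searchRoots  = @($env:LOCALAPPDATA, $env:APPDATA, $env:TEMP, $env:ProgramData)  # assumed locations

# 1. Installer checks: the report says the malicious copies are unsigned and larger
#    than the genuine installer, so an invalid/unsigned status is the first red flag.
foreach ($p in $InstallerPaths) {
    if (-not (Test-Path $p)) { Write-Output "MISSING     $p"; continue }
    $sig  = Get-AuthenticodeSignature -FilePath $p
    $size = (Get-Item $p).Length
    Write-Output ("{0,-12} {1,14:N0} bytes  {2}" -f $sig.Status, $size, $p)
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Unsigned or invalid signature: $p - compare its size against a known-good copy from the vendor"
    }
}

# 2. Dropped binaries named in the report, searched under the assumed roots.
foreach ($root in $searchRoots) {
    if (-not $root -or -not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -Force -Include $droppedNames -ErrorAction SilentlyContinue |
        ForEach-Object { Write-Warning "Dropped-file name match: $($_.FullName)" }
}

# 3. Persistence: the report describes a scheduled task running the payload every
#    three hours. Flag tasks with a PT3H repetition interval or an action that
#    references one of the dropped file names.
Get-ScheduledTask | ForEach-Object {
    $task      = $_
    $actions   = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' '
    $intervals = @($task.Triggers | ForEach-Object { $_.Repetition.Interval } | Where-Object { $_ })
    $nameHits  = @($droppedNames | Where-Object { $actions -match [regex]::Escape($_) })
    if ($nameHits.Count -gt 0 -or $intervals -contains 'PT3H') {
        Write-Warning ("Suspicious task '{0}' in {1}: action='{2}' repetition={3}" -f
            $task.TaskName, $task.TaskPath, $actions, ($intervals -join ','))
    }
}
```

Run it from an elevated PowerShell session so that Get-ScheduledTask and the directory walk can see every task and folder. A hit on any of the three checks is a reason to take the machine offline and follow the re-imaging advice above rather than to clean it in place, since the payload can fetch further components that this script does not look for.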