Installers for three different software products developed by Indian company Conceptworld have been trojanized to spread information-stealing malware.
The affected products are Notezilla, RecentX, and Copywhiz, according to cybersecurity firm Rapid7, which discovered the supply chain compromise on June 18, 2024. Conceptworld remediated the issue on June 24, within 12 hours of responsible disclosure.
“The installers have been trojanized to run malware that steals information and has the ability to download and run additional payloads,” the company said in a statement, adding that the malicious versions have a larger file size than their legitimate counterparts.
Specifically, the malware is designed to steal browser credentials and cryptocurrency wallet information, log clipboard contents and keystrokes, and download and execute additional payloads on infected Windows hosts. It also configures persistence with a scheduled task to run the main payload every three hours.
It is currently unclear how the official domain “conceptworld(.)com” was compromised to host the trojanized installers. Once launched, the installer prompts the user to proceed with the installation of the genuine software, while it also drops and executes the “dllCrt32.exe” binary, which is responsible for running the “dllCrt.bat” batch script.
In addition to establishing persistence on the machine, it is configured to execute another file (“dllBus32.exe”), which in turn establishes a connection to the command-and-control (C2) server and includes functionality to steal sensitive data as well as to receive and launch more payloads.
This includes collecting credentials and other information from Google Chrome, Mozilla Firefox, and several cryptocurrency wallets (such as Atomic, Coinomi, Electrum, Exodus, and Guarda). It is also capable of collecting files matching a specific set of extensions (.txt, .doc, .png, and .jpg), logging keystrokes, and capturing clipboard contents.
“The malicious installers observed in this case are unsigned and have a file size that does not match the legitimate installer copies,” Rapid7 said.
Users who downloaded the installer for Notezilla, RecentX, or Copywhiz in June 2024 are advised to check their systems for signs of compromise and take appropriate remediation steps, such as re-imaging affected machines, to undo the malicious modifications.
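One concrete check that follows from the persistence described above (a scheduled task firing every three hours, and the dropped files dllCrt32.exe, dllCrt.bat and dllBus32.exe) is to hunt the host's Task Scheduler definitions for either indicator. The script below is an added example written for this page, not code from Rapid7 or Conceptworld. It parses the XML task definitions Windows keeps under C:\Windows\System32\Tasks (or the output of `schtasks /query /tn <name> /xml`) and flags tasks whose action references one of the named files or whose repetition interval is PT3H, the ISO 8601 form of "every three hours". The task name, the drop path under %ProgramData% and both sample tasks are constructed for the demo and are assumptions, not indicators from the write-up.

```python
"""Hunt Task Scheduler definitions for the three-hour persistence task.

Task definitions are XML: live copies sit under C:\\Windows\\System32\\Tasks
(UTF-16 with a byte-order mark) and `schtasks /query /tn <name> /xml` prints one.
"""
import os
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# File names called out in the Rapid7 write-up (matched case-insensitively).
DROPPED_BINARIES = ("dllcrt32.exe", "dllcrt.bat", "dllbus32.exe")

# The write-up describes a task repeating every three hours; in task XML that
# is an ISO 8601 duration inside <Repetition><Interval>.
SUSPECT_INTERVAL = "PT3H"

_PROLOG = re.compile(r"^\s*<\?xml[^>]*\?>")


def load_task_xml(path):
    """Read a task file, honouring the UTF-16 encoding Windows uses for them."""
    raw = open(path, "rb").read()
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")
    return raw.decode("utf-8", "replace")


def parse_task(xml_text):
    """Extract (command, arguments) pairs and repetition intervals from task XML."""
    # Strip the prolog so a UTF-16 declaration cannot conflict with the str input.
    root = ET.fromstring(_PROLOG.sub("", xml_text, count=1))
    actions = []
    for exec_el in root.iterfind(".//t:Actions/t:Exec", NS):
        cmd = exec_el.findtext("t:Command", default="", namespaces=NS)
        args = exec_el.findtext("t:Arguments", default="", namespaces=NS)
        actions.append((cmd.strip(), args.strip()))
    intervals = [el.text.strip()
                 for el in root.iterfind(".//t:Repetition/t:Interval", NS) if el.text]
    return {"actions": actions, "intervals": intervals}


def flag_task(task):
    """Return the reasons a parsed task is suspicious (empty list if none)."""
    reasons = []
    for cmd, args in task["actions"]:
        target = f"{cmd} {args}".lower()
        for name in DROPPED_BINARIES:
            if name in target:
                reasons.append(f"action references {name}")
    if SUSPECT_INTERVAL in task["intervals"]:
        reasons.append(f"repetition interval {SUSPECT_INTERVAL}")
    return reasons


def scan_task_dir(root_dir):
    """Walk a copied Tasks directory; return {relative path: reasons} for flagged tasks."""
    hits = {}
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                reasons = flag_task(parse_task(load_task_xml(path)))
            except ET.ParseError:
                continue  # not a task definition
            if reasons:
                hits[os.path.relpath(path, root_dir)] = reasons
    return hits


# Constructed sample (not a real capture): a task shaped like the described
# persistence. The drop path under %ProgramData% is an assumption.
SAMPLE_SUSPECT = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT3H</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2024-06-18T10:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\ProgramData\\Update\\dllBus32.exe</Command>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign task for contrast: daily, no repetition, ordinary command.
SAMPLE_BENIGN = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2024-01-01T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>%SystemRoot%\\system32\\cleanmgr.exe</Command>
      <Arguments>/autoclean</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for label, xml in (("suspect", SAMPLE_SUSPECT), ("benign", SAMPLE_BENIGN)):
        print(label, flag_task(parse_task(xml)) or "clean")
```

Run `scan_task_dir()` against a copy of the Tasks directory taken from the host (or a triage image) rather than trusting the live Task Scheduler UI, which a running implant could tamper with. The interval match on its own is weak evidence, since legitimate software also schedules three-hourly jobs, so treat it as a lead to pivot on the action's path; a hit on one of the named files is the stronger signal. For the installer itself, the matching check on Windows is `Get-AuthenticodeSignature` in PowerShell, which should report a valid signature for a genuine installer; the write-up notes the malicious copies were unsigned and of a different size.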