Indian Software Firm's Products Hacked to Spread Data-Stealing Malware

2024-07-01 12:44:00
The Hacker News
thehackernews.com

Installers for three different software products developed by an Indian company named Conceptworld have been trojanized to distribute information-stealing malware.

The installers correspond to Notezilla, RecentX, and Copywhiz, according to cybersecurity firm Rapid7, which discovered the supply chain compromise on June 18, 2024. Conceptworld has since remediated the issue as of June 24, within 12 hours of responsible disclosure.

“The installers had been trojanized to execute information-stealing malware that has the capability to download and execute additional payloads,” the company said, adding the malicious versions had a larger file size than their legitimate counterparts.

Specifically, the malware is equipped to steal browser credentials and cryptocurrency wallet information, log clipboard contents and keystrokes, and download and execute additional payloads on infected Windows hosts. It also sets up persistence using a scheduled task to execute the main payload every three hours.

It’s currently not clear how the official domain “conceptworld[.]com” was breached to stage the counterfeit installers. However, once a counterfeit installer is launched, the user is prompted to proceed with the installation process associated with the actual software, while the installer also drops and executes a binary “dllCrt32.exe” that’s responsible for running a batch script “dllCrt.bat.”

Besides establishing persistence on the machine, it’s configured to execute another file (“dllBus32.exe”), which, in turn, establishes connections with a command-and-control (C2) server and incorporates functionality to steal sensitive data as well as retrieve and run more payloads.

This includes gathering credentials and other information from Google Chrome, Mozilla Firefox, and multiple cryptocurrency wallets (e.g., Atomic, Coinomi, Electrum, Exodus, and Guarda). It’s also capable of harvesting files matching a specific set of extensions (.txt, .doc, .png, and .jpg), logging keystrokes, and grabbing clipboard contents.

“The malicious installers observed in this case are unsigned and have a file size that is inconsistent with copies of the legitimate installer,” Rapid7 said.

Users who downloaded an installer for Notezilla, RecentX, or Copywhiz in June 2024 are advised to examine their systems for signs of compromise and take appropriate action, such as re-imaging the affected ones, to undo the nefarious modifications.
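A starting point for that examination, as an added example that is not from the article or from Rapid7: a PowerShell triage script built only on the indicators named above (unsigned installers, the three dropped file names, and a scheduled task repeating every three hours). The installer folder, the file-name matching, and the directories searched are assumptions, since the article gives no paths, task names, or hashes.

```powershell
# Added example: triage using only the indicators named in the article.
# Assumptions (not from the article): installers are in the Downloads folder with
# the product name in the file name; dropped files are searched for under the
# user profile and ProgramData because the article gives no drop path.
param([string]$InstallerDir = (Join-Path $env:USERPROFILE 'Downloads'))

$products  = 'Notezilla', 'RecentX', 'Copywhiz'
$dropNames = 'dllCrt32.exe', 'dllCrt.bat', 'dllBus32.exe'
$dropRegex = ($dropNames | ForEach-Object { [regex]::Escape($_) }) -join '|'

# 1. Installers: the trojanized copies were unsigned. The size is printed so it
#    can be compared with a known-good copy of the same version.
$installers = Get-ChildItem -Path $InstallerDir -Filter *.exe -File -ErrorAction SilentlyContinue |
    Where-Object { $name = $_.Name; $products | Where-Object { $name -like "*$_*" } } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Check = 'Installer'; Item = $_.FullName
            Detail = "Signature=$($sig.Status); Bytes=$($_.Length)"
            Flag = $sig.Status -ne 'Valid'
        }
    }

# 2. Scheduled tasks: flag actions that reference a dropped file name, and list
#    every task that repeats at a three-hour interval for manual review.
$tasks = Get-ScheduledTask | ForEach-Object {
    $task    = $_
    $cmdLine = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    $every3h = @($task.Triggers | Where-Object {
        $_.Repetition.Interval -and
        [System.Xml.XmlConvert]::ToTimeSpan($_.Repetition.Interval).TotalHours -eq 3
    }).Count -gt 0
    $named   = $cmdLine -match $dropRegex
    if ($named -or $every3h) {
        [pscustomobject]@{
            Check = 'ScheduledTask'; Item = "$($task.TaskPath)$($task.TaskName)"
            Detail = "Every3h=$every3h; Action=$cmdLine"
            Flag = $named
        }
    }
}

# 3. Files on disk that carry one of the dropped names.
$files = Get-ChildItem -Path $env:USERPROFILE, $env:ProgramData -Include $dropNames -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{ Check = 'DroppedFile'; Item = $_.FullName; Detail = "Bytes=$($_.Length)"; Flag = $true }
    }

@($installers) + @($tasks) + @($files) | Sort-Object Flag -Descending | Format-Table -AutoSize -Wrap
```

Rows with `Flag` set to `True` match an indicator from the article directly; three-hour tasks with `Flag` set to `False` are listed only so an analyst can rule them out.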
