Indian Software Firm's Products Hacked to Spread Data-Stealing Malware

In a recent cybersecurity breach, three popular software products from the Indian firm Conceptworld—Notezilla, RecentX, and Copywhiz—were compromised to distribute data-stealing malware. Cybersecurity firm Rapid7 discovered the supply chain compromise on June 18, 2024, and Conceptworld quickly remediated the issue by June 24, within 12 hours of the responsible disclosure.

The Nature of the Compromise

Rapid7 reported that the installers for these applications were trojanized to execute information-stealing malware capable of downloading and executing additional payloads. The malicious versions of the installers were notably larger in file size compared to their legitimate counterparts, which was one of the key indicators of the compromise.

The Capabilities of the Malware

The malware embedded in the trojanized installers has extensive capabilities to steal sensitive data and maintain persistence on infected systems. Specifically, it can:

  • Steal Browser Credentials and Cryptocurrency Wallet Information: The malware targets browsers and cryptocurrency wallets, including Google Chrome, Mozilla Firefox, Atomic, Coinomi, Electrum, Exodus, and Guarda.
  • Log Clipboard Contents and Keystrokes: It monitors and logs everything copied to the clipboard and keystrokes, potentially capturing passwords, personal information, and other sensitive data.
  • Download and Execute Additional Payloads: The malware can download additional malicious software from a command-and-control (C2) server, further compromising the infected system.
  • Establish Persistence: It sets up a scheduled task to execute the main payload every three hours, ensuring it remains active on the system.

How the Malware Works

Once the trojanized installer is launched, the user is prompted to proceed with the installation process of the actual software. During this process, a malicious binary named "dllCrt32.exe" is executed, which runs a batch script "dllCrt.bat." This script is responsible for establishing persistence and executing another file, "dllBus32.exe," which connects to a C2 server and starts stealing data.

The malware gathers credentials from browsers and cryptocurrency wallets, harvests files with specific extensions (.txt, .doc, .png, and .jpg), logs keystrokes, and grabs clipboard contents. This comprehensive data-stealing operation can have severe consequences for affected users, leading to potential financial losses and identity theft.
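The persistence mechanism described above (a scheduled task that re-runs the payload every three hours, chained through dllCrt32.exe, dllCrt.bat and dllBus32.exe) is something a defender can sweep for with a scheduled-task export. The following Python script is an added example, not code from Rapid7 or Conceptworld: it parses a `schtasks /query /v /fo CSV` export and flags tasks that either reference one of the named binaries or repeat on the three-hour cadence. The sample export is constructed, the task names and paths in it are invented, and the column names (`TaskName`, `Task To Run`, `Repeat: Every`) are assumed to be the ones schtasks emits in its verbose CSV output.

```python
import csv
import io
import re
from typing import Dict, List, Optional

# Artifact names taken from the write-up above (lower-cased for matching).
SUSPICIOUS_BINARIES = ("dllcrt32.exe", "dllcrt.bat", "dllbus32.exe")
# Persistence interval described above: the main payload runs every three hours.
SUSPICIOUS_REPEAT_HOURS = 3.0

# Constructed sample of a `schtasks /query /v /fo CSV` export, reduced to the
# columns this triage uses. All task names and paths here are invented.
SAMPLE_EXPORT = r'''"HostName","TaskName","Task To Run","Schedule Type","Repeat: Every"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -k -g -$","Weekly","N/A"
"WS01","\Vendor\TelemetryUpload","C:\Program Files\Vendor\upload.exe","Daily","1 Hour(s), 0 Minute(s)"
"WS01","\SystemUpdateCheck","C:\Users\Public\dllBus32.exe","Daily","3 Hour(s), 0 Minute(s)"
'''


def parse_schtasks_csv(text: str) -> List[Dict[str, str]]:
    """Parse the verbose CSV export. schtasks can repeat the header row before
    each task folder, so rows whose TaskName is literally "TaskName" are dropped."""
    reader = csv.DictReader(io.StringIO(text))
    return [row for row in reader if row.get("TaskName") != "TaskName"]


def repeat_hours(value: Optional[str]) -> Optional[float]:
    """Convert a 'Repeat: Every' value such as '3 Hour(s), 0 Minute(s)' into
    hours; 'N/A', 'Disabled' and empty values mean the task does not repeat."""
    if not value or value.strip() in ("N/A", "Disabled"):
        return None
    hours = re.search(r"(\d+)\s*Hour", value)
    minutes = re.search(r"(\d+)\s*Minute", value)
    total = 0.0
    if hours:
        total += int(hours.group(1))
    if minutes:
        total += int(minutes.group(1)) / 60.0
    return total


def triage_tasks(rows: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Flag tasks that invoke one of the named binaries or repeat on the
    three-hour cadence. The interval alone is a weak signal (legitimate
    tasks use it too), so each finding carries its reasons for an analyst."""
    findings = []
    for row in rows:
        command = (row.get("Task To Run") or "").lower()
        reasons = [f"references {b}" for b in SUSPICIOUS_BINARIES if b in command]
        if repeat_hours(row.get("Repeat: Every")) == SUSPICIOUS_REPEAT_HOURS:
            reasons.append("repeats every 3 hours")
        if reasons:
            findings.append({
                "task": row.get("TaskName"),
                "command": row.get("Task To Run"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in triage_tasks(parse_schtasks_csv(SAMPLE_EXPORT)):
        print(finding["task"], "->", finding["command"], "|", "; ".join(finding["reasons"]))
```

On a live host, pipe the real export in with `schtasks /query /v /fo CSV > tasks.csv` and pass the file contents to `parse_schtasks_csv`; a task that matches on both the binary name and the interval is a strong indicator, while an interval-only hit is just a lead to review.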

Response and Recommendations

Conceptworld responded swiftly to the breach, remediating the issue within 12 hours of responsible disclosure. However, users who downloaded the installers for Notezilla, RecentX, or Copywhiz in June 2024 should take immediate action to check their systems for signs of compromise.

Steps to Take:

  1. Check for Signs of Compromise: Look for unexpected behavior, larger installer file sizes, and any unusual scheduled tasks.
  2. Re-image Affected Systems: If compromised, re-image the affected systems to remove any malicious software completely.
  3. Change Passwords: Change passwords for any accounts that may have been compromised, especially for browsers and cryptocurrency wallets.
  4. Use Security Software: Run a comprehensive scan using reputable security software to detect and remove any remaining malware.
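Step 1 above points to the larger installer size as an indicator; the more reliable version of that check is to compare a downloaded installer's SHA-256 and size against values published by the vendor before running it. The script below is an added example, not Conceptworld's or Rapid7's tooling. It assumes the vendor publishes a checksum and size for each release (placeholders here); the "genuine" and "tampered" files in `demo()` are constructed in a temporary directory and are not real installers.

```python
import hashlib
import os
import tempfile
from typing import List, Tuple


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large installers need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_installer(path: str, expected_sha256: str, expected_size: int) -> Tuple[bool, List[str]]:
    """Return (ok, reasons). The size check mirrors the indicator in the
    write-up above (trojanized installers were larger than the genuine ones);
    the hash comparison is the authoritative test, since a build can be
    tampered with without growing."""
    reasons = []
    actual_size = os.path.getsize(path)
    if actual_size > expected_size:
        reasons.append(f"size {actual_size} exceeds expected {expected_size} "
                       f"by {actual_size - expected_size} bytes")
    elif actual_size < expected_size:
        reasons.append(f"size {actual_size} is smaller than expected {expected_size}")
    actual_hash = sha256_of_file(path)
    if actual_hash != expected_sha256.lower():
        reasons.append(f"sha256 mismatch: got {actual_hash}, expected {expected_sha256}")
    return (not reasons, reasons)


def demo() -> Tuple[bool, bool, List[str]]:
    """Constructed scenario: a stand-in 'genuine' installer supplies the
    reference hash and size (standing in for vendor-published values), then
    a copy with extra bytes appended plays the trojanized build."""
    with tempfile.TemporaryDirectory() as workdir:
        genuine = os.path.join(workdir, "installer.exe")
        with open(genuine, "wb") as fh:
            fh.write(b"MZ" + bytes(range(256)) * 16)  # constructed bytes, not a real PE
        reference_hash = sha256_of_file(genuine)
        reference_size = os.path.getsize(genuine)

        tampered = os.path.join(workdir, "installer_tampered.exe")
        with open(genuine, "rb") as src, open(tampered, "wb") as dst:
            dst.write(src.read() + b"<constructed extra payload bytes>")

        genuine_ok, _ = verify_installer(genuine, reference_hash, reference_size)
        tampered_ok, reasons = verify_installer(tampered, reference_hash, reference_size)
    return genuine_ok, tampered_ok, reasons


if __name__ == "__main__":
    ok_genuine, ok_tampered, why = demo()
    print("genuine:", ok_genuine, "| tampered:", ok_tampered)
    for line in why:
        print(" -", line)
```

For a real download, call `verify_installer` with the path of the file and the hash and size taken from the vendor's release page, and do not run the installer if the function returns anything but `(True, [])`.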

This incident highlights the growing threat of supply chain attacks in the software industry. It is crucial for both software vendors and users to remain vigilant and take proactive measures to ensure the integrity and security of their systems. By following best practices for cybersecurity and staying informed about potential threats, users can protect themselves from similar attacks in the future.

For more detailed information about the breach and how to protect your systems, you can refer to the official reports by Rapid7 and Conceptworld.

Stay safe and secure online!