Analysis Summary

Three separate software product installers from an Indian company have been compromised to spread malware that steals personal information.

The supply chain compromise was found on June 18, 2024, by cybersecurity researchers and the installers match Notezilla, RecentX, and Copywhiz. As of June 24, the company has fixed the issue after a responsible 12-hour disclosure. The installers were compromised by trojanized software that can download and run more payloads in addition to information-stealing malware. According to the firm, the infected versions were greater in file size than the legitimate versions.

In particular, the malware can record keystrokes and clipboard contents, download and run additional payloads on compromised Windows PCs, and steal browser credentials and cryptocurrency wallet information. Additionally, it establishes persistence by executing the main payload every three hours through a scheduled task.

At this point, it's unclear how the fake installers were staged after the company's official site was compromised. When the software is opened, however, it prompts the user to continue with the software installation procedure. Additionally, it is intended to drop and run a binary called "dllCrt32.exe" that is in charge of executing a batch script called "dllCrt.bat."

In addition to being set up to persist on the system, it is programmed to run a different file ("dllBus32.exe") that connects to a command-and-control (C2) server and includes the ability to retrieve and execute other payloads in addition to stealing confidential information. This entails obtaining login passwords and additional data from various cryptocurrency wallets (such as Atomic, Coinomi, Electrum, Exodus, and Guarda) as well as Mozilla Firefox and Google Chrome. It can also record keystrokes, take screenshots, and collect files with a particular set of extensions (.txt, .doc, .png, and .jpg).

In this instance, the malicious installers were found to be unsigned and to have files that differ in size from those of the genuine installation. It is advised that users who downloaded an installation for Notezilla, RecentX, or Copywhiz in June 2024 check their systems for indicators of compromise and take the necessary steps to reverse the malicious changes, such as re-imaging the compromised computers.

Impact

• Sensitive Data Theft
• Unauthorized Access
• Cryptocurrency Theft
• Keylogging

Indicators of Compromise

SHA1

• 33865d7efbb75c69b296e1fc3cfc31f440d7b15d
• d5bac4f5440801b6d9d52c3431c5d4f2d568ec1b
• 8c21f78e8e1ce2b3b1f3f49ec6723bfc44257768
• 76922473c0778b4d550da93f70bb1c15efb9c6a0
• abe8bf66368364edce4fef9c7db4a3dcb93881b4
• ab02b62fe582cb476630289adfe3e5ca74458a5e
• a744d075d6977a343e0f493afc0eacd2475ae4e6
• 4d80c628dce8bf0fbe2bb4f84944dbdfd80b63cb
• 55fb8dd0a5762600f0b6a3c39fb497da3572e3c8
• 724abc4ff27ab70064f14cdb72b497dfe8c98354
• 9fc0a10aeed23c1130119734e641cfe0763f855e
• 5f45702c0bcb1fa22d48e5f4f47bac45b13e1093

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Regularly change passwords for all accounts and use strong, unique passwords for sensitive accounts.
• Implement multi-factor authentication (MFA) on all accounts to add an extra layer of security to login processes.
• Consider the use of phishing-resistant authenticators to further enhance security. These types of authenticators are designed to resist phishing attempts and provide additional protection against social engineering attacks.
• Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
• Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
• Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
• Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
• Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
• Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
• Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
• Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.
• Never trust or open links and attachments received from unknown sources/senders.