Indian software company Conceptworld has had its website compromised in a supply chain attack that distributed info-stealing malware through trojanized versions of three of the company's apps: Notezilla, RecentX, and Copywhiz.
The compromise appears to have occurred in early June 2024, according to Rapid7, the cybersecurity firm that discovered the incident. Rapid7 began its investigation after detecting suspicious activity within a customer's environment.
The investigation revealed that the suspicious behavior originated from the installation of Notezilla, a desktop sticky notes application. Further analysis of the installation packages for Notezilla, RecentX, and Copywhiz confirmed that all three installers had been trojanized to execute information-stealing malware named dllFake.
The malware embedded in these installers is capable of stealing browser credentials and cryptocurrency wallet information, logging clipboard contents and keystrokes, and downloading and executing additional payloads. Once the malware infects a system, it establishes persistence by setting up a scheduled task that re-executes the primary payload every three hours.
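The three-hour scheduled task described above is a hunt-able artifact: Windows Task Scheduler stores each task as XML, and a task's repetition interval appears there as an ISO-8601 duration (`PT3H` for three hours). The following script is an added example, not code from the article or from Rapid7, that parses exported task XML, flags tasks repeating at a given interval, and notes when the executable lives outside a directory allow-list. The task names, executable paths and the `EXPECTED_PREFIXES` allow-list are constructed for illustration; the article names no file paths or task names for dllFake.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Windows Task Scheduler XML (schtasks /query /xml, Export-ScheduledTask).
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumed allow-list of directories where legitimately installed software should live.
# Placeholder: adjust to the environment being hunted.
EXPECTED_PREFIXES = (r"c:\program files", r"c:\program files (x86)", r"c:\windows\system32")

# ISO-8601 duration subset used by Task Scheduler, e.g. PT3H, PT30M, P1DT2H.
_DURATION_RE = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def duration_to_seconds(value):
    """Convert a Task Scheduler duration string such as 'PT3H' to seconds."""
    m = _DURATION_RE.match(value.strip())
    if not m:
        raise ValueError(f"unsupported duration: {value!r}")
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def parse_task(xml_text):
    """Extract repetition intervals (seconds) and Exec actions from one task's XML."""
    root = ET.fromstring(xml_text)
    intervals = [
        duration_to_seconds(el.text)
        for el in root.findall(".//t:Repetition/t:Interval", TASK_NS)
    ]
    commands = []
    for exec_el in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = exec_el.findtext("t:Command", default="", namespaces=TASK_NS)
        args = exec_el.findtext("t:Arguments", default="", namespaces=TASK_NS)
        commands.append((cmd.strip().strip('"'), args.strip()))
    return {"intervals": intervals, "commands": commands}


def scan_tasks(tasks_xml, interval_seconds=3 * 3600):
    """Return [(task_name, reasons)] for tasks that repeat at interval_seconds.

    An executable outside EXPECTED_PREFIXES (including %APPDATA%-style paths,
    which never match the allow-list) is recorded as an extra reason.
    """
    hits = []
    for name, xml_text in tasks_xml.items():
        task = parse_task(xml_text)
        if interval_seconds not in task["intervals"]:
            continue
        reasons = [f"repeats every {interval_seconds // 3600}h"]
        for cmd, args in task["commands"]:
            if not cmd.lower().startswith(EXPECTED_PREFIXES):
                reasons.append(f"executable outside allow-list: {cmd} {args}".rstrip())
        hits.append((name, reasons))
    return hits


# Constructed sample tasks (not real artifacts from the incident).
SAMPLE_TASKS = {
    "ConstructedBenign": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Windows\System32\wsqmcons.exe</Command></Exec>
  </Actions>
</Task>""",
    "ConstructedSuspicious": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <Repetition><Interval>PT3H</Interval><Duration>P1D</Duration></Repetition>
      <StartBoundary>2024-06-03T09:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\example\AppData\Roaming\placeholder\payload.exe</Command>
      <Arguments>--silent</Arguments>
    </Exec>
  </Actions>
</Task>""",
}

if __name__ == "__main__":
    for task_name, reasons in scan_tasks(SAMPLE_TASKS):
        print(task_name)
        for r in reasons:
            print("  -", r)
```

On a live host, the per-task XML can be obtained with `Export-ScheduledTask -TaskName <name>` in PowerShell (or `schtasks /query /xml`) and fed to `scan_tasks`; the interval is a parameter so the same routine serves other periodic persistence patterns.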
VirusTotal submissions indicate that these malicious installers have been circulating since early June 2024. The dllFake malware family has reportedly been in distribution since at least January 2024.
On June 24, 2024, Rapid7 reached out to Conceptworld to disclose the presence of the backdoored installers. Conceptworld confirmed the issue within 12 hours and replaced the compromised installers with legitimate, signed versions.