On June 18th, 2024, Rapid7 began investigating suspicious activity in a customer’s environment, which was traced back to the installation of Notezilla, a Windows program for creating sticky notes. Alongside Notezilla, installers for RecentX and Copywhiz were also found to be trojanized. These programs, distributed by the India-based company Conceptworld, were being served from the official domain conceptworld[.]com.
Upon analysis, Rapid7 discovered that the installation packages for all three programs contained information-stealing malware capable of downloading and executing additional payloads. The malware could steal browser credentials, cryptocurrency wallet information, log clipboard contents, and keystrokes. It also persisted via a scheduled task that executed the primary payload every three hours. The trojanized installers were larger in file size than their legitimate counterparts due to the included malware.
On June 24th, 2024, Rapid7 contacted Conceptworld to disclose the backdoored installers in line with their vulnerability disclosure policy. Conceptworld responded promptly, confirming the issue within 12 hours and replacing the malicious installers with legitimate, signed versions. Rapid7 commended Conceptworld for their swift action in addressing the security breach.
The malicious installers had been available since early June 2024, as confirmed by file submissions to VirusTotal. The malware, internally referred to as dllFake by Rapid7, had been in distribution since at least January 2024. Users searching for Conceptworld software through popular search engines were likely directed to the official domain, where they unknowingly downloaded the trojanized installers.
Reference:
