Software Productivity Tools Hijacked to Deliver Infostealers

Published: 23/11/2024   Category: security




Innocuous little Windows programs were carrying cheap malware for weeks, exposing customers of the India-based software vendor to data theft.



An India-based software company in June was inadvertently distributing information-stealing malware packaged with its primary software products.
Conceptworld Corporation sells three productivity software tools: Notezilla, a sticky notes app; RecentX, a tool for storing recently used files, folders, applications, and clipboard data; and Copywhiz, used for copying, organizing, and backing up files.
A few weeks ago, researchers from Rapid7 discovered that the installation packages associated with all three had been Trojanized, secretly carrying rudimentary infostealing malware. Rapid7 informed Conceptworld on June 24. Within 12 hours, the company had removed the malicious installers and replaced them with legitimate, signed copies.
To sneak their malware where users would download it, Conceptworld's attackers married the company's legitimate software installers with their own.
Exactly how they achieved this is not known, says Tyler McGraw, detection and response analyst for Rapid7, but they would only need the access to be able to swap files on the server hosting the downloads. This could be accomplished, for example, via exploitation of a vulnerability on the vendor's Web servers to allow for arbitrary file upload.
The resulting installer packages were unsigned, and an extremely eagle-eyed user might have noticed that what they downloaded was larger than the file size stated on the company's website (thanks to the malware and its dependencies).
Otherwise, few signs would have indicated anything was amiss. After initial execution, a user would have seen only a pop-up from the legitimate installer, not the malicious one.
The researchers named the malware at issue dllFake. In reviewing VirusTotal submissions, they discovered that while its installers have only been around since early June, dllFake appears to belong to an as-yet-unnamed malware family in the wild since at least January.
The program is capable of stealing information from cryptocurrency wallets as well as from Google Chrome and Mozilla Firefox. It can also log keystrokes and clipboard data, and download and execute further payloads.
"The implementation of the malware suggests a low level of sophistication," McGraw explains. "For example, several of the key indicators have been left in plaintext and usage of compiled executables is limited in favor of batch scripts. In fact, the only command-and-control address embedded in one of the executables (semi-obfuscated) is overwritten with those stored in a plaintext list, and thus, it is not actually used during successful execution, despite being one of the only active SFTP servers observed."
Overall, he warns, "Any software download — especially those that are freely available — should be treated with an appropriate level of suspicion until legitimacy can be determined. Besides comparing file sizes, files can also be verified in several other ways, such as signature validation and hash reputation. Many freely available sandboxes are also available for users to submit software and view its execution behavior."
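The three checks McGraw recommends (size against the vendor's stated size, Authenticode signature validation, and a hash for reputation lookup) as a single PowerShell function. This is an added example, not code from the article, Rapid7 or Conceptworld; the installer path, expected size, expected hash and signer subject are hypothetical placeholders to be replaced with the vendor's published values.

```powershell
# Added example: verify a downloaded Windows installer before running it.
# Size, hash and signer values passed in are hypothetical; use the vendor's published ones.
function Test-InstallerIntegrity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [long]   $ExpectedSizeBytes,
        [string] $ExpectedSha256,          # optional: known-good hash published by the vendor
        [string] $ExpectedSignerSubject    # optional: substring of the vendor's certificate subject
    )

    $file = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $findings = @()

    # 1. Size: the Trojanized installers were larger than the size listed on the vendor's site.
    if ($file.Length -ne $ExpectedSizeBytes) {
        $findings += "Size mismatch: on disk $($file.Length) bytes, vendor states $ExpectedSizeBytes bytes"
    }

    # 2. Signature: the Trojanized installers were unsigned. Anything other than a valid
    #    signature from the expected vendor is a red flag, not merely a warning.
    if ($sig.Status -ne 'Valid') {
        $findings += "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
    } elseif ($ExpectedSignerSubject -and $sig.SignerCertificate.Subject -notlike "*$ExpectedSignerSubject*") {
        $findings += "Signed, but by '$($sig.SignerCertificate.Subject)' rather than the expected vendor"
    }

    # 3. Hash: compare against a vendor-published SHA-256, or look the value up in a reputation service.
    if ($ExpectedSha256 -and $hash -ne $ExpectedSha256.ToUpperInvariant()) {
        $findings += "SHA-256 mismatch: $hash"
    }

    [pscustomobject]@{
        Path      = $file.FullName
        SizeBytes = $file.Length
        Sha256    = $hash
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        SigStatus = $sig.Status
        Trusted   = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# Hypothetical usage; every argument is a placeholder.
Test-InstallerIntegrity -Path 'C:\Downloads\installer.exe' -ExpectedSizeBytes 12345678 `
    -ExpectedSha256 'PLACEHOLDER_VENDOR_PUBLISHED_SHA256' -ExpectedSignerSubject 'CN=Vendor Name' |
    Format-List
```

Treat `Trusted = $False` as a reason not to run the file; the `Findings` list says which of the three checks failed.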
