Software Productivity Tools Hijacked to Deliver Infostealers

An India-based software company in June was inadvertently distributing information-stealing malware packaged with its primary software products.

Conceptworld Corporation sells three auto-logical software tools: Notezilla, a sticky notes app; RecentX, a tool for storing recently used files, folders, applications, and clipboard data; and Copywhiz, used for copying, organizing, and backing up files.

A few weeks ago, researchers from Rapid7 discovered that the installation packages associated with all three had been Trojanized, secretly carrying rudimentary infostealing malware. Rapid7 informed Conceptworld on June 24. Within 12 hours, the company had removed the malicious installers and replaced them with legitimate, signed copies.

Hijacking Software Installers

To sneak their malware where users would download it, Conceptworld's attackers married the company's legitimate software installers with their own.

Exactly how they achieved this is not known, says Tyler McGraw, detection and response analyst for Rapid7, but "they would only need the access to be able to swap files on the server hosting the downloads. This could be accomplished, for example, via exploitation of a vulnerability on the vendor's Web servers to allow for arbitrary file upload."

The resulting installer packages were unsigned, and an extremely eagle-eyed user might have noticed that what they downloaded was larger than the file size as stated on the company's website (thanks to the malware and its dependencies).

Otherwise, few signs would have indicated anything was amiss. After initial execution, a user would have seen only a pop-up from the legitimate installer, not the malicious one.

dllFake

The researchers named the malware at issue "dllFake." In reviewing VirusTotal submissions, they discovered that while its installers have only been around since early June, dllFake appears to belong to an as-yet-unnamed malware family in the wild since at least January.

The program is capable of stealing information from cryptocurrency wallets as well as from Google Chrome and Mozilla Firefox. It can also log keystrokes and clipboard data, and download and execute further payloads.

"The implementation of the malware suggests a low level of sophistication," McGraw explains. "For example, several of the key indicators have been left in plaintext and usage of compiled executables is limited in favor of batch scripts. In fact, the only command-and-control address embedded in one of the executables (semi-obfuscated) is overwritten with those stored in a plaintext list, and thus, it is not actually used during successful execution, despite being one of the only active SFTP servers observed."

Overall, he warns, "Any software download — especially those that are freely available — should be treated with an appropriate level of suspicion until legitimacy can be determined. Besides comparing file sizes, files can also be verified in several other ways, such as signature validation and hash reputation. Many freely available sandboxes are also available for users to submit software and view its execution behavior."