Indian Software Firm's Product Installers Tampered With to Distribute Malware

admin, 2 July 2024 15:01:25

Installers for three different software products developed by an Indian company named Conceptworld have been trojanized to distribute information-stealing malware.

The installers correspond to Notezilla, RecentX, and Copywhiz, according to cybersecurity firm Rapid7, which discovered the supply chain compromise on June 18, 2024. The issue has since been remediated by Conceptworld as of June 24 within 12 hours of responsible disclosure.

"The installers had been trojanized to execute information-stealing malware that has the capability to download and execute additional payloads," the company said, adding the malicious versions had a larger file size than their legitimate counterparts.

Specifically, the malware is equipped to steal browser credentials and cryptocurrency wallet information, log clipboard contents and keystrokes, and download and execute additional payloads on infected Windows hosts. It also sets up persistence using a scheduled task to execute the main payload every three hours.

It's currently not clear how the official domain "conceptworld[.]com" was breached to stage the counterfeit installers. However, once launched, the user is prompted to proceed with the installation process associated with the actual software, while it's also designed to drop and execute a binary "dllCrt32.exe" that's responsible for running a batch script "dllCrt.bat."

Besides establishing persistence on the machine, it's configured to execute another file ("dllBus32.exe"), which, in turn, establishes connections with a command-and-control (C2) server and incorporates functionality to steal sensitive data as well as retrieve and run more payloads.

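The persistence mechanism described above (a scheduled task that fires every three hours, together with the dropped file names dllCrt32.exe, dllCrt.bat and dllBus32.exe) gives a defender something concrete to hunt for. The Python below is an added example written for this page, not code from the article or from Rapid7: it parses Task Scheduler's XML task definitions and flags any task whose action runs one of the reported file names or whose trigger repeats every three hours. The two task definitions are constructed samples, and the task names and paths in them are invented for the demonstration.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Task Scheduler's XML namespace (fixed by the task file format itself).
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# File names Rapid7 reported being dropped by the trojanized installers.
DROPPED_FILE_NAMES = {"dllcrt32.exe", "dllcrt.bat", "dllbus32.exe"}

# The reported persistence task re-runs the payload every three hours.
SUSPICIOUS_REPEAT_HOURS = 3.0


@dataclass
class Finding:
    task_name: str
    reasons: list = field(default_factory=list)


def iso_duration_hours(interval):
    """Convert the ISO-8601 duration subset Task Scheduler writes (PnDTnHnMnS) to hours."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", interval.strip())
    if not m:
        return None
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return days * 24 + hours + minutes / 60 + seconds / 3600


def _basename(command):
    """Basename of an Exec/Command value, tolerating quotes and either slash style."""
    return re.split(r"[\\/]", command.strip().strip('"'))[-1].lower()


def analyse_task(task_name, task_xml):
    """Flag a task whose action runs a reported dropped file or whose trigger repeats every 3 hours."""
    root = ET.fromstring(task_xml)
    finding = Finding(task_name)
    for cmd in root.findall(".//t:Actions/t:Exec/t:Command", TASK_NS):
        name = _basename(cmd.text or "")
        if name in DROPPED_FILE_NAMES:
            finding.reasons.append(f"action executes reported dropped file {name}")
    for interval in root.findall(".//t:Repetition/t:Interval", TASK_NS):
        if iso_duration_hours(interval.text or "") == SUSPICIOUS_REPEAT_HOURS:
            finding.reasons.append("trigger repeats every 3 hours, matching the reported persistence cadence")
    return finding


def hunt_tasks(tasks):
    """Run analyse_task over a {task_name: xml_text} mapping; return tasks with at least one reason."""
    findings = []
    for name, xml_text in tasks.items():
        finding = analyse_task(name, xml_text)
        if finding.reasons:
            findings.append(finding)
    return findings


# Constructed sample task definitions (invented for this example, not artefacts from the incident).
SAMPLE_TASKS = {
    r"\Example\UpdaterCheck": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2024-06-01T03:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>"C:\Program Files\Example\updater.exe"</Command>
    <Arguments>/quiet</Arguments></Exec></Actions>
</Task>""",
    r"\dllCrtUpdate": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT3H</Interval></Repetition>
    <StartBoundary>2024-06-18T10:00:00</StartBoundary><Enabled>true</Enabled></TimeTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>C:\Users\Public\dllCrt32.exe</Command></Exec></Actions>
</Task>""",
}

if __name__ == "__main__":
    for f in hunt_tasks(SAMPLE_TASKS):
        print(f.task_name)
        for reason in f.reasons:
            print("  -", reason)
```

On a live host the task definitions are the XML files under C:\Windows\System32\Tasks (read them as bytes so their UTF-16 declaration is honoured) or can be exported with PowerShell's Export-ScheduledTask; feed the resulting name-to-XML mapping to hunt_tasks. A three-hour repetition on its own is a weak signal, so treat it as corroboration for a file-name match rather than a verdict by itself.
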
This includes gathering credentials and other information from Google Chrome, Mozilla Firefox, and multiple cryptocurrency wallets (e.g., Atomic, Coinomi, Electrum, Exodus, and Guarda). It's also capable of harvesting files matching a specific set of extensions (.txt, .doc, .png, and .jpg), logging keystrokes, and grabbing clipboard contents.

"The malicious installers observed in this case are unsigned and have a file size that is inconsistent with copies of the legitimate installer," Rapid7 said.

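Rapid7's two observable indicators, a missing signature and a file size that does not match the legitimate installer, can be turned into a pre-execution check. The following Python is an added example written for this page (not Rapid7's or Conceptworld's code): it compares a downloaded installer's size and SHA-256 against values a vendor would publish out of band (placeholders here, since the article gives none), and parses the PE header to see whether an Authenticode certificate table is present at all. The build_minimal_pe helper fabricates a skeletal PE32+ header purely so the check can run offline; it is not a real installer.

```python
import hashlib
import struct

# Header offsets from the PE/COFF specification.
DOS_E_LFANEW = 0x3C
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
DATA_DIRECTORY_START = {PE32_MAGIC: 96, PE32PLUS_MAGIC: 112}   # relative to the optional header
IMAGE_DIRECTORY_ENTRY_SECURITY = 4                              # Authenticode certificate table slot


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def certificate_table(pe):
    """Return (file offset, size) of the certificate table, or None if absent or the file is malformed."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", pe, DOS_E_LFANEW)
    if e_lfanew + 24 > len(pe) or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4
    (optional_size,) = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20
    if optional_size < 2 or opt + optional_size > len(pe):
        return None
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic not in DATA_DIRECTORY_START:
        return None
    dirs = opt + DATA_DIRECTORY_START[magic]
    entry = dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if entry + 8 > opt + optional_size:           # header too short to hold the security slot
        return None
    (num_dirs,) = struct.unpack_from("<I", pe, dirs - 4)   # NumberOfRvaAndSizes precedes the table
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None
    offset, size = struct.unpack_from("<II", pe, entry)     # for this slot the "RVA" is a file offset
    if offset == 0 or size == 0 or offset + size > len(pe):
        return None
    return offset, size


def check_installer(pe, expected_sha256, expected_size):
    """Checks to run on a downloaded installer before executing it; expected values come from the vendor."""
    digest = sha256_hex(pe)
    return {
        "size_matches": len(pe) == expected_size,
        "hash_matches": digest == expected_sha256.lower(),
        "has_signature_block": certificate_table(pe) is not None,
        "sha256": digest,
    }


def is_trustworthy(report):
    return report["size_matches"] and report["hash_matches"] and report["has_signature_block"]


def build_minimal_pe(signed):
    """Construct a skeletal PE32+ header (not loadable); only used to exercise certificate_table offline."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, DOS_E_LFANEW, 64)
    opt_size = 240                                   # standard PE32+ optional header size
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, DATA_DIRECTORY_START[PE32PLUS_MAGIC] - 4, 16)   # NumberOfRvaAndSizes
    header_len = 64 + 4 + len(coff) + opt_size
    cert = b""
    if signed:
        # WIN_CERTIFICATE: dwLength, wRevision 0x0200, wCertificateType 0x0002 (PKCS#7), then the blob.
        blob = b"\x30\x00" * 8                        # placeholder bytes standing in for PKCS#7 data
        cert = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob
        struct.pack_into("<II", opt, DATA_DIRECTORY_START[PE32PLUS_MAGIC] + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         header_len, len(cert))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert


if __name__ == "__main__":
    genuine = build_minimal_pe(signed=True)
    # Placeholder for what a vendor would publish alongside the download.
    published_hash, published_size = sha256_hex(genuine), len(genuine)
    print(check_installer(build_minimal_pe(signed=False), published_hash, published_size))
```

A present certificate table only says the file carries a signature block; it does not validate the chain or the signer, so on Windows follow up with Get-AuthenticodeSignature in PowerShell or signtool verify /pa and confirm the signer is the expected publisher. The hash and size comparison is what would have caught this case early, because the trojanized installers were larger than the genuine ones.
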
Users who have downloaded an installer for Notezilla, RecentX, or Copywhiz in June 2024 are recommended to examine their systems for signs of compromise and take appropriate action – such as re-imaging the affected ones – to undo the nefarious modifications.


References

[1]https://thehackernews.com/2024/07/indian-software-firms-products-hacked.html


Originally published on the WeChat public account 知机安全: Indian Software Firm's Product Installers Tampered With to Distribute Malware

  • Posted by admin on 2 July 2024 15:01:25
  • Please keep this link when reposting (CN-SEC中文网, with thanks to the original author): Indian Software Firm's Product Installers Tampered With to Distribute Malware, https://cn-sec.com/archives/2908865.html
