Supply Chain Compromise Leads to Trojanized Notezilla的安装程序, RecentX, Copywhiz

最后更新于2024年6月28日星期五18:00:03 GMT

The following Rapid7 analysts contributed to this research: Leo Gutierrez, 泰勒麦格劳, 莎拉•李, 托马斯·埃尔金斯.

执行概要

周二, 6月18日, 2024, Rapid7 initiated an investigation into suspicious activity in a customer environment. Our investigation identified that the suspicious behavior was emanating from the installation of Notezilla, a program that allows for the creation of sticky notes on a Windows desktop. Notezilla的安装程序, 以及RecentX和Copywhiz等工具, are distributed by the India-based company Conceptworld at the official domain conceptworld [.]com. After analyzing the installation packages for all three programs, Rapid7 discovered that the installers had been trojanized to execute information-stealing malware that has the capability to download and execute additional payloads.

信息披露

On Monday, June 24th, 2024, Rapid7 contacted Conceptworld to disclose the backdoored installers being hosted on conceptworld [.]com 根据… Rapid7的漏洞披露策略. 12小时内, Conceptworld confirmed and remediated the issue by removing the malicious installers from conceptworld [.]com 把它们换成合法的，有签名的副本. Rapid7 is grateful to Conceptworld for their prompt action on this issue.

Overview

Conceptworld is an India-based company offering three different software products: Notezilla, which allows users to create sticky notes on a Windows desktop; RecentX, which stores recently used files/applications/clipboard data; and Copywhiz, 这改进了文件复制和备份操作. 官方提供免费试用下载 conceptworld [.]com 每个软件包的站点.

所提供的安装包 conceptworld [.]com 在调查的时候, however, 与合法安装程序一起执行恶意软件, 没有签名, 并且与下载页面上声明的文件大小不匹配. The differences in the file sizes are due to the malware and its dependencies, which increases the size of the compromised installation packages.

The malware Rapid7 observed contains the functionality to steal browser credentials and crypto currency wallet information, 记录剪贴板内容和按键, 下载并执行额外的有效载荷. 感染系统后, the malware persists via a scheduled task that executes the primary payload every three hours.

基于提交给VirusTotal的文件, the malicious copies of the installers have existed since early June of 2024. 木马安装程序提供的恶意软件有效载荷, however, seem to belong to a nameless malware family that has been in distribution since at least January of 2024. Rapid7内部将这个恶意软件家族称为 dllFake because of the naming scheme used for several of the malware payloads.

技术分析

要深入了解恶意软件的有效载荷, we will analyze the malicious installer that was served for Notezilla.

首次访问

Rapid7 determined that trojanized installers for the 32-bit and 64-bit versions of Notezilla, Copywhiz, 和RecentX是, 在调查的时候, 由官方网站提供服务 conceptworld [.]com. Any users searching for this software via a popular search engine at the time were most likely to find the official domain as the first result, 然后引导他们下载恶意软件吗.

执行

下面提供的安装程序 conceptworld [.]com 在调查的时候Notezilla是 NotezillaSetup.exe, which, based on static analysis, is packed using software called 智能安装制造商(5.04).

Figure 1. 软件属性 NotezillaSetup.exe.

使用 sim_unpacker 该工具的插件 UniExtract2, we were able to unpack and acquire most of the contents of the installation package, 例如嵌入的文件和配置信息. The configuration file contains references to the legitimate software installer for Notezilla, 它被放入 %TEMP% 在执行期间, and multiple files that are dropped into the installation directory (i.e.(staging文件夹) % LOCALAPPDATA % \ WindowsApps \ \微软 在执行期间.

Figure 2. 使用sim-unpacker工具输出.

Figure 3. 的内容 installer.config.

一旦执行, NotezillaSetup.exe 然后执行该文件吗 dllCrt32.exe 从暂存目录 % LOCALAPPDATA % \ WindowsApps \ \微软 通过WINAPI调用 ShellExecuteA 和动词搭配 open. 然后再打一个电话给 ShellExecuteA 执行文件 NotezillaSetup.exe，合法安装程序的副本，来自 %TEMP%. 结果是, the only thing seen by the end user after initial execution is the installation window pop-up for the legitimate installer, prompting the user to proceed with the installation process for Notezilla.

Figure 4. Typical Process Tree for Initial 执行 of the Trojanized Installer.

Figure 5. The User’s View after the Infection has Already Begun in the Background.

The file dllCrt32.exe is a relatively small (~10KB) program that only serves as a wrapper to call CreateProcessA 执行文件 dllCrt.bat.

Figure 6. 的内容 dllCrt.bat.

批处理文件 dllCrt.bat 然后创建一个名为?的隐藏计划任务 检查dllHourly32 using schtasks.exe and an XML file that was previously dropped into the staging directory at % LOCALAPPDATA % \ \ WindowsApps \ dllCrt微软.xml. 计划任务 检查dllHourly32 然后执行该文件吗 % LOCALAPPDATA % \ \ WindowsApps \ dllBus32微软.exe 最初创建后每三小时一次, which means that the primary malware payload will not be executed until at least three hours after the user originally executed the trojanized installer.

Figure 7. 内部命令行组装 dllBus32.exe.

When dllBus32.exe 执行时，它还用作调用 CreateProcessA, though it initially retrieves several important command line parameters. 首先，调用CRT库函数 sprintf 连接一个硬编码的IPv4地址. 然后，第二个电话 sprintf concatenates the assembled IPv4 address with several other arguments to be passed to the batch file dllBus.bat. Finally, CreateProcessA 用完全组装的命令行调用.

Figure 8. 的开头几行 dllBus.bat.

的命令行参数 dllBus.bat via dllBus32.exe 包含IPv4地址, SFTP端口, ZIP存档有效负载的密码, 两组SFTP凭据, and the staging directory where the majority of the malware’s files are located.

批处理文件 dllBus.bat contains functionality to facilitate the theft of information from 谷歌Chrome, Mozilla Firefox, 以及多种加密货币钱包. 的副本 curl.exe dropped by the installer is also used to connect to a list of command-and-control (C2) addresses hosting SFTP servers. The curl commands are used to download an updated list of C2 addresses, 以明文形式存储在文件中 dll_srv.txt, and to download and execute additional payloads saved within encrypted ZIP archives named Updt.zip, Apps.zip, and BB.zip. The batch script will also attempt to compress all files on the infected system that have specific file extensions and exist in directories that are not on a hardcoded blacklist (for exfiltration). 所有被盗数据最终都使用 7z.exe 并使用curl直接上传到所选的C2 SFTP服务器.

的有效载荷 Apps.zip and Updt.zip 创建的可执行文件 PyInstaller, which means the original Python script used to create the executables can be recovered trivially using a 公开可用的提取器. 的有效载荷 dllChrome32.exe，包含在 Updt.zip, is used to facilitate theft of credentials from 谷歌Chrome’s database that are then saved into the file %临时% \ chrm.txt 格式为:URL，用户名，密码.

Figure 9. 的主要功能 dllChrome32.exe.

的有效载荷 dllTemp32.exe and dllCache32.exe 存储在 Apps.zip contain a clipboard stealer and a keylogger, where the results are saved to the files cl.txt and kl.txt，分别在暂存目录at % LOCALAPPDATA % \ WindowsApps \ \微软.

Figure 10. 复制到剪贴板的所有数据被转储到 cl.txt when dllTemp32.exe 正在运行.

Figure 11. dllCache32.exe 日志按键到 kl.txt 运行时.

Rapid7 did not observe any of the identified SFTP servers hosting the third payload, BB.zip，在写作的时候，虽然内容 dllBus.bat 指示它包含可执行文件 srvBus32.exe and srvCrt32.exe，其功能未知.

缓解指导

Rapid7 recommends verifying the file integrity of freely available software. Check that the file hash and properties of the downloaded file(s) match those provided by the official distributor and/or that they contain a valid and relevant signature. The malicious installers observed in this case are unsigned and have a file size that is inconsistent with copies of the legitimate installer, 就像官方下载页面上写的那样.

如果是Notezilla安装程序, RecentX, Copywhiz在一个月内在一个系统上执行过, Rapid7 recommends checking for signs of compromise due to the malicious installers detailed in this blog. The primary indicators of infection include the hidden scheduled task 检查dllHourly32 and a persistent running instance of the Windows Command Prompt, cmd.exe，使出站网络连接通过 curl.exe.

如果发现妥协的证据, Rapid7 recommends re-imaging affected systems to a known good baseline to eradicate any changes made by the malware.

Rapid7客户

InsightIDR, 管理检测和响应, and pg电子 customers have existing detection coverage through Rapid7's expansive library of detection rules. Rapid7 recommends installing the Insight agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. Below is a non-exhaustive list of detections that are deployed and will alert on behavior related to this activity:

斜接丙氨酸&CK技术

妥协指标

网络指标(nbi)

hbi (Host-Based Indicators)