Conceptworld installers dropped dllFake

Conceptworld's download site became the delivery point. Users went to the official domain for Notezilla, RecentX, or Copywhiz and received larger, unsigned installers that still launched the real product setup. The visible install looked ordinary. The compromise ran beside it.

Rapid7 found the staged files under %LOCALAPPDATA%\Microsoft\WindowsApps\. A wrapper started dllCrt.bat, which created a hidden scheduled task named Check dllHourly32. Three hours later, dllBus32.exe launched the main batch logic and began talking to SFTP infrastructure over port 2265.

The malware family, which Rapid7 calls dllFake, was built for theft and follow-on execution. It collected Chrome and Firefox credentials, targeted cryptocurrency wallets, logged keystrokes, dumped clipboard contents, archived selected local files, and used curl.exe and 7z.exe to move stolen data to attacker servers.

Rapid7 notified Conceptworld on June 24, 2024. Within 12 hours, Conceptworld removed the malicious installers and replaced them with legitimate signed copies. The record keeps all six installers as separate artifacts because each file has its own hash and could appear independently in endpoint evidence.

Motive

Financial Gain Data Theft

Cause

Website Compromise

Transitive

No

• Locationdistribution: conceptworld.com
• familydllFake
• domainconceptworld.com
• ip5.180.185.42
• ip50.2.108.102
• ip50.2.191.154
• ip104.140.17.242
• ip104.206.2.18
• ip104.206.57.117
• ip104.206.95.146
• ip104.206.220.113
• ip170.130.34.114
• ip185.137.137.74
• ip212.70.149.210
• port2265
• filedllBus.bat
• filedllCrt.bat
• filedllCrt.xml
• filedllCrt32.exe
• filedllBus32.exe
• fileApps.zip
• fileUpdt.zip
• scheduled_taskCheck dllHourly32
• path%LOCALAPPDATA%\Microsoft\WindowsApps\
• file_sha256dllBus.bat 1fa84b696b055f614ccd4640b724d90ccad4afc035358822224a02a9e2c12846
• file_sha256dllCrt.xml cdc1f2430681e9278b3f738ed74954c4366b8eff52c937f185d760c1bbba2f1d
• file_sha256dllCrt32.exe fdc84cb0845f87a39b29027d6433f4a1bbd8c5b808280235cf867a6b0b7a91eb
• file_sha256dllCrt.bat a89953915eabe5c4897e414e73f28c300472298a6a8c055fcc956c61c875fd96
• file_sha256dllBus32.exe 70bce9c228aacbdadaaf18596c0eb308c102382d04632b01b826e9db96210093
• file_sha256Apps.zip ca6ff18ee006e7ab3cb42fc541b08ce4231dadfab0cce57b1c126db3df9f1297
• file_sha256dllTemp32.exe 33e4d5eed3527c269467eec2ac57ae94ae34fd1d0a145505a29c51cf8e83f1b9
• file_sha256dllCache32.exe 03761d9fd24a2530b386c07bf886350ae497e693440a9319903072b93a30c82d
• file_sha256Updt.zip 6487a0dc9dfbbaa6557af096178a1361e49762a41500aa03f17df5d3b159bf4e
• file_sha256dllChrome32.exe de4e03288071cdebe5c26913888b135fb2424132856cc892baea9792d6c66249

• Indian Software Firm's Products Hacked to Spread Data-Stealing Malwarethehackernews.com
• Supply Chain Compromise Leads to Trojanized Installers for Notezilla, RecentX, Copywhizrapid7.com