Rapid7 discovered on June 18 that the installation files for Notezilla, Recentx, and Copywhiz programs distributed by Indian company ConceptWorld were infected with malicious software capable of downloading and executing additional files.
After Rapid7 contacted ConceptWorld on June 24, the threat was eliminated swiftly: within 12 hours, ConceptWorld replaced the malicious installers with genuine, signed copies.
ConceptWorld offers three software products: Notezilla for creating notes on Windows, Recentx for storing recent files and data, and Copywhiz for improving copying operations. Free trial versions of each program are available on the official website.
The analysis revealed that the official installation files contained malicious software alongside the legitimate installers. This malware was capable of stealing data from browsers and cryptocurrency wallets, intercepting clipboard contents, recording keystrokes, and downloading and executing additional files.
Malicious copies of the installers have been circulating since June, but the malware itself belongs to a family of malicious software dating back to at least January 2024, known as DLLFAKE within Rapid7 due to its naming scheme.
The trojanized installers for both the 32-bit and 64-bit versions of Notezilla, Copywhiz, and Recentx were distributed from the official ConceptWorld website. Users who downloaded these programs from popular search engine results were likely to get infected.
Analysis of the malicious code found that the Notezilla installer file was packed using Smart Install Maker. Rapid7 was able to unpack it and extract most of the malicious content. Users saw only the legitimate software installation window, with nothing to suggest any harmful activity.
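Because the fix consisted of replacing the trojanized files with signed copies, the check a user or administrator most wants here is to confirm, before running a downloaded installer, that it carries a valid Authenticode signature from the expected publisher and to record its hash. The following PowerShell is an added example written for this page, not code from Rapid7's report or from ConceptWorld; the publisher string it compares against is an assumed placeholder that should be taken from a known-good signed copy.

```powershell
# Added example (not from Rapid7 or ConceptWorld): verify that a downloaded
# Windows installer is signed by the expected publisher before it is run.
function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Assumed placeholder; use the Subject of a known-good signed installer.
        [Parameter(Mandatory)][string]$ExpectedPublisher
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Status = 'Missing'; Publisher = $null; Sha256 = $null; Ok = $false }
    }

    # Get-AuthenticodeSignature reports 'NotSigned' for unsigned files and
    # 'HashMismatch' when a signed file has been tampered with after signing.
    $sig       = Get-AuthenticodeSignature -FilePath $Path
    $publisher = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    # Both conditions must hold: the signature chain is valid AND the signer is
    # the publisher we expect (any valid signature is not enough).
    $ok = ($sig.Status -eq 'Valid') -and ($publisher -eq $ExpectedPublisher)

    [pscustomobject]@{
        Path      = $Path
        Status    = $sig.Status
        Publisher = $publisher
        Sha256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Ok        = $ok
    }
}

# Usage: report every installer in the Downloads folder that fails the check.
# Anything listed here should not be executed until its origin is explained.
Get-ChildItem -LiteralPath "$env:USERPROFILE\Downloads" -Filter *.exe |
    ForEach-Object { Test-InstallerSignature -Path $_.FullName -ExpectedPublisher 'CN=EXAMPLE-PUBLISHER' } |
    Where-Object { -not $_.Ok } |
    Format-Table Path, Status, Publisher, Sha256 -AutoSize
```

The SHA-256 hash is included in the output so that a flagged file can be compared against a vendor-published hash or submitted to the vendor or an analyst; an exact publisher match is used deliberately, since a signature that merely validates could belong to any signer.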
For more information on the properties of notezillasetup.exe, see Rapid7's report.