A hacking group known as StrongPity is spreading malicious Notepad++ installers to infect targets in Belgium and Italy. The Notepad++ is a free text and source code editor for Windows used in various organizations.
The malicious Notepad++ installers
The attack tactic of using a malicious installer is very efficient and successful for hiding malware inside a tool.
- A malicious installer was discovered by a threat analyst called blackorbird, which Minerva Labs studied and provided insights about.
- The malware has the ability to steal files, along with other data.
- In their previous campaign, attackers were targeting individuals interested in Truecrypt and WinRaR software.
How does it work?
- Once the installer is executed, it creates a folder named Windows Data at C:\ProgramData\Microsoft and drops three files - npp[.]8[.]1[.]7[.]Installer[.]x64[.]exe, winpickr[.]exe, and ntuis32[.]exe.
- The installation of the code editor continues as usual and the victim doesn’t notice anything that raises an alert.
- Moreover, it creates a "PickerSrv" service for malware persistence.
- The PickerSrv service executes another file ntuis32[.]exe (a keylogger component) as an overlapped window.
- The keylogger monitors all keystrokes of the user and saves them to hidden system files at C:\ProgramData\Microsoft\WindowsData. This is constantly checked by the winpickr[.]exe process.
- If a new log file is spotted, the component makes a contact with C2 for uploading the stolen data.
- Once the transfer of data is done, the original log is deleted to remove any traces of malicious actions.
Conclusion
Cybercriminals are known for abusing the trust of users in well-known or widely used software in enterprises. Notepad++ users are suggested to ensure that the installer is downloaded from the official website and always use the latest updated version.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/ed42_shutterstock_1819194170.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/shutterstock_399778786.jpg)
