Chinese language customers on the lookout for reputable software program resembling Notepad++ and VNote on engines like google like Baidu are being focused with malicious advertisements and bogus hyperlinks to distribute trojanized variations of the software program and finally deploy Geacon, a Golang-based implementation of Cobalt Strike.
“The malicious web site discovered within the notepad++ search is distributed by way of an commercial block,” Kaspersky researcher Sergey Puzan stated.
“Opening it, an attentive person will instantly discover an amusing inconsistency: the web site handle comprises the road vnote, the title presents a obtain of Notepad‐‐ (an analog of Notepad++, additionally distributed as open-source software program), whereas the picture proudly reveals Notepad++. In truth, the packages downloaded from right here comprise Notepad‐‐.”
The web site, named vnote.fuwenkeji[.]cn, comprises obtain hyperlinks to Home windows, Linux, and macOS variations of the software program, with the hyperlink to the Home windows variant pointing to the official Gitee repository containing the Notepad– installer (“Notepad–v2.10.0-plugin-Installer.exe”).
The Linux and macOS variations, however, result in malicious set up packages hosted on vnote-1321786806.cos.ap-hongkong.myqcloud[.]com.
Similarly, the faux look-alike web sites for VNote (“vnote[.]information” and “vnotepad[.]com”) result in the identical set of myqcloud[.]com hyperlinks, on this case, additionally pointing to a Home windows installer hosted on the area. That stated, the hyperlinks to the possibly malicious variations of VNote are now not lively.
An evaluation of the modified Notepad– installers reveals that they’re designed to retrieve a next-stage payload from a distant server, a backdoor that reveals similarities with Geacon.
It is able to creating SSH connections, performing file operations, enumerating processes, accessing clipboard content material, executing recordsdata, importing and downloading recordsdata, taking screenshots, and even getting into into sleep mode. Command-and-control (C2) is facilitated by the use of HTTPS protocol.
The event comes as malvertising campaigns have additionally acted as a conduit for different malware resembling FakeBat (aka EugenLoader) malware with the assistance of MSIX installer recordsdata masquerading as Microsoft OneNote, Notion, and Trello.
