June 28, 2022

TheCyberThrone

Thinking Security ! Always

Poisoned Notepad++ Circulates Strong Pity Malware


The highly sophisticated hacking group known as Strong Pity is circulating laced Notepad++ installers that infect targets with malware.

The Strong Pity actor group has been active since 2012 and consistently employs the same tactic: adding backdoors to legitimate software used by its targets, an approach also known as a watering hole attack. The group is also referred to as APT-C-41 and PROMETHIUM.


Strong Pity APT hides its three-stage attack behind a Notepad++ installation. This attack method is highly efficient because the malware ‘hides’ inside a legitimate tool that is commonly found within organizations. When such a common tool is downloaded from an unofficial URL, it can be abused, as in this case.

Initially, the victim downloads a “Notepad++” setup file and executes it. To make the malicious file more trustworthy to the victim, the threat actor gives it the original Notepad++ icon. When executed, the malicious file creates a new folder named “WindowsData” under C:\ProgramData\Microsoft and drops three different files on the infected station:

  • npp.8.1.7.Installer.x64.exe – the original Notepad++ installation file under C:\Users\Username\AppData\Local\Temp\ folder.
  • winpickr.exe – a malicious file under C:\Windows\System32 folder.
  • ntuis32.exe – malicious keylogger under C:\ProgramData\Microsoft\WindowsData folder.

The first-stage executable runs the legitimate Notepad++ installation, whilst the victim is oblivious to the two malicious files being installed in the background. In the last phase of the setup.exe stage, it runs winpickr.exe with an “update” argument.


On its first execution by setup.exe, winpickr.exe creates a new service named “PickerSrv” whose purpose is to execute winpickr.exe at start-up and keep it persistent on the endpoint.

Run with this argument, the malicious file can easily evade sandbox analysis, since all it does is create a service.

When executed as a service (without any parameters), winpickr.exe reveals its real purpose. First, it immediately executes ntuis32.exe. This malicious file is a simple keylogger that saves the user’s keystrokes to a file. The file name follows the pattern inf_loc_ky_%u_v1.0.0_.tbl, where %u is a file serial number. These files are created as hidden system files with the read-only attribute and saved in the C:\ProgramData\Microsoft\WindowsData folder that was previously created by the first-stage setup.exe file. To remain hidden, the keylogger runs in a minimized window. A new mutex called “Local\WinLoginWait” is also created during execution.

While the keylogger runs in the background, winpickr.exe repeatedly checks the folder where the logs are written for .tbl files. When it finds a file matching the attributes of the log files created by ntuis32.exe, it connects to its C&C server and transfers the file. After sending the file to the C&C, winpickr.exe deletes it from the endpoint.
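The first two stages above leave two host-level traces a defender can look for: a new service named PickerSrv whose image is System32\winpickr.exe, and winpickr.exe being launched first with the “update” argument and later with no arguments. The following Python triage rules, an added example and not code from the article or from the malware analysts, evaluate those traces over constructed event records. The record layout (the `event_id`, `service_name`, `image_path`, `command_line` and `parent_image` keys) and the assumption that `%SystemRoot%` expands to `C:\Windows` are this example's own; the field names a real Windows System log (event 7045) or Sysmon (event 1) export uses will differ and would need mapping onto these keys.

```python
"""Added example: host-event triage rules for the PickerSrv / winpickr.exe stages described above.
All event records below are constructed for the demonstration, not real log output."""
import ntpath
import re
import shlex
from typing import Any, Dict, List, Optional, Tuple

SERVICE_NAME = "PickerSrv"                          # service created by winpickr.exe (from the article)
STAGE2_IMAGE = r"C:\Windows\System32\winpickr.exe"  # where setup.exe drops winpickr.exe (from the article)
SYSTEM_ROOT = r"C:\Windows"                         # assumption used to expand %SystemRoot%


def normalize_windows_path(path: str) -> str:
    """Strip surrounding quotes, expand %SystemRoot%, normalise separators and case so that
    the quoted, mixed-case and %SystemRoot% spellings of one path compare equal."""
    p = path.strip().strip('"')
    p = re.sub(r"%systemroot%", lambda _: SYSTEM_ROOT, p, flags=re.IGNORECASE)
    return ntpath.normpath(p).lower()


def split_command_line(cmdline: str) -> List[str]:
    """Split a Windows command line into argv; posix=False keeps backslashes literal
    and leaves the quotes on a quoted image path (normalize_windows_path strips them)."""
    return shlex.split(cmdline, posix=False)


def check_service_install(ev: Dict[str, Any]) -> Optional[str]:
    """Rule for a 'service was installed' record (the fields System event 7045 carries)."""
    if ev.get("event_id") != 7045:
        return None
    if str(ev.get("service_name", "")).lower() == SERVICE_NAME.lower():
        return f"service {SERVICE_NAME} installed"
    if normalize_windows_path(str(ev.get("image_path", ""))) == normalize_windows_path(STAGE2_IMAGE):
        return "service image is System32\\winpickr.exe"
    return None


def check_stage2_launch(ev: Dict[str, Any]) -> Optional[str]:
    """Rule for a process-creation record (Sysmon event 1 style fields)."""
    if ev.get("event_id") != 1:
        return None
    argv = split_command_line(str(ev.get("command_line", "")))
    if not argv or ntpath.basename(normalize_windows_path(argv[0])) != "winpickr.exe":
        return None
    if len(argv) > 1 and argv[1].strip('"').lower() == "update":
        return "winpickr.exe run with 'update' (persistence stage)"
    return "winpickr.exe run without arguments (keylogger/exfil stage)"


RULES = (check_service_install, check_stage2_launch)


def triage(events: List[Dict[str, Any]]) -> List[Tuple[int, str]]:
    """Apply every rule to every record; return (record index, reason) for each hit."""
    hits: List[Tuple[int, str]] = []
    for i, ev in enumerate(events):
        for rule in RULES:
            reason = rule(ev)
            if reason:
                hits.append((i, reason))
    return hits


# Constructed sample records: one benign service install, the three stages from the article
# (setup.exe launching winpickr.exe update, the PickerSrv install, the parameterless service
# start) and a benign svchost launch.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"event_id": 7045, "service_name": "Spooler", "image_path": r"%SystemRoot%\System32\spoolsv.exe"},
    {"event_id": 1, "command_line": r'"C:\Windows\System32\winpickr.exe" update',
     "parent_image": r"C:\Users\user\Downloads\setup.exe"},
    {"event_id": 7045, "service_name": "PickerSrv", "image_path": r"%SystemRoot%\System32\WINPICKR.EXE"},
    {"event_id": 1, "command_line": r"C:\WINDOWS\system32\winpickr.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"event_id": 1, "command_line": r"C:\Windows\System32\svchost.exe -k netsvcs",
     "parent_image": r"C:\Windows\System32\services.exe"},
]

if __name__ == "__main__":
    for index, reason in triage(SAMPLE_EVENTS):
        print(f"record {index}: {reason}")
```

The path normalisation is the part worth keeping even when the rules change: service image paths arrive quoted, unquoted, in mixed case or with `%SystemRoot%`, and a rule that compares raw strings misses most of those spellings.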


Make sure to download the installer from the project’s own website. The software is available on numerous other websites, some of which claim to be official Notepad++ portals but may bundle adware or other unwanted software. The URL that distributed the laced installer was taken down after analysts identified it, but the actors could quickly register a new one.

This attack’s pattern is identical to Strong Pity’s usual attack flow. The setup.exe and winpickr.exe code is mostly identical to the code from previous campaigns. 

Indicators of Compromise

Hashes:

  • 18107fa059cf457b0b351b683e08e01a3b029ba277f5ca4583a4e3322df21622 – npp.8.1.7.Installer.x64.exe – legitimate Notepad++ installer
  • 7d3192cad53f934173187f91d8555065d69e09b4f127275a1d47f9f1f9405c5c – setup.exe
  • 1380160229604c7d499372dd8192024451291d8bf54e87f19c9e2077b1f165c6 – winpickr.exe
  • ed2eae7c0a6cd81d108d71289a49e4a187078a9a6af8400c6a3253d802a7ac95 – ntuis32.exe
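The keylogger's log-file naming pattern and the hashes above are the indicators a responder can sweep a disk image or a live host for. The Python sweep below is an added example, not code from the article or from the analysts who published the indicators: it converts the printf-style name `inf_loc_ky_%u_v1.0.0_.tbl` into an anchored regular expression (so a literal dot is not treated as a wildcard and `%u` must be digits), hashes every file under a root directory against the three malicious SHA-256 values, and, on Windows only, reports the hidden+system+read-only attribute combination the keylogger sets. The `demo()` folder layout and every file's contents are constructed for the demonstration, and the extra "constructed test sample" hash exists only so the hash-matching path is exercised offline; on a real host the root to scan would be the C:\ProgramData\Microsoft\WindowsData folder named in the article.

```python
"""Added example: disk sweep for the keylogger log-file pattern and the SHA-256 indicators listed above.
The directory layout and file contents in demo() are constructed for the demonstration."""
import hashlib
import re
import stat
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# SHA-256 indicators taken from the article (malicious files only; the legitimate
# npp.8.1.7.Installer.x64.exe hash is deliberately not in this list).
KNOWN_HASHES: Dict[str, str] = {
    "7d3192cad53f934173187f91d8555065d69e09b4f127275a1d47f9f1f9405c5c": "setup.exe",
    "1380160229604c7d499372dd8192024451291d8bf54e87f19c9e2077b1f165c6": "winpickr.exe",
    "ed2eae7c0a6cd81d108d71289a49e4a187078a9a6af8400c6a3253d802a7ac95": "ntuis32.exe",
}

# printf-style log name from the article; %u is an unsigned serial number.
KEYLOG_NAME_PATTERN = "inf_loc_ky_%u_v1.0.0_.tbl"


def printf_pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Convert a printf-style file name into an anchored regex: literal text is escaped
    (so '.' matches only a dot) and every %u becomes one or more digits."""
    parts = pattern.split("%u")
    return re.compile("^" + r"\d+".join(re.escape(p) for p in parts) + "$", re.IGNORECASE)


KEYLOG_NAME_RE = printf_pattern_to_regex(KEYLOG_NAME_PATTERN)


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def has_hidden_system_readonly(path: Path) -> bool:
    """True when the file carries the hidden+system+read-only combination the article describes.
    st_file_attributes exists only on Windows; on other platforms this returns False."""
    attrs = getattr(path.stat(), "st_file_attributes", None)
    if attrs is None:
        return False
    wanted = stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM | stat.FILE_ATTRIBUTE_READONLY
    return attrs & wanted == wanted


def scan_directory(root, known_hashes: Dict[str, str] = KNOWN_HASHES) -> List[Tuple[str, str]]:
    """Walk root recursively and return (reason, file name) for every indicator match."""
    findings: List[Tuple[str, str]] = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        if KEYLOG_NAME_RE.match(path.name):
            findings.append(("keylogger log name", path.name))
            if has_hidden_system_readonly(path):
                findings.append(("hidden+system+read-only attributes", path.name))
        digest = sha256_file(path)
        if digest in known_hashes:
            findings.append((f"known hash: {known_hashes[digest]}", path.name))
    return findings


def demo() -> List[Tuple[str, str]]:
    """Build a constructed WindowsData-like folder in a temporary directory and scan it."""
    sample = b"constructed sample, not the real binary"
    # Constructed hash so the hash-matching path runs offline without the real malware.
    extra = {hashlib.sha256(sample).hexdigest(): "constructed test sample"}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "WindowsData"
        root.mkdir()
        (root / "inf_loc_ky_1_v1.0.0_.tbl").write_bytes(b"constructed keystroke log 1")
        (root / "inf_loc_ky_27_v1.0.0_.tbl").write_bytes(b"constructed keystroke log 27")
        (root / "inf_loc_ky_x_v1.0.0_.tbl").write_bytes(b"serial is not numeric: no match")
        (root / "notes.tbl").write_bytes(b"unrelated .tbl file: no match")
        (root / "sample.bin").write_bytes(sample)
        return scan_directory(root, {**KNOWN_HASHES, **extra})


if __name__ == "__main__":
    for reason, name in demo():
        print(f"{reason:40} {name}")
```

Because winpickr.exe deletes each log after uploading it, an empty WindowsData folder on a live host does not clear it; the service and process indicators described earlier, and file-system journal or backup copies, are the places to look when no .tbl file remains.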

Domains:
