Chinese language customers in search of official software program corresponding to Notepad++ and VNote on search engines like google like Baidu are being focused with malicious advertisements and bogus hyperlinks to distribute trojanized variations of the software program and finally deploy Geacon, a Golang-based implementation of Cobalt Strike.
“The malicious website discovered within the notepad++ search is distributed via an commercial block,” Kaspersky researcher Sergey Puzan stated.
“Opening it, an attentive consumer will instantly discover an amusing inconsistency: the web site deal with accommodates the road vnote, the title presents a obtain of Notepad‐‐ (an analog of Notepad++, additionally distributed as open-source software program), whereas the picture proudly exhibits Notepad++. In actual fact, the packages downloaded from right here comprise Notepad‐‐.”
The web site, named vnote.fuwenkeji[.]cn, accommodates obtain hyperlinks to Home windows, Linux, and macOS variations of the software program, with the hyperlink to the Home windows variant pointing to the official Gitee repository containing the Notepad– installer (“Notepad–v2.10.0-plugin-Installer.exe”).
The Linux and macOS variations, however, result in malicious set up packages hosted on vnote-1321786806.cos.ap-hongkong.myqcloud[.]com.
Similarly, the faux look-alike web sites for VNote (“vnote[.]information” and “vnotepad[.]com”) result in the identical set of myqcloud[.]com hyperlinks, on this case, additionally pointing to a Home windows installer hosted on the area. That stated, the hyperlinks to the possibly malicious variations of VNote are now not lively.
An evaluation of the modified Notepad– installers reveals that they’re designed to retrieve a next-stage payload from a distant server, a backdoor that reveals similarities with Geacon.
It is able to creating SSH connections, performing file operations, enumerating processes, accessing clipboard content material, executing recordsdata, importing and downloading recordsdata, taking screenshots, and even getting into into sleep mode. Command-and-control (C2) is facilitated by the use of HTTPS protocol.
The event comes as malvertising campaigns have additionally acted as a conduit for different malware corresponding to FakeBat (aka EugenLoader) malware with the assistance of MSIX installer recordsdata masquerading as Microsoft OneNote, Notion, and Trello.