Chinese language customers on the lookout for reputable software program akin to Notepad++ and VNote on search engines like google and yahoo like Baidu are being focused with malicious adverts and bogus hyperlinks to distribute trojanized variations of the software program and finally deploy Geacon, a Golang-based implementation of Cobalt Strike.
“The malicious website discovered within the notepad++ search is distributed by an commercial block,” Kaspersky researcher Sergey Puzan mentioned.
“Opening it, an attentive consumer will instantly discover an amusing inconsistency: the web site tackle comprises the road vnote, the title provides a obtain of Notepad‐‐ (an analog of Notepad++, additionally distributed as open-source software program), whereas the picture proudly reveals Notepad++. In reality, the packages downloaded from right here include Notepad‐‐.”
The web site, named vnote.fuwenkeji[.]cn, comprises obtain hyperlinks to Home windows, Linux, and macOS variations of the software program, with the hyperlink to the Home windows variant pointing to the official Gitee repository containing the Notepad– installer (“Notepad–v2.10.0-plugin-Installer.exe”).
The Linux and macOS variations, then again, result in malicious set up packages hosted on vnote-1321786806.cos.ap-hongkong.myqcloud[.]com.
In a similar way, the faux look-alike web sites for VNote (“vnote[.]information” and “vnotepad[.]com”) result in the identical set of myqcloud[.]com hyperlinks, on this case, additionally pointing to a Home windows installer hosted on the area. That mentioned, the hyperlinks to the doubtless malicious variations of VNote are now not energetic.
An evaluation of the modified Notepad– installers reveals that they’re designed to retrieve a next-stage payload from a distant server, a backdoor that reveals similarities with Geacon.
It is able to creating SSH connections, performing file operations, enumerating processes, accessing clipboard content material, executing recordsdata, importing and downloading recordsdata, taking screenshots, and even getting into into sleep mode. Command-and-control (C2) is facilitated by the use of HTTPS protocol.
The event comes as malvertising campaigns have additionally acted as a conduit for different malware akin to FakeBat (aka EugenLoader) malware with the assistance of MSIX installer recordsdata masquerading as Microsoft OneNote, Notion, and Trello.
