What’s in your notepad? Infected text editors target Chinese users

“Malvertising” is a popular way of attracting victims to malicious sites: an advertisement block is placed at the top of the search results, increasing the likelihood of users clicking the link. Sites at the top of search results also tend to be more trusted by users. A year ago, our experts discussed a malvertising campaign that spread the RedLine stealer via Google Ads. Using typosquatting and other techniques, the attackers tried to make their resources look as similar as possible to the official websites of popular programs.

This time, a similar threat has affected users of one of the most popular search engines in the Chinese internet. We’ve discovered two related cases where modified versions of popular text editors were distributed in this system: in the first case, the malicious resource appeared in the advertisement section; in the second case, at the top of the search results. We have not yet been able to establish all the details of the threat, so this material may be updated later.

Malicious sites in search results

The screenshots below show two searches which the search engine responds to with malicious links:

Malicious link in the advertisement section for the search notepad++ (left) and search results for vnote (right)

The malicious site found in the notepad++ search is distributed through an advertisement block. Opening it, an attentive user will immediately notice an amusing inconsistency: the website address contains the line vnote, the title offers a download of Notepad‐‐ (an analog of Notepad++, also distributed as open-source software), while the image proudly shows Notepad++. In fact, the packages downloaded from here contain Notepad‐‐.

Page with fake NotePad++

This site offers installers for three popular platforms (Windows, Linux, macOS); however, there are only two malicious links here, leading to download pages for the macOS and Linux versions. The link to the Windows version leads to the official repository and is not malicious:

Application download links, linked to buttons on the malicious Notepad-- download page

The screenshot shows that the source of the malicious installation packages is the resource vnote-1321786806[.]cos[.]ap-hongkong[.]myqcloud[.]com.

Meanwhile, the second page, found in the vnote search, tries to imitate the official website of the program:

Fake (above) and the original (below) VNote site

Unfortunately, at the time of this investigation, the links to the potentially malicious versions of VNote were no longer functioning; however, they led to the same resource as the Notepad‐‐ links:

Application download links, linked to buttons on the fake VNote site

Text editor with malicious payload

Since we have samples of the fake Notepad‐‐ for Linux and macOS, we can take a closer look at them.

The downloaded applications have several differences from the original versions, and the malicious Linux and macOS versions are similar in functionality. Next, we will examine the macOS version (MD5: 00fb77b83b8ab13461ea9dd27073f54f). It is a disk image in DMG format, whose contents are identical to the original (version 2.0.0), except for the executable file itself, named NotePad‐‐ (MD5: 6ace1e014863eee67ab1d2d17a33d146).
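The finding above (a DMG whose contents match the official release except for the main executable) is exactly what a manifest comparison surfaces. The Python below is an added example, not code from the article or the Notepad‐‐ project: it hashes two directory trees and reports files that differ, using a constructed pair of dummy bundles in a temporary directory in place of the real images.

```python
import hashlib
import os
import tempfile

def hash_tree(root: str) -> dict:
    """Map each file's path (relative to root) to its MD5, the digest used in the IoCs."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = hashlib.md5(fh.read()).hexdigest()
    return digests

def diff_manifest(reference: dict, candidate: dict) -> dict:
    """Classify candidate files as modified, added or missing relative to a trusted manifest."""
    return {
        "modified": sorted(p for p in reference if p in candidate and reference[p] != candidate[p]),
        "added": sorted(set(candidate) - set(reference)),
        "missing": sorted(set(reference) - set(candidate)),
    }

def demo() -> dict:
    """Constructed stand-in for the case in the article: two bundle trees identical except
    for the main executable. File contents are dummy bytes, not the real binaries."""
    with tempfile.TemporaryDirectory() as tmp:
        for tree, exe_bytes in (("official", b"genuine editor"),
                                ("download", b"editor plus extra startup class")):
            base = os.path.join(tmp, tree, "NotePad--.app", "Contents")
            os.makedirs(os.path.join(base, "MacOS"))
            with open(os.path.join(base, "Info.plist"), "wb") as fh:
                fh.write(b"<plist/>")                 # identical in both trees
            with open(os.path.join(base, "MacOS", "NotePad--"), "wb") as fh:
                fh.write(exe_bytes)                   # only this file differs
        return diff_manifest(hash_tree(os.path.join(tmp, "official")),
                             hash_tree(os.path.join(tmp, "download")))
```

In practice the reference manifest comes from a release you obtained from the official repository, and a hit in "modified" on the executable is the signal to pull the sample apart rather than run it.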

Studying the contents of its main function, we discovered that just before the application is launched, the suspicious class Uplocal is initialized, which is absent in the source code of the original Notepad‐‐:

Modified section of code before application launch

This class implements only one method named run. Its purpose is to download a file to the path /tmp/updater and execute it:

Payload of the run method of the Uplocal class

The file is downloaded from the address hxxp://update[.]transferusee[.]com/onl/mac/, where is the MD5 hash of the device’s serial number obtained in the GetComputerUUID function by executing the following bash command:

ioreg -rd1 -c IOPlatformExpertDevice |  awk '/IOPlatformSerialNumber/ { print $3; }'

The Linux version differs slightly:

  • The file is downloaded from the same address, but is located in the directory /onl/lnx/: hxxp://update[.]transferusee[.]com/onl/lnx/
  • is the MD5 hash of the device’s MAC address:
    Obtaining and hashing the device's MAC address

  • Unfortunately, at the time of our investigation, the downloaded file was no longer available on the server, and we couldn’t determine what was supposed to be there.
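Because the stager URL embeds a per-device MD5 under /onl/mac/ or /onl/lnx/, a defender can hunt for it in proxy logs and can precompute the identifiers expected for known hosts. The Python below is an added example, not code from the article: the log lines are constructed, and hashing the MAC address as a plain string on the Linux side is an assumption about formatting the article does not spell out.

```python
import hashlib
import re

# Constructed sample of proxy log lines (method, host, path), not from the article.
SAMPLE_LOG = """\
GET update.transferusee.com /onl/mac/9e107d9d372bb6826bd81d3542a419d6
GET update.transferusee.com /onl/lnx/e4d909c290d0fb1ca068ffaddf22cbd0
GET update.transferusee.com /DPysMac64
GET notepad-plus-plus.org /downloads/v8.6/
GET update.transferusee.com /onl/mac/notahash
"""

# Layout described in the article: /onl/mac/<md5> for macOS, /onl/lnx/<md5> for Linux.
STAGER_RE = re.compile(r"^/onl/(?P<os>mac|lnx)/(?P<id>[0-9a-f]{32})$")
C2_HOSTS = {"update.transferusee.com", "dns.transferusee.com"}

def victim_id_mac(serial: str) -> str:
    """MD5 of the IOPlatformSerialNumber string, as the macOS Uplocal class builds it."""
    return hashlib.md5(serial.encode()).hexdigest()

def victim_id_linux(mac_addr: str) -> str:
    """MD5 of the MAC address; hashing it as the plain text string is an assumption."""
    return hashlib.md5(mac_addr.encode()).hexdigest()

def scan_log(text: str) -> list:
    """Return (host, path, os, victim_id) for stager-style requests to the C2 hosts,
    and (host, path, None, None) for any other contact with those hosts."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                      # skip malformed lines
        _, host, path = parts
        if host not in C2_HOSTS:
            continue                      # unrelated traffic
        m = STAGER_RE.match(path)
        if m:
            hits.append((host, path, m["os"], m["id"]))
        else:
            hits.append((host, path, None, None))
    return hits
```

The victim_id helpers let you compute the identifiers for your own fleet's serial numbers or MAC addresses and match them against the ids that scan_log extracts.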

    However, we know for sure that this server has another subdomain, dns[.]transferusee[.]com, and it is accessed by a Mach-O file named DPysMac64 (MD5: 43447f4c2499b1ad258371adff4f503f), previously uploaded to VT and not detected by any vendor at the time of the investigation:

    DPysMac64 file page on VT

    Moreover, this file is stored on the same server from which the mysterious updater was supposed to be downloaded:

    Loading DPysMac64 from update[.]transferusee[.]com

    From this, we can fairly confidently assume that the updater is an intermediate step that should ultimately lead to loading DPysMac64. The server also contains a file called DPysMacM1, the name of which implies that it is built for systems running on Apple Silicon processors; however, in reality, it is the same file as DPysMac64.

    The application is a backdoor, very similar to the so-called Geacon – an open-source implementation of the CobaltStrike agent written in Go. Although the attackers removed any direct mention of Geacon from their project, we found a large number of lines, names, and code fragments of functions and modules matching implementations of geacon_plus, geacon_pro, and BeaconTool. For example, they have almost completely identical sysinfo modules, functions FirstBlood, EncryptedMetaInfo, PullCommand, and so on:

    Comparison of the list of functions of the sysinfo module of DPysMac64 (left) and an instance of geacon_pro (right)

    The backdoor has two launch options – normal and as a service. Communication with the C2 server dns[.]transferusee[.]com is carried out via HTTPS protocol. Interestingly, the attackers named the project which implements the functionality of executing remote commands spacex:

    The name of the backdoor module contained in the lines of the DPysMac64 file

    The backdoor contains the following list of commands:

    Code   Name           Purpose
    25     CmdSSH         Creating an SSH connection
    27     Spawn          Launching a new agent
    32     CmdExit        Shutdown
    34     SetSleep       Entering sleep mode
    1010   Screenshot     Taking a screenshot
    1020   ProcessList    Getting a list of processes
    1021   ProcessKill    Terminating a process
    1030   PortScan       Scanning ports
    1031   Install        Adding itself to the list of services
    1032   UnInstall      Removing itself from the list of services
    1040   CmdHashdump    Getting the computer name
    1044   CmdClipboard   Reading clipboard content
    1050   FileBrowse     Getting a list of files in a directory
    1051   FileDrives     Getting a list of drives
    1052   FileMakeDir    Creating a directory
    1056   FileUpload     Uploading a file to the server
    1057   FileExecute    Executing a file
    1060   FileDownload   Downloading a file from the server

    Connection between infected applications

    While we cannot be certain about the files previously downloaded from vnote[.]info, we have discovered that the sources distributing applications on both sites are the same. It’s also worth mentioning another interesting detail that we found completely by chance during the examination of the modified NotePad‐‐. In the lines of the executable file, we found text resembling an About window, but instead of a link to the official project website, it contained a link to the suspicious resource vnotepad[.]com. Below is a screenshot of the About window in the program’s user interface:

    About window of modified Notepad--

    The link in the About window led us to a stub page:

    We found it strange, so we tried to switch from HTTP to HTTPS, which made it possible to discover that this site is another copy of the VNote site, similar to the one we saw on vnote[.]info. Furthermore, when opening this site, the browser warned us that the certificate it was using was invalid because it was issued for vnote[.]info:

    Certificate used by the site vnotepad[.]com

    This indicates a definite connection between the two cases described, as well as the high probability that the purpose of the modified VNote editors is similar to that of NotePad‐‐, and involves delivering the next stage of infection.

    Conclusion

    We’re continuing to study the threat described above and are searching for intermediate stages that have not yet been discovered. In addition, we’ve established that the changes in the Linux and macOS applications are identical, suggesting the possibility of a backdoor for Linux that is similar to the one we found for macOS.

    Indicators of compromise

    Files:

    MD5                                File type       File name
    43447f4c2499b1ad258371adff4f503f   Mach-O 64-bit   DPysMac64
    00fb77b83b8ab13461ea9dd27073f54f   DMG             Notepad‐‐v2.0.0-mac_x64_12.3.dmg
    5ece6281d57f16d6ae773a16f83568db   AppImage        Notepad‐‐-x86_64.AppImage
    6ace1e014863eee67ab1d2d17a33d146   Mach-O 64-bit   NotePad‐‐
    47c9fec1a949e160937dd9f9457ec689   ELF 64-bit      NotePad‐‐

    Links:

    dns[.]transferusee[.]com
    update[.]transferusee[.]com/onl/mac/
    update[.]transferusee[.]com/onl/lnx/
    update[.]transferusee[.]com/DPysMac64
    update[.]transferusee[.]com/DPysMacM1
    vnote[.]info
    vnote[.]fuwenkeji[.]cn
    vnotepad[.]com
    vnote-1321786806[.]cos[.]ap-hongkong[.]myqcloud[.]com

    Source: Securelist