Current Cyber Threats

Notepad++ Fixes Flaw that Let Attackers Push Malicious Update Files

Summary:
Notepad++ recently addressed a security weakness in its update tool (WinGUp) after reports of several incidents in which the updater was manipulated into downloading and running malicious executables instead of legitimate updates.

The issue stems from the way WinGUp validates the authenticity and integrity of retrieved updates. If an attacker can intercept the network traffic between the updater client and the Notepad++ update infrastructure, they could exploit this weakness to make the updater download and execute attacker-supplied binaries.

In their advisory, the maintainers of Notepad++ confirmed that traffic from WinGUp was rerouted to malicious servers, resulting in users unknowingly downloading malicious executables onto their systems.

It’s unclear how the traffic is being intercepted. According to security researcher Kevin Beaumont, actors may be hijacking traffic at the ISP level to push malicious updates; an attack of that kind, however, requires significant resources.

Security Officer Comments:
Beaumont attributed the exploitation activity to threat actors in China, after reporting in early December that a handful of organizations using Notepad++ experienced security incidents where the vulnerability was used for initial access.

The attacks seem to be highly targeted, involving organizations with interests in East Asia. Victims have reported hands-on keyboard reconnaissance activity, following successful intrusions.

In a post on the Notepad++ community forum, a user reported that an executable (autoupdater[.]exe) spawned by WinGUp ran various reconnaissance commands and stored the output in a file called 'a.txt'. Using curl[.]exe, the file was then exfiltrated to temp[.]sh, a file and text-sharing website previously used in malware campaigns.

Suggested Corrections:
Notepad++ first released version 8.8.8 in November, which introduced a security mechanism intended to prevent the updater from being hijacked. More recently, the maintainers published version 8.8.9, which adds digital signature checks and certificate validation: the updater now terminates the update process entirely if the authenticity of the downloaded file cannot be cryptographically verified.

Hunting guide:
  • gup.exe making network requests to hosts other than notepad-plus-plus.org, github.com and release-assets.githubusercontent.com.
  • gup.exe for unusual process subspawns — it should only spawn explorer.exe, and npp* themed Notepad++ installers. For 8.8.8 and 8.8.7 they should have valid digital signatures, and be signed by GlobalSign.
  • Files named update.exe or AutoUpdater.exe in the user's TEMP folder that gup.exe has written and/or executed.
  • Use of curl.exe (bundled with Windows 10 and above) to call out to temp.sh as part of recon activity.
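The four hunting rules above, expressed as detection logic over Sysmon-style process, network and file events. This is an added example, not code from the advisory or from the Notepad++ project; it assumes Sysmon's field names (Image, ParentImage, DestinationHostname, TargetFilename, CommandLine), and the sample events are constructed.

```python
# Hunting rules from the advisory applied to Sysmon-style events (constructed samples below).
ALLOWED_HOSTS = {"notepad-plus-plus.org", "github.com", "release-assets.githubusercontent.com"}
SUSPECT_TEMP_NAMES = {"update.exe", "autoupdater.exe"}


def _base(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def gup_hunt(events):
    """Return a list of (rule, detail) hits for the four gup.exe hunting rules."""
    hits = []
    for ev in events:
        kind = ev.get("EventType")
        img = _base(ev.get("Image", ""))
        parent = _base(ev.get("ParentImage", ""))
        if kind == "NetworkConnect" and img == "gup.exe":
            # Rule 1: the updater should only talk to the allowlisted hosts.
            host = ev.get("DestinationHostname", "").lower()
            if host not in ALLOWED_HOSTS:
                hits.append(("gup-unexpected-host", host))
        elif kind == "ProcessCreate" and parent == "gup.exe":
            # Rule 2: gup.exe should only spawn explorer.exe or npp* installers.
            if img != "explorer.exe" and not img.startswith("npp"):
                hits.append(("gup-unexpected-child", img))
        elif kind == "FileCreate" and img == "gup.exe":
            # Rule 3: update.exe / AutoUpdater.exe written by gup.exe into TEMP.
            target = ev.get("TargetFilename", "")
            if _base(target) in SUSPECT_TEMP_NAMES and "\\temp\\" in target.lower():
                hits.append(("gup-wrote-temp-updater", target))
        elif kind == "ProcessCreate" and img == "curl.exe":
            # Rule 4: built-in curl.exe reaching out to temp.sh.
            if "temp.sh" in ev.get("CommandLine", "").lower():
                hits.append(("curl-to-temp-sh", ev.get("CommandLine")))
    return hits


GUP = r"C:\Program Files\Notepad++\updater\gup.exe"
TEMP = r"C:\Users\alice\AppData\Local\Temp"
SAMPLE_EVENTS = [  # constructed telemetry, not from a real host
    {"EventType": "NetworkConnect", "Image": GUP, "DestinationHostname": "notepad-plus-plus.org"},
    {"EventType": "NetworkConnect", "Image": GUP, "DestinationHostname": "updates.example.invalid"},
    {"EventType": "ProcessCreate", "ParentImage": GUP, "Image": TEMP + r"\npp.8.8.9.Installer.x64.exe"},
    {"EventType": "FileCreate", "Image": GUP, "TargetFilename": TEMP + r"\AutoUpdater.exe"},
    {"EventType": "ProcessCreate", "ParentImage": GUP, "Image": TEMP + r"\AutoUpdater.exe"},
    {"EventType": "ProcessCreate", "ParentImage": TEMP + r"\AutoUpdater.exe",
     "Image": r"C:\Windows\System32\curl.exe", "CommandLine": "curl.exe https://temp.sh/ ..."},
]

if __name__ == "__main__":
    for rule, detail in gup_hunt(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The legitimate update check and the npp* installer launch in the sample produce no hits; the redirected host, the dropped AutoUpdater.exe, its execution by gup.exe and the curl.exe call-out each produce one.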
Link(s):
https://www.bleepingcomputer.com/ne...at-let-attackers-push-malicious-update-files/