AhnLab SEcurity intelligence Center (ASEC) recently confirmed that "mimeTools.dll", a default plugin of Notepad++, had been tampered with and distributed. The malicious mimeTools.dll was bundled into the installation package of a specific Notepad++ version and disguised as a normal package file. mimeTools is a module that performs encoding functions such as Base64, as shown in the image below, and it ships with Notepad++ by default, so the user never has to add it separately.
Because mimeTools.dll is a default plugin, it is loaded automatically every time Notepad++ starts. The attacker exploited this with a form of DLL hijacking: the user only runs notepad++.exe, but mimeTools.dll is loaded automatically and the malicious code runs with it.
The attacker shipped the malicious shellcode in encrypted form and added to mimeTools.dll the code that decrypts and executes it. The image below compares the files included in the normal Notepad++ package and in the malicious package. As shown later, the certificate.pem file added to the package is the file that holds the encrypted shellcode.
The exported functions of mimeTools.dll are implemented unchanged; only DllEntryPoint differs. In other words, the malicious mimeTools.dll starts its malicious actions the moment the DLL is loaded, even if the user never invokes a plugin function.
The malware's execution flow is shown in the diagram below.
- The malicious activity begins when the user runs Notepad++ and mimeTools.dll is loaded.
- mimeTools.dll decrypts the certificate.pem file into shellcode and runs it.
- That shellcode overwrites the body of BingMaps.dll->GetBingMapsFactory() with further malicious shellcode.
- The shellcode now in GetBingMapsFactory() performs thread injection into explorer.exe.
- Finally, additional shellcode is downloaded from the C2 server and executed.
0. Indirect Syscall
The malware used indirect syscalls at several points during execution. This is a technique for evading anti-virus products and was covered previously on the ASEC blog [1].
As shown in the image above, the stub sets up the argument values the system call needs and then branches with a jmp instruction straight to a syscall instruction inside ntdll instead of executing syscall inline. Because the call never passes through the hooked entry point of the native API in ntdll, anti-virus products that rely on user-mode hooks of those APIs do not see it.
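The pattern above can be hunted for statically in a memory dump or unpacked sample. The following is an added example (my own code, not from the article or the sample): it finds the "mov r10, rcx ; mov eax, SSN" prologue shared by every x64 ntdll Nt* stub and classifies what comes next, a syscall instruction (the normal stub) or a jmp (the hand-rolled indirect stub). The instruction encodings are the fixed x64 ones; the sample buffer and its SSN values are constructed for the demonstration and are not bytes from the malware.

```python
import struct
from typing import Dict, List

# Fixed x64 instruction encodings used by the scanner.
MOV_R10_RCX = b"\x4c\x8b\xd1"  # mov r10, rcx   (first instruction of every ntdll Nt* stub)
MOV_EAX_IMM = b"\xb8"          # mov eax, imm32 (imm32 is the system service number, SSN)
SYSCALL = b"\x0f\x05"          # syscall
JMP_REL32 = b"\xe9"            # jmp rel32
JMP_RIP_IND = b"\xff\x25"      # jmp qword ptr [rip+disp32]


def classify_stubs(code: bytes, window: int = 24) -> List[Dict]:
    """Locate 'mov r10, rcx ; mov eax, SSN' sequences and classify how each one
    enters the kernel: 'direct' if a syscall instruction follows within `window`
    bytes, 'indirect' if a jmp comes first (arguments and SSN are set up locally,
    then control jumps to a syscall instruction elsewhere, as the article
    describes). This is a byte-pattern heuristic, not a disassembler."""
    prefix = MOV_R10_RCX + MOV_EAX_IMM
    results = []
    pos = code.find(prefix)
    while pos >= 0:
        ssn_at = pos + len(prefix)
        if ssn_at + 4 > len(code):
            break
        ssn = struct.unpack_from("<I", code, ssn_at)[0]
        body = code[ssn_at + 4: ssn_at + 4 + window]
        kind = "unknown"
        for i in range(len(body)):
            if body.startswith(SYSCALL, i):
                kind = "direct"
                break
            if body.startswith(JMP_REL32, i) or body.startswith(JMP_RIP_IND, i):
                kind = "indirect"
                break
        results.append({"offset": pos, "ssn": ssn, "kind": kind})
        pos = code.find(prefix, ssn_at)
    return results


# Constructed sample buffer (not from the malware): one stub shaped like the ones
# Windows ships in ntdll, then two hand-rolled indirect-syscall stubs. The SSNs
# 0x18, 0x3a and 0xc7 are arbitrary placeholder values.
SAMPLE = (
    MOV_R10_RCX + MOV_EAX_IMM + struct.pack("<I", 0x18)
    + b"\xf6\x04\x25\x08\x03\xfe\x7f\x01"   # test byte ptr [0x7ffe0308], 1
    + b"\x75\x03"                            # jne +3
    + SYSCALL + b"\xc3"                      # syscall ; ret
    + b"\x90" * 4
    + MOV_R10_RCX + MOV_EAX_IMM + struct.pack("<I", 0x3a)
    + JMP_REL32 + struct.pack("<i", 0x1234)  # jmp to a syscall gadget elsewhere
    + b"\x90" * 4
    + MOV_R10_RCX + MOV_EAX_IMM + struct.pack("<I", 0xc7)
    + JMP_RIP_IND + struct.pack("<i", 0x40)  # jmp [rip+0x40]: same idea through a pointer
)


def scan_sample() -> List[Dict]:
    return classify_stubs(SAMPLE)


if __name__ == "__main__":
    for r in scan_sample():
        print(f"offset 0x{r['offset']:04x}  ssn 0x{r['ssn']:03x}  {r['kind']}")
```

Run it over the .text section of a dumped module or over a shellcode blob; every "indirect" hit gives you the SSN the stub was about to issue, which maps back to the Nt* function for that Windows build.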
1. ShellCode decryption & execution
When first executed, the decrypted shellcode is placed in the memory of the notepad++ process. This stage contains a delay of about 10 minutes; an analyst can bypass it easily by modifying the RCX value at that point in a debugger, so it is not discussed further in this article.
The contents of certificate.pem are turned into shellcode using two modules, Crypt32.dll and BCrypt.dll:
1. Base64 decoding
2. AES decryption (key: wqviIfew62w0zgP97yw9G2nqlHFKkggQ, a 32-byte key, i.e. AES-256)
The region holding the shellcode is then made executable and control is transferred to it with a jmp instruction.
2. BingMaps.dll tampering
The shellcode patches BingMaps.dll: it modifies the DLL's entry point and overwrites the body of the exported function GetBingMapsFactory() with shellcode.
Execution then moves to BingMaps.dll->GetBingMapsFactory() through the following sequence.
1. NtCreateThreadEx()
2. NtGetContextThread()
3. NtSetContextThread() : Set RIP
4. ResumeThread()
After creating the thread (suspended, since it is resumed explicitly in step 4), the malware reads the thread's registers with NtGetContextThread() and sets RIP to GetBingMapsFactory(), the region overwritten with shellcode, before resuming it.
3. Modified GetBingMapsFactory()
In the previous step the GetBingMapsFactory() function of BingMaps.dll was overwritten with shellcode. This function, which now runs as a new thread, checks for analysis environments such as VMs and terminates the process if one is found, and it is responsible for injecting a thread into explorer.exe.
The code computes a simple hash of the name of every running process by iterating over the characters one at a time with shift and XOR operations. The resulting hash is compared against embedded values to check whether a specific process exists; on a match the malware terminates without performing any further malicious action. The confirmed list of process names that trigger termination is as follows.
- VGAuthService.exe
- vmtoolsd.exe
- ProcessHacker.exe
- x64dbg.exe
- PE-bear.exe
- CFFExplorer.exe
- Autoruns.exe
- procexp.exe
- procexp64.exe
- Procmon.exe
- Procmon64.exe
- tcpview.exe
- Dbgview.exe
- portmon.exe
When the explorer.exe process is encountered, the malware records its PID for later use. The saved PID of explorer.exe is then used to place additional shellcode inside explorer.exe in the following order.
1. NtAllocateVirtualMemory(): allocate a region inside explorer.exe
2. NtWriteVirtualMemory(): write the shellcode into that region
3. NtCreateThreadEx(): run the written shellcode as a new thread
From then on, the malicious code is executed in the memory space of explorer.exe.
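The process enumeration in GetBingMapsFactory() does two things in one pass: it compares each process name's hash against stored values and it remembers the PID of explorer.exe. The following is an added example (my own code, not the malware's or the article's) that models that logic and the analyst's counterpart, recovering the names behind hash constants with a wordlist. The hash function here is an assumption: the article says only "shift and XOR, one character at a time", so the 5-bit rotate, 32-bit state and case folding are illustrative choices, not recovered constants. The process snapshots are constructed.

```python
from typing import Dict, Iterable, Optional, Set, Tuple


def name_hash(name: str) -> int:
    """Assumed shift/XOR hash (rotate-left-5 then XOR each byte, 32-bit state).
    Case folding is my choice; the real routine's handling of case is not known."""
    h = 0
    for b in name.lower().encode("utf-8"):
        h = ((h << 5) | (h >> 27)) & 0xFFFFFFFF
        h ^= b
    return h


# Process names the article reports as triggering termination.
BLACKLIST = [
    "VGAuthService.exe", "vmtoolsd.exe", "ProcessHacker.exe", "x64dbg.exe",
    "PE-bear.exe", "CFFExplorer.exe", "Autoruns.exe", "procexp.exe",
    "procexp64.exe", "Procmon.exe", "Procmon64.exe", "tcpview.exe",
    "Dbgview.exe", "portmon.exe",
]
# What a binary using this scheme carries: only the hash values, no strings.
BLACKLIST_HASHES: Set[int] = {name_hash(n) for n in BLACKLIST}


def survey(snapshot: Iterable[Tuple[int, str]]) -> Tuple[Optional[str], Optional[int]]:
    """One pass over a (pid, image name) snapshot, as the overwritten function does:
    returns the first process whose name hash is in the stored set (the malware
    would exit at that point) and the PID of explorer.exe (the injection target)."""
    hit = None
    explorer_pid = None
    for pid, name in snapshot:
        if hit is None and name_hash(name) in BLACKLIST_HASHES:
            hit = name
        if explorer_pid is None and name.lower() == "explorer.exe":
            explorer_pid = pid
    return hit, explorer_pid


def resolve(constants: Iterable[int], wordlist: Iterable[str]) -> Dict[int, str]:
    """Analyst side: given hash constants lifted from a sample, recover the names
    by hashing a wordlist of tool and process names with the same function."""
    table = {name_hash(w): w for w in wordlist}
    return {c: table[c] for c in constants if c in table}


# Constructed snapshots (not from a real host).
CLEAN_HOST = [(4, "System"), (616, "csrss.exe"), (3512, "explorer.exe"), (4100, "notepad++.exe")]
ANALYST_HOST = CLEAN_HOST + [(5220, "Procmon64.exe")]

if __name__ == "__main__":
    print(survey(CLEAN_HOST))    # (None, 3512): no tool found, explorer.exe PID recorded
    print(survey(ANALYST_HOST))  # ('Procmon64.exe', 3512): the malware would exit here
```

When reversing a sample of this kind, lift the constants the comparison loop uses, reimplement the exact shift/XOR routine from the disassembly in place of `name_hash`, and run `resolve` over a wordlist of analysis tools; the fourteen names above are a good starting list.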
4. Explorer.exe (Injected)
From here the malicious activity begins in earnest: the code connects to the C2, downloads additional shellcode, and runs it.
The string used for C2 communication is converted into a URL by a specific function. The C2 URL can be recovered through a very simple process: concatenate only the odd-numbered characters of the obfuscated string. The collected C2 addresses are listed in the IoC section at the end of this post.
Information collected from the victim's PC is Base64-encoded, added to a request header, and delivered to the attacker in a GET request to the C2. The information collected is as follows.
- Computer Name
- User Name
- Whether the current user is a member of the Administrators group
- Language
- System Time
After the C2 communication, the code searches the response for the offset of a specific string ("on><!--gmail "). It decodes the additional shellcode found at that offset and jumps to it. At the time of analysis the C2 URL was still reachable, but the additional shellcode at that offset was empty.
The C2 reached during analysis was the login page of a WordPress site. When the malware was first distributed, the C2 was a wiki site, which is how it came to be called "WikiLoader".
In this post we examined a case where malicious code was inserted into Notepad++, an editor popular for its wide language support and powerful plugin system. The habit of downloading software only from official distribution sites is therefore very important, and special caution is required when using cracked versions or software from unknown sources.
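The three C2-side steps described above (URL de-obfuscation, the Base64 beacon header, and the marker search in the response) are modelled in the following added example, which is my own code and not the malware's or the article's. Assumptions are marked in the code: the odd-numbered characters are taken as the 1st, 3rd, 5th and so on (even indices); the field order and "|" separator of the beacon are my choice, since the article only says the data is Base64-encoded and sent in a header; the marker is read as the HTML comment opener "on><!--gmail "; and the stage is assumed to be Base64 text ending at the first non-Base64 byte, because the page does not describe the decoding routine. The URL and the HTTP responses are constructed, including the empty-stage response that matches the state observed at the time of analysis.

```python
import base64
import binascii
from typing import Dict, Optional, Tuple

# Marker reported in the article, read as an HTML comment opener.
MARKER = b"on><!--gmail "
B64_ALPHABET = set(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")
BEACON_FIELDS = ["computer_name", "user_name", "is_admin", "language", "system_time"]  # assumed order


def deinterleave_url(obfuscated: str) -> str:
    """Keep only the odd-numbered characters (1st, 3rd, ... = even indices).
    Which parity the malware uses is an assumption; flip the start index if a
    sample disagrees."""
    return obfuscated[0::2]


def interleave_url(url: str, filler: str = "k9Qz") -> str:
    """Constructed obfuscation used only to build test input: pads every
    character of the URL with one junk character after it."""
    return "".join(c + filler[i % len(filler)] for i, c in enumerate(url))


def build_beacon_header(info: Dict[str, str]) -> str:
    """Base64-encode the host information the article lists, in BEACON_FIELDS
    order joined by '|' (the real field layout is not described on the page)."""
    raw = "|".join(info[k] for k in BEACON_FIELDS).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def parse_beacon_header(header: str) -> Dict[str, str]:
    """Inverse of build_beacon_header, for decoding a captured request."""
    fields = base64.b64decode(header).decode("utf-8").split("|")
    return dict(zip(BEACON_FIELDS, fields))


def extract_stage(response: bytes) -> Tuple[str, Optional[bytes]]:
    """Locate MARKER in a response body and decode what follows it.
    Returns ('missing', None) if the marker is absent, ('empty', b'') if the
    marker is present but nothing follows it (what the article observed),
    ('payload', bytes) on success, ('undecodable', None) on bad Base64."""
    off = response.find(MARKER)
    if off < 0:
        return "missing", None
    start = off + len(MARKER)
    end = start
    while end < len(response) and response[end] in B64_ALPHABET:
        end += 1
    blob = response[start:end]
    if not blob:
        return "empty", b""
    try:
        return "payload", base64.b64decode(blob, validate=True)
    except binascii.Error:
        return "undecodable", None


# Constructed test data (placeholder URL, not a real C2; placeholder 'stage' bytes).
C2_URL = "hxxps://example.invalid/wp-content/themes/twentytwentyfour/stage.php?id=1"
OBFUSCATED_URL = interleave_url(C2_URL)
STAGE = b"\x48\x31\xc0\xc3"  # xor rax, rax ; ret
RESPONSE_WITH_STAGE = (b"<html><body><div class=on><!--gmail "
                       + base64.b64encode(STAGE) + b"--></div></body></html>")
RESPONSE_EMPTY = b"<html><body><div class=on><!--gmail --></div></body></html>"
RESPONSE_LOGIN_PAGE = b"<html><body><form id=loginform>...</form></body></html>"

if __name__ == "__main__":
    print(deinterleave_url(OBFUSCATED_URL))
    print(extract_stage(RESPONSE_WITH_STAGE))
    print(extract_stage(RESPONSE_EMPTY))
```

The status tuple from `extract_stage` matters for hunting: a proxy log showing the beacon header to one of the listed URLs is a compromise regardless of whether the response carried a stage, and "empty" is exactly what a takedown or a paused campaign looks like from the victim side.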
File diagnosis
- Trojan/Win.WikiLoader.C5594131
- Trojan/Win.WikiLoader.R642896
- Trojan/Bin.ShellCode
[MD5]
- c4ac3b4ce7aa4ca1234d2d3787323de2 : package file (npp.8.6.3.portable.x64.zip)
- 6136ce65b22f59b9f8e564863820720b : mimeTools.dll
- fe4237ab7847f3c235406b9ac90ca845 : certificate.pem
- d29f25c4b162f6a19d4c6b96a540648c : package file (npp.8.6.4.portable.x64.zip)
- 8b7a358005eff6c44d66e44f5b266d33 : mimeTools.dll
- d5ea5ad8678f362bac86875cad47ba21 : certificate.pem
[C&C]
- hxxps://car***************.com/wp-content/themes/twentytwentytwo/nnzknr.php?id=1
- hxxps://pro**********.net/wp-content/themes/twentytwentythree/hyhnv3.php?id=1
- hxxps://www.era********.eu/wp-content/themes/twentytwentyfour/dqyzqp.php?id=1
- hxxps://www.mar**********.it/wp-content/themes/twentytwentyfour/c2hitq.php?id=1
- hxxps://osa*******.com/wp-content/themes/twentytwentythree/ovqugo.php?id=1
- hxxps://www.ala************.com/wp-content/themes/twentytwentyfour/34uo7s.php?id=1
- hxxps://13*******.org/wp-content/themes/twentytwentythree/t51kkf.php?id=1
- hxxps://alt**************.com/wp-content/themes/twentytwentyfour/c9wfar.php?id=1
- hxxps://www.am*******.com/wp-content/themes/twentyten/b9un4f.php?id=1
- hxxps://lu*******************.com/wp-content/themes/twentytwentytwo/pam8oa.php?id=1
- hxxps://www.yu*******.de/wp-content/themes/twentytwentytwo/n2gd2t.php?id=1
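The file-level IoCs above can be applied to an installed or unpacked Notepad++ directory with the following added example (my own code, not ASEC's tooling). It walks the tree, reports any certificate.pem, which the package comparison in the article attributes to the malicious package, and compares the MD5 of every mimeTools.dll and certificate.pem it finds against the listed hashes. The location of the two files inside the package is not stated in the post, so the whole tree is searched; the plugins\mimeTools layout used to build the throwaway test directory is an assumption, and its file contents are placeholders that will not match the IoC hashes.

```python
import hashlib
import os
import tempfile
from typing import List

# MD5s from the IoC list above for the two files the article ties to the tampered package.
KNOWN_BAD_MD5 = {
    "6136ce65b22f59b9f8e564863820720b": "mimeTools.dll (npp.8.6.3.portable.x64.zip)",
    "8b7a358005eff6c44d66e44f5b266d33": "mimeTools.dll (npp.8.6.4.portable.x64.zip)",
    "fe4237ab7847f3c235406b9ac90ca845": "certificate.pem (npp.8.6.3.portable.x64.zip)",
    "d5ea5ad8678f362bac86875cad47ba21": "certificate.pem (npp.8.6.4.portable.x64.zip)",
}
WATCHED = ("mimetools.dll", "certificate.pem")


def md5_file(path: str) -> str:
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def triage_notepadpp_dir(root: str) -> List[str]:
    """Walk a Notepad++ installation or unpacked portable package and report
    (1) any certificate.pem, which the legitimate package does not carry, and
    (2) any mimeTools.dll or certificate.pem whose MD5 is on the IoC list.
    The whole tree is searched because the in-package path is not documented."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            lowered = name.lower()
            if lowered not in WATCHED:
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if lowered == "certificate.pem":
                findings.append(f"unexpected file in package: {rel}")
            digest = md5_file(path)
            if digest in KNOWN_BAD_MD5:
                findings.append(f"known-bad {KNOWN_BAD_MD5[digest]} md5={digest}: {rel}")
    return findings


def build_constructed_tree(with_pem: bool = True) -> str:
    """Create a throwaway directory shaped like a portable package with an
    assumed plugins\\mimeTools folder holding a placeholder DLL and, optionally,
    a placeholder certificate.pem. Contents are made up, so only the structural
    check fires, never a hash match."""
    root = tempfile.mkdtemp(prefix="npp-triage-")
    plugin_dir = os.path.join(root, "plugins", "mimeTools")
    os.makedirs(plugin_dir)
    with open(os.path.join(plugin_dir, "mimeTools.dll"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 62)
    if with_pem:
        with open(os.path.join(plugin_dir, "certificate.pem"), "wb") as f:
            f.write(b"placeholder, not the real payload\n")
    return root


if __name__ == "__main__":
    for line in triage_notepadpp_dir(build_constructed_tree()):
        print(line)
```

Point `triage_notepadpp_dir` at the real install directory (or the extracted zip) instead of the constructed tree; a hit on the structural check without a hash match still deserves a look, since a re-packed variant would carry a different certificate.pem.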