Recently, the group of researchers from AhnLab Security Intelligence Center (ASEC) have discovered a new malware campaign (WikiLoader) that affects the popular text editor Notepad++. The attackers took pains to disguise the file with the malicious payload so that it looked like one from the application's installation package.
The technique used is the well-known “DLL hijacking ” and specifically affects the default plugin “mimeTools.dll” (used to perform Base64 encoding and other tasks). This module is loaded automatically when the program is started, so the attackers took advantage of this fact to modify it and activate the malware.
Attack flow
First, the attackers added malicious shellcode disguised as a harmless certificate, “Certificate.pem,” to the installation package. These modified one of the functions of mimeTools.dll called “DllEntryPoint.dll”, thus allowing the disguised file to be loaded, decrypted and executed. In the following image you can see the file comparison between the official and malicious installation packages:
The malicious shellcode modifies the “BingMaps.dll” file, more specifically the code of the “GetBingMapsFactory()” function is overwritten by it. At this point an execution flow is created that allows the attacker to inject an execution thread into the application “explorer.exe”, this guarantees the persistence of the attack and makes it more difficult to detect.
When the malware is executed, it connects to a Command and Control (C2) where it sends data collected from the machine (Machine name, user name, if the user is a member of the administrators group, language and system time). After connecting to C2 (posing as a Wordpress login page), a payload is downloaded and turns out to be empty.
Conclusion
The group of attackers have the objective of establishing an access point on the victim machine, and they do so by taking advantage of a tool widely used by users such as Notepad++. WikiLoader poses a significant privacy risk, as it collects information about the infected system and at Zerolynx we recommend following some guidelines to keep your systems safe:
• Always download applications from official and reliable sources.
• Regularly update applications and systems with their latest version that contains patches.
*All photos are obtained from the official ASEC website, access the following link if you want to know more about this vulnerability.
Javier Muñoz , Cybersecurity Analyst at Zerolynx .
