
Chinese users searching for legitimate software such as Notepad++ and VNote on search engines like Baidu are being targeted by malvertising and fake links that distribute Trojanized versions of the software and ultimately deploy Geacon, a Golang-based Cobalt Strike implementation.
Kaspersky researcher Sergey Puzan said: “The malicious websites found in notepad++ searches are distributed via advertising blocks.”
“Opening it, attentive users will immediately notice an interesting inconsistency: the website address contains a vnote line, the title offers a download of Notepad-- (an analogue of Notepad++, also distributed as open source software), and the image proudly displays Notepad++. In fact, Notepad is included in the package downloaded from here.”

The website, vnote.fuwenkeji[.]cn, contains download links for the Windows, Linux, and macOS versions of the software. The Windows link points to the official Gitee repository holding the Notepad-- installer (“Notepad--v2.10.0-plugin-Installer.exe”).
By contrast, the Linux and macOS links lead to malicious installation packages hosted on vnote-1321786806.cos.ap-hongkong.myqcloud[.]com.

In a similar manner, the fake VNote websites (“vnote[.]Messages” and “vnotepad[.]com”) lead to the same myqcloud[.]com link, which in this case also points to a Windows installer hosted on that domain. The links to the potentially malicious versions of VNote are, however, no longer valid.
Analysis of the modified Notepad-- installers revealed that they are designed to retrieve next-stage payloads from remote servers, namely a backdoor that resembles Geacon.

The backdoor can create SSH connections, perform file operations, enumerate processes, access clipboard contents, execute files, upload and download files, take screenshots, and even enter sleep mode. It communicates with its command-and-control (C2) server over HTTPS.
In parallel, malvertising campaigns have also used MSIX installer files disguised as Microsoft OneNote, Notion, and Trello to spread other malware, such as FakeBat (also known as EugenLoader).