“Totally Unexpected” Package Malware Using Modified Notepad++ Plug-in (WikiLoader)

Malware Analysis
1

AhnLab SEcurity intelligence Center (ASEC) has recently identified the distribution of a modified version of “mimeTools.dll”, a default Notepad++ plug-in. The malicious mimeTools.dll file in question was included in the package installation file of a certain version of the Notepad++ package and disguised as a legitimate package file. As shown in the image below, mimeTools is a module for conducting Base64 encoding and other tasks. It is included by default and does not require the user to add it manually.

Because mimeTools.dll is a default plug-in of Notepad++, it is automatically loaded when the program is launched. The threat actor took advantage of this fact and probably used a type of DLL-hijacking technique. That is, upon running Notepad++.exe, mimeTools.dll is automatically loaded as well, triggering the malware.

Figure 1. mimeTools, a Notepad++ plug-in

The threat actor added an encoded malicious shellcode and the code to decrypt and execute this shellcode in mimeTools.dll. The following image is a comparison of the files in the normal Notepad++ package and the malicious package. Out of these, certificate.pem is the file containing the malicious shellcode.

Figure 2. A comparison of files within the official and malicious packages

Also, the features provided by mimeTools.dll (Export) are present, with only the code for the DllEntryPoint being different. This means that the malicious mimeTools.dll begins its malicious behaviors as soon as the DLL is loaded, even if the user does not execute a function in particular.

Figure 3. A comparison of EntryPoint of the legitimate and malicious mimeTools.dll

The malware strain in question has the execution flow shown in the following diagram.

  1. Malicious behaviors begin as soon as the user launches Notepad++ since mimeTools.dll is simultaneously loaded.
  2. In mimeTools.dll, the file certificate.pem is decrypted to shellcode and executed.
  3. Then, the code within the BingMaps.dll->GetBingMapsFactory() function is overwritten with the malicious shellcode.
  4. The shellcode being overwritten in turn performs thread injection into explorer.exe.
  5. Ultimately, an additional shellcode is downloaded and executed from the C2 server.
Figure 4. Malware flow diagram

0. Indirect Syscall

This malware strain used multiple indirect syscall techniques at the point of execution. These are techniques for evading anti-malware products and have also been covered in a previous ASEC Blog post. [1]

Figure 5. Indirect syscall

As shown in the above image, the code branches to syscall using the jmp statement. The jmp statement points directly to the syscall part and sets the argument value needed to call this syscall itself. Using this method, it hooks ntdll and bypasses anti-malware products monitoring the Native API.

1. Shellcode Decryption & Execution

The decrypted shellcode is created in the process area of Notepad++ executed in the beginning. The area contains a logic for about 10 minutes of delay time. This can be bypassed easily by modifying the RCX value, and the method will not be covered in this post.

Figure 6. Decryption process of the certificate.pem file
Figure 7. Decrypted shellcode

The binary included in the certificate.pem file uses the two modules (Crypt32.dll and BCrypt.dll) to transform into a shellcode.

1. Base64 Decoding
2. AES Decrypt (key: wqviIfew62w0zgP97yw9G2nqlHFKkggQ)

Figure 8. Execution flow switching to shellcode

Then, execution privilege is given to the area where the shellcode is created, after which a jmp statement is used to convert the execution flow.

2. BingMaps.dll Modification

The EntryPoint of BingMaps.dll is modified, and the code within the export function GetBingMapsFactory() is overwritten with a shellcode.

Figure 9. BingMaps.dll->EntryPoint modification
Figure 10. BingMaps.dll->GetBingMapsFactory() modification

Then the execution flow of BingMaps.dll->GetBingMapsFactory() switches to the following order.

1. NtCreateThreadEx()
2. NtGetContextThread()
3. NtSetContextThread(): Set RIP
4. ResumeThread()

After creating a thread, NtGetContextThread() is used to get the register value of the thread in question, and the RIP register is set to GetBingMapsFactory (area overwritten with the shellcode).

Figure 11. Setting the modified GetBingMapsFactory() with RIP

3. Modified GetBingMapsFactory()

The GetBingMapsFactory() function in BingMaps.dll was overwritten with a shellcode in the previous step. The function that began with a new thread has a process for checking analysis environments such as VM to terminate the process. It is also responsible for injecting a thread into explorer.exe.

Figure 12. Hash match based on the process name

The code in question performs a SHIFT and XOR calculation on each letter of all running processes to create a simple hash value. The created hash value is used to check for the presence of certain processes. If the hash matches, it terminates without performing any malicious behaviors. Below is the list of confirmed process names that cause the thread to terminate when present.

  • VGAuthService.exe
  • vmtoolsd.exe
  • ProcessHacker.exe
  • x64dbg.exe
  • PE-bear.exe
  • CFF Explorer.exe
  • Autoruns.exe
  • procexp.exe
  • procexp64.exe
  • Procmon.exe
  • Procmon64.exe
  • tcpview.exe
  • Dbgview.exe
  • portmon.exe

When it runs into the “explorer.exe” process, it additionally collects and stores information needed for future malicious behaviors (PID). The stored PID of explorer is used in the future to create additional shellcode in explorer.exe, and the order is as follows.

1. NtAllocateVirtualMemory(): Assigns space within explorer.exe
2. NtWriteVirtualMemory(): Injects shellcode in the above space
3. NtCreateThreadEx(): Executes the injected shellcode with a thread

Afterward, the malware is run in the memory area of explorer.exe.

Figure 13. Shellcode injected into explorer.exe

4. Explorer.exe (Injected)

The actual malicious behaviors begin from this point onward. The malware connects to the C2, then downloads and executes an additional shellcode.

Figure 14. C2 string before rebuilding

The string used in the process of communicating with the C2 becomes a URL after being passed through a certain function. The C2 URL string can be obtained through the very simple process of connecting only odd-numbered characters. The obtained C2 URLs are listed in the IoC section at the bottom of this post.

Figure 15. Adding system information to Request Header

Before sending Get Request to the C2, the information collected from the user PC is encoded in Base64, added to the header, and sent to the threat actor. The collected information includes the following.

  • Computer Name
  • User Name
  • Whether the current user is a member of the Administrator’s group
  • Language
  • System Time
Figure 16. Extracting the shellcode from response

A process of searching for the offset of a certain string (“on><!–gmail “) in response after C2 communication was additionally identified. Additional shellcode is decrypted from this offset and the code performs a jmp process to the shellcode. While the C2 URL is currently available for access, the additional shellcode in the offset is empty.

Figure 17. C2 appearance and internal code

The C2 being accessed was designed to look like the WordPress login page at the time of analysis. When the malware strain was first being distributed, the C2 had the appearance of a Wiki website and was named “WikiLoader”.

So far we have examined a case where a malware strain was embedded in Notepad++, a program beloved by many users due to its wide range of language support and powerful plugin features. It is important to always download software from official websites and practice particular caution when using cracked versions or other software from unknown sources.

File Detection
– Trojan/Win.WikiLoader.C5594131
– Trojan/Win.WikiLoader.R642896
– Trojan/Bin.ShellCode

IoC

[MD5s]
– c4ac3b4ce7aa4ca1234d2d3787323de2: package file (npp.8.6.3.portable.x64.zip)
– 6136ce65b22f59b9f8e564863820720b: mimeTools.dll
– fe4237ab7847f3c235406b9ac90ca845: certificate.pem
– d29f25c4b162f6a19d4c6b96a540648c: package file (npp.8.6.4.portable.x64.zip)
– 8b7a358005eff6c44d66e44f5b266d33: mimeTools.dll
– d5ea5ad8678f362bac86875cad47ba21: certificate.pem

[C&C]
– hxxps://car***************.com/wp-content/themes/twentytwentytwo/nnzknr.php?id=1
– hxxps://pro**********.net/wp-content/themes/twentytwentythree/hyhnv3.php?id=1
– hxxps://www.era********.eu/wp-content/themes/twentytwentyfour/dqyzqp.php?id=1
– hxxps://www.mar**********.it/wp-content/themes/twentytwentyfour/c2hitq.php?id=1
– hxxps://osa*******.com/wp-content/themes/twentytwentythree/ovqugo.php?id=1
– hxxps://www.ala************.com/wp-content/themes/twentytwentyfour/34uo7s.php?id=1
– hxxps://13*******.org/wp-content/themes/twentytwentythree/t51kkf.php?id=1
– hxxps://alt**************.com/wp-content/themes/twentytwentyfour/c9wfar.php?id=1
– hxxps://www.am*******.com/wp-content/themes/twentyten/b9un4f.php?id=1
– hxxps://lu*******************.com/wp-content/themes/twentytwentytwo/pam8oa.php?id=1
– hxxps://www.yu*******.de/wp-content/themes/twentytwentytwo/n2gd2t.php?id=1

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IoC and detailed analysis information.

The post “Totally Unexpected” Package Malware Using Modified Notepad++ Plug-in (WikiLoader) appeared first on ASEC BLOG.

Article Link: "Totally Unexpected" Package Malware Using Modified Notepad++ Plug-in (WikiLoader) - ASEC BLOG