Strongpity, a hacking group, is widely using malicious Notepad++ installers to target users in Belgium and Italy.

The modus operandi works because the malicious payload is hidden inside the installer of a legitimate, widely trusted tool.

  • An analyst known as Blackorbird identified the malicious installer, and Minerva Labs provided further details after their analysis.
  • The malware can pilfer files and other data.
  • In a previous attack campaign, the attackers targeted users who were interested in TrueCrypt and WinRAR software.


Modus operandi

  • “Once the installer is executed, it creates a folder named Windows Data at C:\ProgramData\Microsoft and drops three files – npp[.]8[.]1[.]7[.]Installer[.]x64[.]exe, winpickr[.]exe, and ntuis32[.]exe.
  • The installation of the code editor continues as usual and the victim doesn’t notice anything that raises an alert.
  • Moreover, it creates a “PickerSrv” service for malware persistence.
  • The PickerSrv service executes another file ntuis32[.]exe (a keylogger component) as an overlapped window.
  • The keylogger monitors all keystrokes of the user and saves them to hidden system files at C:\ProgramData\Microsoft\WindowsData. This is constantly checked by the winpickr[.]exe process.
  • If a new log file is spotted, the component makes contact with the C2 for uploading the stolen data.
  • Once the transfer of data is done, the original log is deleted to remove any traces of malicious actions.”
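A defender-side host check for the artefacts named in the quoted analysis, added here as an example and not code from the article or from Minerva Labs. The file and service names are the de-fanged values above with the brackets removed; both spellings of the drop folder given in the quote are checked, and the hunt logic itself is an assumption.

```powershell
# Added example: hunt for the trojanized Notepad++ installer artefacts on a Windows host.
# Names and paths come from the quoted analysis; the check logic is an assumption.
$dropDirs  = @('Microsoft\Windows Data', 'Microsoft\WindowsData') |
             ForEach-Object { Join-Path $env:ProgramData $_ }   # quote uses both spellings
$dropFiles = @('npp.8.1.7.Installer.x64.exe', 'winpickr.exe', 'ntuis32.exe')
$svcName   = 'PickerSrv'
$findings  = @()

# 1. Persistence: the service the installer registers.
$svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
if ($svc) {
    $bin = (Get-CimInstance Win32_Service -Filter "Name='$svcName'").PathName
    $findings += [pscustomobject]@{ Type='Service'; Item=$svcName; Detail="State=$($svc.Status) Path=$bin" }
}

# 2. Dropped files and hidden keystroke logs in the staging folder.
foreach ($dir in $dropDirs) {
    if (-not (Test-Path $dir)) { continue }
    $findings += [pscustomobject]@{ Type='Directory'; Item=$dir; Detail='Exists' }
    foreach ($f in $dropFiles) {
        $p = Join-Path $dir $f
        if (Test-Path $p) {
            $hash = (Get-FileHash -Path $p -Algorithm SHA256).Hash   # record for IR, do not execute
            $findings += [pscustomobject]@{ Type='File'; Item=$p; Detail="SHA256=$hash" }
        }
    }
    # The keylogger writes its logs as hidden files; -Force is needed to list them.
    Get-ChildItem -Path $dir -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden } |
        ForEach-Object {
            $findings += [pscustomobject]@{ Type='HiddenFile'; Item=$_.FullName; Detail="Size=$($_.Length)" }
        }
}

# 3. Keylogger and uploader components still running.
Get-Process -Name 'winpickr', 'ntuis32' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $findings += [pscustomobject]@{ Type='Process'; Item=$_.ProcessName; Detail="PID=$($_.Id)" }
    }

if ($findings.Count -eq 0) { Write-Output 'No StrongPity Notepad++ artefacts found on this host.' }
else { $findings | Format-Table -AutoSize }
```

Run from an elevated PowerShell session so the service binary path and hidden files in ProgramData are readable; a non-empty table is a trigger for isolating the host and collecting the listed files, not for deleting them.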

Cybercriminals have exploited users’ trust in well-known software. Download Notepad++ only from the official website.