StrongPity, a hacking group, is widely using malicious Notepad++ installers to target users in Belgium and Italy.
The approach succeeds because the malware is hidden inside the installer of a legitimate tool.
- An analyst known as Blackorbird identified the malicious installer, and Minerva Labs provided more information after analyzing it.
- The malware can pilfer files and other data.
- In a previous attack campaign, attackers targeted users who were interested in TrueCrypt and WinRAR software.
- “Once the installer is executed, it creates a folder named Windows Data at C:\ProgramData\Microsoft and drops three files – npp[.]8[.]1[.]7[.]Installer[.]x64[.]exe, winpickr[.]exe, and ntuis32[.]exe.
- The installation of the code editor continues as usual and the victim doesn’t notice anything that raises an alert.
- Moreover, it creates a “PickerSrv” service for malware persistence.
- The PickerSrv service executes another file ntuis32[.]exe (a keylogger component) as an overlapped window.
- The keylogger monitors all keystrokes of the user and saves them to hidden system files at C:\ProgramData\Microsoft\WindowsData. This is constantly checked by the winpickr[.]exe process.
- If a new log file is spotted, the component makes contact with the C2 to upload the stolen data.
- Once the transfer of data is done, the original log is deleted to remove any traces of malicious actions.”
Cybercriminals have exploited users’ trust in known software. Download the Notepad++ software from the official website.
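
The behaviour quoted above (two components dropped into the Windows Data folder plus a PickerSrv service) can be turned into a simple host hunt. The sketch below is an added example, not code from Minerva Labs or the original article; the event field names, the sample telemetry and the two-indicator threshold are assumptions.

```python
import re
from collections import defaultdict

# Indicators taken from the quoted analysis; the folder is written both as
# "Windows Data" and "WindowsData" there, so whitespace is ignored on compare.
DROP_DIR = r"c:\programdata\microsoft\windowsdata"
DROPPED = {"winpickr.exe", "ntuis32.exe"}
SERVICE = "pickersrv"

def norm(path):
    """Lower-case, refang '[.]', unify slashes and drop whitespace."""
    p = path.replace("[.]", ".").replace("/", "\\").lower()
    return re.sub(r"\s+", "", p)

def classify(event):
    """Return the indicator an event matches, or None."""
    kind = event.get("type")
    if kind == "service_install" and norm(event.get("name", "")) == SERVICE:
        return "service:PickerSrv"
    if kind in ("file_create", "process_start"):
        folder, _, leaf = norm(event.get("path", "")).rpartition("\\")
        if folder == DROP_DIR and leaf in DROPPED:
            return f"{kind}:{leaf}"
    return None

def hunt(events, min_hits=2):
    """Map host -> sorted indicators, keeping hosts with >= min_hits (assumed threshold)."""
    hits = defaultdict(set)
    for ev in events:
        tag = classify(ev)
        if tag:
            hits[ev["host"]].add(tag)
    return {h: sorted(t) for h, t in hits.items() if len(t) >= min_hits}

# Constructed sample telemetry (not real logs); field names are assumptions.
SAMPLE = [
    {"host": "ws-01", "type": "file_create", "path": r"C:\ProgramData\Microsoft\Windows Data\winpickr.exe"},
    {"host": "ws-01", "type": "service_install", "name": "PickerSrv"},
    {"host": "ws-01", "type": "process_start", "path": r"C:\ProgramData\Microsoft\WindowsData\ntuis32[.]exe"},
    {"host": "ws-02", "type": "file_create", "path": r"C:\Users\a\Downloads\ntuis32.exe"},
    {"host": "ws-03", "type": "service_install", "name": "Spooler"},
]

if __name__ == "__main__":
    for host, tags in hunt(SAMPLE).items():
        print(host, tags)
```

The same file name outside the drop folder (ws-02) and an unrelated service (ws-03) are not flagged, which keeps the hunt tied to the combination described in the analysis.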