Stealth Malware Masquerades as Notepad++ to Hijack Bandwidth in Sophisticated Attack Targeting South Korea

Stealthy Proxyware Malware Masquerades as Notepad++ to Exploit Windows Systems

A sophisticated cyberattack has been identified, wherein malicious proxyware is camouflaged as legitimate Notepad++ installations. This campaign, orchestrated by the threat actor known as Larva-25012, specifically targets users seeking cracked software through deceptive advertisements and counterfeit download portals.

Understanding Proxyjacking

Proxyjacking is a cyberattack method where an individual’s internet bandwidth is hijacked without their consent. Unlike cryptojacking, which exploits computing power to mine cryptocurrencies, proxyjacking monetizes network bandwidth by redirecting it to external parties. This unauthorized use can lead to degraded network performance and potential legal implications for the unsuspecting victim.

Distribution Tactics

The primary distribution of this malware has been observed in South Korea. Attackers employ websites that mimic legitimate download portals for pirated software. These sites host malicious files on GitHub repositories, delivering them as MSI installers or ZIP archives. These packages contain both genuine Notepad++ components and concealed malware, making detection challenging.

Infection Mechanism

Upon execution, the malware establishes persistence within the system by creating entries in the Windows Task Scheduler. It then deploys proxyware programs such as Infatica and DigitalPulse, which operate silently in the background, redirecting the victim’s bandwidth to generate revenue for the attackers.

Evasion Techniques

Analysts from ASEC have noted the evolution of the attacker’s tactics to avoid detection. The threat actor has transitioned from using .NET-based malware to C++ and Python variants. They employ advanced injection techniques targeting the Windows Explorer process, demonstrating a concerted effort to bypass security solutions and maintain control over compromised systems.

Detailed Infection Chain

The infection process begins when users download what appears to be a Notepad++ installer from fraudulent websites. These packages contain malicious DLLs that the bundled, legitimate executable loads through DLL side-loading. The malware then injects shellcode into legitimate Windows processes, deploys PowerShell scripts to install additional components such as NodeJS or Python, and creates multiple obfuscated loader files. These loaders communicate with command-and-control servers, retrieve instructions, and install proxyware modules that monetize the victim's network connection.

Persistence Strategies

The malware employs two primary distribution variants: Setup.msi and Setup.zip.

– Setup.msi Variant: This variant installs a C++-based DLL that registers itself in the Windows Task Scheduler under the name Notepad Update Scheduler and launches via Rundll32.exe. The DLL injects shellcode into AggregatorHost.exe, which generates a PowerShell script to install NodeJS and create obfuscated JavaScript malware files known as DPLoader. To maintain stealth, the script modifies Windows Defender policies by adding exclusion paths, disabling security notifications, and preventing malware sample submissions.

– Setup.zip Variant: This variant contains both Setup.exe and a malicious loader named TextShaping.dll. When users launch the installer, DLL side-loading automatically executes the malware. TextShaping.dll decrypts embedded shellcode that deploys a dropper directly in memory. This dropper installs Python from official sources, creates a Python-based DPLoader variant, and registers a VBS launcher in the Task Scheduler to ensure persistent execution. The malware ultimately injects the final payload into explorer.exe, where DigitalPulse proxyware runs as an obfuscated Go-based program.
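The Setup.msi variant's tampering with Windows Defender policy (exclusion paths, suppressed notifications, disabled sample submission) leaves a footprint under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender that a responder can check offline. The following Python script is an added example, not code from the article or from ASEC: it parses a .reg export of that policy key and reports the three signs described above. The export embedded in the script is constructed for this example, and the excluded paths in it are placeholders rather than indicators from the campaign.

```python
import re

# Constructed sample of what
#   reg export "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" out.reg
# produces on a host whose Defender policy has been tampered with. The exclusion
# paths are placeholders for this example, not indicators from the campaign.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths]
"C:\\Users\\Public\\NotepadUpdate"=dword:00000000
"C:\\ProgramData\\npp_cache"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration]
"Notification_Suppress"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet]
"SubmitSamplesConsent"=dword:00000002
'''

DEFENDER_POLICY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender"

# Directories an installer has no business excluding from scanning; an exclusion
# rooted here is the usual way a loader carves out a safe place for its payload.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# "Name"=data  (value names may contain escaped quotes and doubled backslashes)
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_value(raw):
    """Decode the two value encodings this check needs: dword and string."""
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return _unescape(raw[1:-1])
    return raw


def parse_reg_export(text):
    """Turn a .reg export into {key_path: {value_name: value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = parse_value(m.group(2))
    return keys


def assess_defender_policy(keys):
    """Return (finding, detail) pairs for the three tampering signs the article lists."""
    findings = []
    for path in keys.get(DEFENDER_POLICY + r"\Exclusions\Paths", {}):
        kind = ("exclusion_path_user_writable"
                if path.lower().startswith(USER_WRITABLE) else "exclusion_path")
        findings.append((kind, path))
    ux = keys.get(DEFENDER_POLICY + r"\UX Configuration", {})
    if ux.get("Notification_Suppress") == 1:
        findings.append(("notifications_suppressed", "Notification_Suppress=1"))
    spynet = keys.get(DEFENDER_POLICY + r"\Spynet", {})
    if spynet.get("SubmitSamplesConsent") == 2:  # 2 = never send samples
        findings.append(("sample_submission_disabled", "SubmitSamplesConsent=2"))
    return findings


if __name__ == "__main__":
    for kind, detail in assess_defender_policy(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{kind:32} {detail}")
```

Any exclusion rooted in a user-writable directory deserves a look even outside this campaign, since legitimate software rarely needs one; the notification and sample-submission values are only meaningful when no administrator or management tool set them deliberately, so compare against the organization's baseline policy before treating them as malicious.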
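Both variants persist through the Task Scheduler, one with a rundll32.exe action that loads a DLL (the Setup.msi variant's "Notepad Update Scheduler" task) and one with a VBS launcher (the Setup.zip variant). The common hunting signal is a task whose action is a script host, or an executable, pointing at a file outside the Windows or Program Files trees. The Python below is an added example, not code from the article or from ASEC: it triages exported task XML and flags such actions. The three task exports are constructed for this example; apart from the "Notepad Update Scheduler" name taken from the article, the task names and every file path are placeholders, not campaign indicators.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Living-off-the-land hosts whose real payload is in the argument list, not the Command.
SCRIPT_HOSTS = {"rundll32.exe", "wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
ENV = {"%windir%": r"C:\Windows", "%systemroot%": r"C:\Windows",
       "%programfiles%": r"C:\Program Files"}
# A quoted or bare drive-letter path inside an argument string.
PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\[^\s",]+)')

# Constructed task exports, shaped like `schtasks /query /tn <name> /xml` output minus
# the UTF-16 XML declaration so they embed as str. Except for "Notepad Update Scheduler",
# task names and all file paths are placeholders, not indicators from the campaign.
SAMPLE_TASKS = [
r'''<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Notepad Update Scheduler</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\rundll32.exe</Command>
      <Arguments>"C:\Users\Public\NotepadUpdate\update.dll",Start</Arguments>
    </Exec>
  </Actions>
</Task>''',
r'''<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\PythonRuntimeUpdate</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>wscript.exe</Command>
      <Arguments>//B "C:\Users\victim\AppData\Roaming\npp\launcher.vbs"</Arguments>
    </Exec>
  </Actions>
</Task>''',
r'''<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft\Windows\Defrag\ScheduledDefrag</URI></RegistrationInfo>
  <Actions Context="Author">
    <Exec>
      <Command>%windir%\system32\defrag.exe</Command>
      <Arguments>-c -h</Arguments>
    </Exec>
  </Actions>
</Task>''',
]


def normalize(path):
    """Strip quotes and expand the few environment variables Task Scheduler entries use."""
    p = path.strip().strip('"')
    low = p.lower()
    for var, val in ENV.items():
        if low.startswith(var):
            return val + p[len(var):]
    return p


def is_untrusted_location(path):
    return not normalize(path).lower().startswith(TRUSTED_PREFIXES)


def extract_actions(task_xml):
    """Yield (task_uri, command, arguments) for every Exec action in one task export."""
    root = ET.fromstring(task_xml)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    for ex in root.findall("t:Actions/t:Exec", NS):
        yield (uri,
               ex.findtext("t:Command", default="", namespaces=NS).strip(),
               ex.findtext("t:Arguments", default="", namespaces=NS).strip())


def triage_task(task_xml):
    """Flag actions that hand a script host, or run directly, a file outside trusted dirs."""
    findings = []
    for uri, cmd, args in extract_actions(task_xml):
        host = PureWindowsPath(normalize(cmd)).name.lower()
        if host in SCRIPT_HOSTS:
            payloads = [a or b for a, b in PATH_RE.findall(args)]
            suspicious = [p for p in payloads if is_untrusted_location(p)]
            if suspicious:
                findings.append({"task": uri, "host": host, "payloads": suspicious})
        elif "\\" in cmd and is_untrusted_location(cmd):
            findings.append({"task": uri, "host": host, "payloads": [normalize(cmd)]})
    return findings


def triage_all(task_xmls):
    return [f for task_xml in task_xmls for f in triage_task(task_xml)]


if __name__ == "__main__":
    for finding in triage_all(SAMPLE_TASKS):
        print(f"{finding['task']:40} {finding['host']:14} {', '.join(finding['payloads'])}")
```

Run against a real host, the input would be the XML from `schtasks /query /xml` or `Export-ScheduledTask` for every task, and the output is a short list to verify by hand: a task whose name imitates a vendor updater but whose payload sits under a user profile, Public, or ProgramData is exactly the shape both variants take.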

Implications and Recommendations

This campaign underscores the increasing sophistication of cyber threats and the importance of vigilance when downloading software. Users are advised to download applications only from official and reputable sources. Regularly updating security software and conducting system scans can help detect and mitigate such threats. Organizations should educate employees about the risks associated with downloading software from untrusted sources and implement security measures to prevent unauthorized software installations.