Notepad++ Update Servers Compromised: A Deep Dive into the Chrysalis Backdoor Attack
In a sophisticated cyber-espionage campaign, the Chinese Advanced Persistent Threat (APT) group known as Lotus Blossom, or Billbug, compromised the update infrastructure of the widely used text editor Notepad++. The breach was used to distribute a custom backdoor named Chrysalis, targeting sectors such as government, telecommunications, aviation, and critical infrastructure across Southeast Asia and Central America.
Discovery and Initial Indicators
The intrusion came to light when security researchers observed the execution of a suspicious file named `update.exe`, downloaded from the IP address 95.179.213.0. This event followed the legitimate execution of `notepad++.exe` and its updater component, `GUP.exe`. Further forensic analysis revealed that `update.exe` was an NSIS installer, a packaging format frequently abused by Chinese APT groups for initial payload delivery.
Attack Chain and Payload Deployment
Upon execution, the NSIS installer created a hidden directory named `Bluetooth` within the `%AppData%` folder. Within this directory, several files were deposited, including `BluetoothService.exe` and `log.dll`. Notably, `BluetoothService.exe` was a renamed, legitimately signed Bitdefender Submission Wizard binary. The attackers used this legitimate executable for DLL sideloading: placed next to it, the malicious `log.dll` is loaded in place of the genuine DLL of the same name.
The Chrysalis Backdoor: Features and Evasion Techniques
Once loaded, `log.dll` decrypted and executed a shellcode payload known as the Chrysalis backdoor. This sophisticated implant is designed for long-term persistence and exhibits several advanced evasion techniques:
– Custom Encryption: Chrysalis employs a linear congruential generator for decryption, avoiding standard cryptographic APIs and thereby evading detection by automated tools.
– API Hashing: The malware resolves necessary Windows APIs using a custom hashing algorithm, combining FNV-1a with a MurmurHash-style finalizer, complicating static analysis and antivirus detection.
– Command and Control (C2) Communication: The backdoor communicates with its C2 server (`api.skycloudcenter.com`) over HTTPS. The URL structure mimics DeepSeek API endpoints (e.g., `/a/chat/s/{GUID}`), likely so that the traffic blends in with legitimate AI-related network activity.
Chrysalis supports 16 different commands, including:
– Interactive Shell: Initiates a fully interactive reverse shell via `cmd.exe`.
– File Operations: Performs reading, writing, deleting files, and enumerating directory contents.
– Process Execution: Launches remote processes.
– Self-Removal: Executes a cleanup mode to remove persistence artifacts and delete the malware from the disk.
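The observable chain described above (updater `GUP.exe` spawning `update.exe`, the sideloaded `log.dll` under `%AppData%\Bluetooth`, and the DeepSeek-style C2 URL pattern) can be turned into hunting logic. The following is an added example, not code from the original report; it runs over constructed Sysmon-style events, and the `signed` field, event shapes and sample paths are assumptions for illustration.

```python
import re
import ntpath

# Constructed sample telemetry (not real captured data): simplified Sysmon-style
# events reproducing the reported chain, plus one benign image load as control.
EVENTS = [
    {"type": "process_create", "image": r"C:\Program Files\Notepad++\updater\GUP.exe",
     "parent": r"C:\Program Files\Notepad++\notepad++.exe"},
    {"type": "process_create", "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "parent": r"C:\Program Files\Notepad++\updater\GUP.exe"},
    {"type": "image_load", "image": r"C:\Users\alice\AppData\Roaming\Bluetooth\BluetoothService.exe",
     "loaded": r"C:\Users\alice\AppData\Roaming\Bluetooth\log.dll", "signed": False},
    {"type": "network", "image": r"C:\Users\alice\AppData\Roaming\Bluetooth\BluetoothService.exe",
     "host": "api.skycloudcenter.com", "path": "/a/chat/s/3f2504e0-4f89-11d3-9a0c-0305e82c3301"},
    {"type": "image_load", "image": r"C:\Windows\System32\svchost.exe",
     "loaded": r"C:\Windows\System32\ntdll.dll", "signed": True},
]

C2_HOST = "api.skycloudcenter.com"
# Path pattern from the report: /a/chat/s/{GUID}
C2_PATH_RE = re.compile(r"^/a/chat/s/[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)

def base(path):
    """File name of a Windows path, lower-cased for comparison."""
    return ntpath.basename(path).lower()

def in_appdata_bluetooth(path):
    """True if the path has both an AppData and a Bluetooth directory component."""
    parts = [p.lower() for p in path.split("\\")]
    return "appdata" in parts and "bluetooth" in parts

def hunt(events):
    """Return (rule, detail) pairs for events matching the reported indicators."""
    findings = []
    for ev in events:
        if ev["type"] == "process_create":
            # The updater spawning a file literally named update.exe is a hunt lead,
            # not proof on its own: the legitimate updater also runs installers.
            if base(ev["parent"]) == "gup.exe" and base(ev["image"]) == "update.exe":
                findings.append(("updater_spawned_update_exe", ev["image"]))
        elif ev["type"] == "image_load":
            # Signed host binary loading an unsigned log.dll from %AppData%\Bluetooth.
            if (base(ev["image"]) == "bluetoothservice.exe" and base(ev["loaded"]) == "log.dll"
                    and in_appdata_bluetooth(ev["loaded"]) and not ev["signed"]):
                findings.append(("sideload_log_dll", ev["loaded"]))
        elif ev["type"] == "network":
            if ev["host"].lower() == C2_HOST or C2_PATH_RE.match(ev["path"]):
                findings.append(("chrysalis_c2_pattern", ev["host"] + ev["path"]))
    return findings
```

The path regex fires independently of the host, so it still catches the same URL scheme if the actor rotates domains while keeping the DeepSeek-style layout.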
Advanced Loading Mechanism: Microsoft Warbird Exploitation
Researchers also identified a loader variant (`ConsoleApplication2.exe`) that abuses Microsoft Warbird, a complex code protection framework, to obscure its execution flow. This loader calls the `NtQuerySystemInformation` system call with the undocumented `SystemCodeFlowTransition` (0xB9) information class. By copying encrypted data into the memory of a Microsoft-signed binary (`clipc.dll`) and invoking this specific system call, the loader triggers the Warbird mechanism to decrypt and execute the shellcode in the kernel context. Because the decryption does not run through ordinary user-mode code paths, this technique bypasses user-mode hooks and standard Endpoint Detection and Response (EDR) monitoring, marking a significant evolution in Billbug's tradecraft.
Attribution to Lotus Blossom
The campaign is attributed to Lotus Blossom with moderate confidence, based on the specific use of the Bitdefender sideloading technique and on shared cryptographic keys found in the Cobalt Strike beacons deployed alongside Chrysalis. The incident underscores the persistent and evolving threat posed by state-sponsored actors who compromise widely used software to reach critical sectors.