Notepad++ releases emergency patch as hackers exploit updater to deploy malware


Hackers are abusing Notepad++, a popular text and source code editor, to deliver malware. The app’s updater, WinGUp, can be tricked by an attacker-in-the-middle to pull compromised executables from malicious servers. Patches are now available.

Security researcher Kevin Beaumont previously reported that at least three organizations in East Asia had been compromised via a common attack vector – Notepad++ installations.

Don Ho, the creator and maintainer of Notepad++, acknowledged the vulnerability and released an updated version of Notepad++.


“According to the investigation, traffic from WinGUp (the Notepad++ updater) was occasionally redirected to malicious servers, resulting in the download of compromised executables,” the Notepad++ advisory reads.

The maintainer identified a weakness in the updater's validation of the integrity and authenticity of downloaded update files.


Attackers who can intercept network traffic between the updater client and the Notepad++ update server were likely exploiting this flaw to trick the updater into downloading and running malicious executables instead of legitimate updates.

Beaumont explained that Notepad++’s updater sends the current app version in use to the update service, which in turn provides an XML file containing a download URL for the update. It is likely that hackers were able to redirect the traffic to a malicious location by changing the URL in the file.

Earlier app versions used self-signed root certificates, and anti-tampering protection might not have been robust enough.


The latest version of Notepad++, v8.8.9, hardens the signature and certificate verification during updates.


“The investigation is ongoing to determine the exact method of traffic hijacking. Users will be informed once tangible evidence regarding the cause is established,” Ho said in the advisory.

The maintainer also recommends that users remove previously installed Notepad++ root certificates – the latest app versions use certificates issued by GlobalSign.

According to Beaumont, malicious activity can be identified by checking if gup.exe is making any network requests to domains other than notepad-plus-plus.org or spawning unusual processes.
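As an added example (not code from the article or from the Notepad++ project), the following Python applies Beaumont's two heuristics to constructed Sysmon-style events. The event field names, the updater path and the installer allowlist are assumptions for the example; the host check deliberately rejects look-alike domains that merely contain the trusted name.

```python
"""Detect gup.exe (the Notepad++ updater) talking to hosts other than
notepad-plus-plus.org, or spawning an unexpected child process.
Events are Sysmon-style dicts; the field names are an assumption for
this example, not a real log schema."""

TRUSTED_DOMAIN = "notepad-plus-plus.org"
UPDATER = "gup.exe"
# Child images the updater legitimately launches after a download. Assumed
# value for the example; derive the real allowlist from your own telemetry.
EXPECTED_CHILDREN = frozenset({"npp.8.8.9.installer.x64.exe"})

def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def is_trusted_host(host: str) -> bool:
    """Exact match or a true subdomain; a plain substring test would accept
    look-alikes such as notepad-plus-plus.org.attacker.test."""
    h = host.lower().rstrip(".")
    return h == TRUSTED_DOMAIN or h.endswith("." + TRUSTED_DOMAIN)

def find_suspicious(events, expected_children=EXPECTED_CHILDREN):
    """Return (reason, detail) tuples for events matching either heuristic."""
    findings = []
    for ev in events:
        if ev["type"] == "network" and _basename(ev["image"]) == UPDATER:
            if not is_trusted_host(ev["dest_host"]):
                findings.append(("untrusted-destination", ev["dest_host"]))
        elif ev["type"] == "process" and _basename(ev["parent_image"]) == UPDATER:
            child = _basename(ev["image"])
            if child not in expected_children:
                findings.append(("unexpected-child", child))
    return findings

# Constructed sample telemetry (not real logs); install path is assumed.
GUP = r"C:\Program Files\Notepad++\updater\GUp.exe"
SAMPLE_EVENTS = [
    {"type": "network", "image": GUP, "dest_host": "notepad-plus-plus.org"},
    {"type": "network", "image": GUP, "dest_host": "notepad-plus-plus.org.attacker.test"},
    {"type": "network", "image": GUP, "dest_host": "cdn.example.net"},
    {"type": "process", "parent_image": GUP,
     "image": r"C:\Users\alice\AppData\Local\Temp\npp.8.8.9.Installer.x64.exe"},
    {"type": "process", "parent_image": GUP, "image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for reason, detail in find_suspicious(SAMPLE_EVENTS):
        print(f"{reason}: {detail}")
```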
