Chinese users searching for legitimate software like Notepad++ and VNote on search engines like Baidu are being targeted with malicious ads and fake links to distribute Trojanized versions of the software and eventually implement Geacon, a Golang-based implementation of Cobalt Strike.
“The malicious site found in notepad++ search is distributed via an ad blocker,” said Kaspersky researcher Sergey Puzan.
“Opening it, an attentive user will immediately notice an amusing inconsistency: the site address contains the line vnote, the title offers the download of Notepad‐‐ (an analogue of Notepad++, also distributed as open source software), while the image proudly shows Notepad++. In fact the packages downloaded from here contain Notepad‐‐.”
The website, called vnote.fuwenkeji[.]cn, contains download links to the Windows, Linux, and macOS versions of the software, with the link to the Windows variant pointing to the official Gitee repository containing the Notepad installer (“Notepad–v2.10.0-plugin-Installer. exe”).
Linux and macOS versions, however, lead to malicious installation packages hosted on vnote-1321786806.cos.ap-hongkong.myqcloud[.]com.
Similarly, fake VNote lookalike websites (“vnote[.]info” and “vnotepad[.]com”) lead to the same set as myqcloud[.]com, in this case, also point to a Windows installer hosted on the domain. That said, links to potentially malicious versions of VNote are no longer active.
An analysis of the modified Notepad installers reveals that they are designed to fetch a next-stage payload from a remote server, a backdoor that bears similarities to Geacon.
It is capable of creating SSH connections, performing file operations, enumerating processes, accessing clipboard contents, executing files, uploading and downloading files, taking screenshots, and even entering sleep mode. Command and control (C2) is facilitated via the HTTPS protocol.
The development comes as malvertising campaigns have also acted as a conduit for other malware such as FakeBat (also known as EugenLoader) with the help of MSIX installation files disguised as Microsoft OneNote, Notion and Trello.