CTI Roundup: A Malicious Notepad++ Plugin, “Junk Gun” Ransomware, and a Google Malvertising Campaign
Researchers discover modified Notepad++ plug-in, new junk gun ransomware appears on cybercrime forums, and a malvertising campaign targets IT teams
In this week’s roundup, CTI looks at a modified version of a default Notepad++ plug-in called mimeTools.dll that is being distributed in the wild. Next, CTI investigates a new wave of cheap, independently produced “junk gun” ransomware that deviates from the traditional ransomware-as-a-service (RaaS) model. Finally, CTI breaks down the latest Google malvertising campaign, which is pushing typosquat domains mimicking legitimate IP scanner software to the top of search engine results.
1. Researchers discover modified Notepad++ plug-in
Researchers have discovered a modified version of a default Notepad++ plug-in called mimeTools.dll that is being distributed in the wild.
MimeTools.dll is a default plug-in that ships inside the Notepad++ installation package. Because of this, mimeTools.dll loads automatically when the program launches and does not require any additional action from the user. The threat actor likely relied on DLL hijacking to get the malicious modified variant executed.
Code for decrypting and executing an encoded malicious shellcode was added to the modified version of mimeTools.dll. Within the Notepad++ package, the file carrying the encoded shellcode is called certificate.pem.
ASEC took a closer look at the features of mimeTools.dll in both versions and found the only difference in the code to be the DllEntryPoint.
How threat actors use mimeTools.dll to distribute malware
Because mimeTools.dll is loaded as soon as Notepad++ launches, malicious activity begins immediately.
- The malware uses several indirect syscall techniques at execution to avoid detection by anti-malware products.
- Next, the certificate.pem file is decrypted and executed. The code of the BingMaps.dll GetBingMapsFactory() function is then overwritten with the malicious shellcode, which results in thread injection into explorer.exe.
- One additional shellcode is then downloaded and executed from the C2 server.
- The string that is used to communicate with the C2 becomes a URL after it is passed through a certain function. To send information to the C2, the information is first encoded in Base64 and is then added to the header.
- During their analysis, researchers noticed that the C2 was designed to look like a WordPress login page, whereas when the malware was first distributed it looked like a wiki site.
Analyst comments from Tanium’s Cyber Threat Intelligence team
It’s clear that the threat actor behind this activity is going after Notepad++ because of its popularity.
Because the threat actor abuses users’ trust in the legitimate Notepad++, and the attack requires no additional manual interaction from the user, it is exceedingly difficult to prevent.
That said, the threat actor’s use of DLL hijacking presents an opportunity for detection, enabling defenders to help identify this type of attack.
2. New junk gun ransomware appears on cybercrime forums
Sophos has uncovered a wave of junk gun ransomware, which is “independently produced, inexpensive, and crudely constructed.”
According to Sophos, this wave deviates from the traditional ransomware-as-a-service (RaaS) model that has been flooding the threat landscape for quite some time. However, it is still an attractive offering for cybercriminals who are looking to enter the ransomware landscape.
Junk gun ransomware: An overview
Sophos discovered 19 different junk gun ransomware varieties between June 2023 and February 2024.
Of the 19 samples, many are currently for sale while others are listed as being in development. There are not a lot of details available for each of the identified junk gun ransomware varieties, but at least three of them have supposedly been leveraged in real-world attacks.
Given this information is all posted by cybercriminals, it’s important to remember that there’s a chance some of these strains are simply a scam designed to defraud other cybercriminals.
How much does junk gun ransomware cost?
These junk gun ransomware strains are all relatively cheap compared to standard RaaS offerings.
Of those with pricing listed, the median price was only $375. And only three of these strains offered a subscription model of sorts while the remaining were offered for a single one-time fee, again deviating from the RaaS model.
Junk gun ransomware features
Each strain of junk gun ransomware tends to vary in terms of capabilities. Threat actors use a range of encryption methods, including some rare algorithms like XTEA and Salsa20. Some variants include capabilities outside of traditional ransomware, like info stealing and keylogging, while other variants focus on ransomware capabilities like the deletion of volume shadow copies and multi-threaded encryption.
Sophos attempted to dig deeper into the developers behind the ransomware and discovered that some are looking to evolve their product offering and essentially grow their business. An example of this is the developer of Loni ransomware, which advertises its product as being superior to RaaS offerings and notes that they are looking to scale their infrastructure and build a data leak site once enough funds are available.
Analyst comments from Tanium’s Cyber Threat Intelligence team
Since the junk gun ransomware strains do not have data leak sites, it is difficult for researchers to determine their true use in the wild.
This junk gun-style offering differs greatly from the RaaS model but still accomplishes a similar goal: lowering the cost of entry. These offerings still enable cybercriminals of varying skill levels to enter the ransomware scene without needing extensive technical knowledge or access to criminal networks.
This offering may be more attractive to some cybercriminals as there is no profit-sharing aspect as in RaaS offerings. As Sophos sums up, it “allows criminals to get in on the action cheaply, easily, and independently.”
3. New malvertising campaign targets IT teams
The latest Google malvertising campaign is pushing several typosquat domains mimicking legitimate IP scanner software to the top of search engine results.
The campaign seeks to deliver a new backdoor, MadMxShell, which uses DLL sideloading in multiple stages, abuses the DNS protocol for C2 communications, and is capable of evading memory forensics security solutions.
About the campaign
The threat actor behind this campaign has registered several domains that spoof legitimate IP scanner software like Advanced IP Scanner, Angry IP Scanner, PRTG IP Scanner, and ManageEngine.
These domains were all used in March malvertising attacks. The source code of the malicious sites is almost identical to that of the legitimate site, except for an edit that redirects the user to download a malicious file.
The backdoor
Zscaler analyzed a sample called Advanced-ip-scanner.zip, which was found to contain two files: an executable that is a renamed copy of the legitimate oleview.exe, and a DLL.
When the executable runs, it sideloads the DLL and executes a series of shellcode stages. In the next stage, a legitimately signed Microsoft executable, OneDrive.exe, is dropped. It is then abused to sideload an additional DLL to establish persistence.
The malware will attempt to disable Windows Defender, configure a scheduled task, and use anti-dumping techniques before performing typical file manipulation.
The malware will also communicate with its C2 by sending and receiving commands that are encoded within DNS MX queries. The malware is configured with a three-second interval between requests, which is rather short and therefore much noisier than malware that uses HTTP for C2 communications.
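The three-second MX query cadence described above is exactly the kind of pattern a resolver-log hunt can surface. The following is an added detection example, not code from the Zscaler report or from Tanium: it parses constructed resolver log lines (timestamp, client, query type, qname; a hypothetical format) and flags any client that issues MX queries under one domain at short, regular intervals.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample resolver log (not real traffic): one workstation queries MX
# records under the same domain every 3 s; a mail server does ordinary MX lookups.
SAMPLE_LOG = """\
2024-04-22T10:00:00 10.1.2.7 MX a1b2c3.example-c2.test
2024-04-22T10:00:03 10.1.2.7 MX d4e5f6.example-c2.test
2024-04-22T10:00:06 10.1.2.7 MX 778899.example-c2.test
2024-04-22T10:00:09 10.1.2.7 MX aabbcc.example-c2.test
2024-04-22T10:00:12 10.1.2.7 MX ddeeff.example-c2.test
2024-04-22T10:00:01 10.1.2.7 A www.example.test
2024-04-22T10:00:05 10.1.9.2 MX partner-one.test
2024-04-22T10:07:40 10.1.9.2 MX partner-two.test
2024-04-22T10:31:12 10.1.9.2 MX partner-one.test
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def base_domain(qname):
    """Collapse per-query subdomain labels so beacons to one domain group together."""
    parts = qname.rstrip(".").split(".")
    return ".".join(parts[-2:])


def parse_log(text):
    """Return (timestamp, client, qtype, qname) tuples; skip lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, qtype, qname = m.groups()
            events.append((datetime.fromisoformat(ts), client, qtype.upper(), qname.lower()))
    return events


def find_mx_beacons(events, min_queries=4, max_median_gap=10.0, max_jitter=2.0):
    """Return (client, domain, count, median_gap_seconds) for regular short-interval MX queries."""
    groups = defaultdict(list)
    for ts, client, qtype, qname in events:
        if qtype == "MX":
            groups[(client, base_domain(qname))].append(ts)
    hits = []
    for (client, dom), stamps in groups.items():
        if len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        median_gap = statistics.median(gaps)
        if median_gap <= max_median_gap and statistics.pstdev(gaps) <= max_jitter:
            hits.append((client, dom, len(stamps), median_gap))
    return hits
```

MX lookups from hosts that are not mail servers are themselves worth a second look; the interval and jitter thresholds only narrow the result to the beacon-like cases.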
Analyst comments from Tanium’s Cyber Threat Intelligence team
Threat actors are increasingly turning to malvertising to deliver malware to unsuspecting users, underscoring the importance of verifying search engine result links before blindly clicking.
What makes this malvertising campaign different is its use of DNS MX queries for its C2 communication. At first glance this seems like a sophisticated technique, but the interval of only three seconds between requests makes it rather noisy.
This campaign appears to be targeting IT users given the software it is spoofing. However, new malvertising campaigns seem to be popping up regularly and targeting a very wide range of users with various software.
Do you have insight into these stories that you want to share? Head over to Tanium’s discussion forum and start a conversation.
For further reading, catch up on our recent cyber threat intelligence roundups.