Last Updated on 10/12/2021 by Nidhi Khandelwal
StrongPity, a sophisticated hacking group, is distributing malware-laced Notepad++ installers that infect its targets.
The group, also tracked as APT-C-41 and Promethium, was previously seen delivering trojanized WinRAR installers in highly targeted attacks between 2016 and 2018.
Notepad++ is a popular free text and source-code editor for Windows that is used across a wide range of organisations, which makes its installer an attractive carrier for this kind of attack.
The service created by the trojanized installer then launches the malware’s keylogger component, ‘ntuis32.exe’, as an overlapped window (using the WS_MINIMIZEBOX style).
The keylogger records every keystroke and writes the logs as hidden system files under ‘C:\ProgramData\Microsoft\Windows\Data’. The infection can also steal files and other information from the machine.
A second component, ‘winpickr.exe’, polls this folder at regular intervals; when it finds a new log file it opens a connection to the command-and-control (C2) server and uploads the stolen data.
Once the transfer completes, the original log is deleted to remove traces of the malicious activity, so the staging folder is normally empty by the time a responder looks at it.
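The behaviour above gives a defender three things to look for: the two component names, writes into the staging folder, and the "upload, then delete" sequence that winpickr.exe follows. The hunt below is an added example written by the editor, not code from the article or from any published analysis of the malware; it runs over constructed Sysmon-style events. The process names, the staging folder and the upload-then-wipe pattern are taken from the text; the event field names, the on-disk locations of the two components in the sample data and the five-minute correlation window are assumptions.

```python
"""Hunt for the StrongPity Notepad++ trojan behaviour in Sysmon-style telemetry.

Editor's example; not code from the article, StrongPity or Notepad++.
The records in SAMPLE_EVENTS are constructed, and the field names
(event_id, utc, pid, image, target) are an assumption about how a log
collector would present Sysmon events.
"""
from datetime import datetime, timedelta

# Indicators taken from the article: the two component names and the
# folder where the hidden keystroke logs are staged.
SUSPECT_IMAGES = {"ntuis32.exe", "winpickr.exe"}
STAGING_DIR = r"c:\programdata\microsoft\windows\data"

# Sysmon event IDs used by the constructed records.
PROCESS_CREATE, NETWORK_CONNECT, FILE_CREATE, FILE_DELETE = 1, 3, 11, 23


def _basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _in_staging_dir(path):
    """True when the path sits inside the article's staging folder."""
    return path.lower().replace("/", "\\").startswith(STAGING_DIR + "\\")


def hunt(events, exfil_window=timedelta(minutes=5)):
    """Return (kind, detail) findings over a chronological list of events.

    Three behaviours from the write-up are checked:
      1. a process whose image name is one of the named components
      2. a file created under the staging folder
      3. the exfiltration pattern: a network connection from a process,
         followed within `exfil_window` by the same process deleting a
         file in the staging folder (log uploaded, then wiped)
    The window length is an assumption, not a figure from the article.
    """
    findings = []
    last_connect = {}  # pid -> time of that process's most recent connection

    for ev in events:
        ts = datetime.fromisoformat(ev["utc"])
        image = _basename(ev["image"])

        if ev["event_id"] == PROCESS_CREATE and image in SUSPECT_IMAGES:
            findings.append(("suspect_process", image))

        elif ev["event_id"] == FILE_CREATE and _in_staging_dir(ev["target"]):
            findings.append(("staging_write", ev["target"]))

        elif ev["event_id"] == NETWORK_CONNECT:
            last_connect[ev["pid"]] = ts

        elif ev["event_id"] == FILE_DELETE and _in_staging_dir(ev["target"]):
            seen = last_connect.get(ev["pid"])
            if seen is not None and ts - seen <= exfil_window:
                findings.append(("exfil_then_wipe", f"{image} -> {ev['target']}"))

    return findings


# Constructed sample telemetry: a benign Notepad++ session interleaved with
# the chain the article describes. The paths of the two components are
# assumed; the article does not state where they are dropped.
SAMPLE_EVENTS = [
    {"event_id": 1, "utc": "2021-12-10T09:00:00", "pid": 4100,
     "image": r"C:\Program Files\Notepad++\notepad++.exe", "target": ""},
    {"event_id": 1, "utc": "2021-12-10T09:00:02", "pid": 4188,
     "image": r"C:\ProgramData\ntuis32.exe", "target": ""},
    {"event_id": 11, "utc": "2021-12-10T09:05:00", "pid": 4188,
     "image": r"C:\ProgramData\ntuis32.exe",
     "target": r"C:\ProgramData\Microsoft\Windows\Data\log_1.dat"},
    {"event_id": 11, "utc": "2021-12-10T09:05:30", "pid": 4100,
     "image": r"C:\Program Files\Notepad++\notepad++.exe",
     "target": r"C:\Users\alice\Documents\notes.txt"},
    {"event_id": 1, "utc": "2021-12-10T09:09:58", "pid": 4250,
     "image": r"C:\ProgramData\winpickr.exe", "target": ""},
    {"event_id": 3, "utc": "2021-12-10T09:10:00", "pid": 4250,
     "image": r"C:\ProgramData\winpickr.exe", "target": ""},
    {"event_id": 23, "utc": "2021-12-10T09:10:04", "pid": 4250,
     "image": r"C:\ProgramData\winpickr.exe",
     "target": r"C:\ProgramData\Microsoft\Windows\Data\log_1.dat"},
]


def run_sample():
    """Run the hunt over the constructed events."""
    return hunt(SAMPLE_EVENTS)


if __name__ == "__main__":
    for kind, detail in run_sample():
        print(f"{kind:17} {detail}")
```

The third rule is the one worth keeping even if the attackers rename their binaries: a process that opens an outbound connection and then deletes a file from a hidden staging folder within a short window is a behavioural signature of the exfiltrate-and-wipe routine described above, whereas the first two rules are plain indicator matches that stop working as soon as a name or path changes.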
If you need Notepad++, download the installer only from the project’s own website, and compare the file’s SHA-256 hash against the checksum the project publishes alongside each release before running it.
Many other sites redistribute the software, and some pose as official Notepad++ portals while bundling adware or other unwanted software.
The distribution URL for the trojanized installer was taken down after analysts discovered it, but the actors could quickly register a new one, so the URL itself is a weak indicator compared with the file hashes and the behaviour described above.