Keypoints
- Notepad++ plugin mimeTools.dll in specific portable packages was modified to include encrypted shellcode and a certificate.pem file containing payload data.
- The attacker altered only DllEntryPoint so the malicious code runs automatically when notepad++.exe loads the plugin.
- Shellcode in certificate.pem is Base64-decoded and AES-decrypted (key: wqviIfew62w0zgP97yw9G2nqlHFKkggQ) using Crypt32.dll and BCrypt.dll, and then executed inside the Notepad++ process.
- The malware uses indirect syscalls (jmp to syscall) to bypass AV/monitoring and then overwrites BingMaps.dll EntryPoint / GetBingMapsFactory() with shellcode to perform thread-based injection into explorer.exe.
- The injected code performs sandbox/VM checks (terminating when analysis tools/processes are present), allocates memory in explorer.exe, writes shellcode, and starts a thread to run it.
- From explorer.exe the malware reconstructs C2 URLs (by concatenating odd characters), sends Base64-encoded system info in request headers, and downloads additional shellcode from WordPress-hosted C2 pages.
MITRE Techniques
- [T1574.001] DLL Search Order Hijacking – The attacker supplied a malicious mimeTools.dll that is “automatically loaded when you run notepad++,” allowing execution when notepad++.exe starts (‘…mimeTools.dll is automatically loaded when you run notepad++’).
- [T1055.004] Process Injection: Thread Execution Hijacking – The overwritten shellcode “performs Thread Injection into explorer.exe again,” using NtCreateThreadEx/NtGetContextThread/NtSetContextThread to set RIP and resume execution (‘…performs Thread Injection into explorer.exe again’).
- [T1027] Obfuscated Files or Information – The malware uses indirect syscalls (jmp to syscall) to evade monitoring and antivirus by “directly set[ting] the argument values needed to call the syscall” and bypass native API hooks (‘…the jmp statement is used to branch to the syscall…bypasses anti-virus products’).
- [T1497] Virtualization/Sandbox Evasion – The injected GetBingMapsFactory() code checks for analysis environments and terminates if specific processes are present (‘…there is a process to recognize the analysis environment such as VM and terminate the process’).
- [T1105] Ingress Tool Transfer – Additional shellcode is downloaded from remote C2 servers after initial execution in explorer.exe (‘Finally, additional ShellCode is downloaded and executed from the C2 server’).
- [T1041] Exfiltration Over C2 Channel – The malware collects system information, Base64-encodes it, and inserts it into the request header sent to C2 (‘Information collected from the user’s PC is Base64 encoded and delivered to the attacker’).
Indicators of Compromise
- [MD5 hashes] Malicious package and component hashes – 6136ce65b22f59b9f8e564863820720b (mimeTools.dll), fe4237ab7847f3c235406b9ac90ca845 (certificate.pem), and 4 more hashes.
- [File names] Tampered plugin and payload container – mimeTools.dll (malicious Notepad++ plugin), certificate.pem (contains encrypted shellcode), npp.8.6.3.portable.x64.zip (compromised package).
- [C2 URLs] WordPress-hosted C2 endpoints used to serve payloads – hxxps://car***************.com/wp-content/themes/twentytwentytwo/nnzknr.php?id=1, hxxps://pro** ********.net/wp-content/themes/twentytwentythree/hyhnv3.php?id=1, and multiple similar WordPress endpoints.
The modified mimeTools.dll was placed inside specific Notepad++ portable packages so it loads automatically with notepad++.exe; only DllEntryPoint was changed to trigger malicious behavior without altering normal export functions. The actor embedded an encrypted payload in certificate.pem and implemented a runtime decryption chain: Base64 decode followed by AES decryption (key: wqviIfew62w0zgP97yw9G2nqlHFKkggQ) using Crypt32.dll and BCrypt.dll, then marked the memory executable and jumped into the resulting shellcode.
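A triage script for checking a Notepad++ portable directory against the hashes and file names listed above. This is an added example, not code from the ASEC report; it assumes the standard Notepad++ plugin layout plugins/mimeTools/mimeTools.dll and that the dropped certificate.pem sits in that same plugin folder, which the report does not state.

```python
"""Triage check for a trojanised Notepad++ portable install (added example,
not code from the ASEC report). Assumes the standard Notepad++ layout
plugins/mimeTools/mimeTools.dll and that the dropped certificate.pem sits in
that same plugin folder; the report does not state the path."""
import hashlib
import sys
from pathlib import Path

# MD5 values published in the report for the tampered components.
KNOWN_BAD_MD5 = {
    "6136ce65b22f59b9f8e564863820720b": "mimeTools.dll (malicious plugin)",
    "fe4237ab7847f3c235406b9ac90ca845": "certificate.pem (encrypted shellcode)",
}
PLUGIN_SUBDIR = Path("plugins") / "mimeTools"  # assumed standard layout
PAYLOAD_NAME = "certificate.pem"

def md5_bytes(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def md5_file(path: Path) -> str:
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def classify_entries(entries, known_bad=KNOWN_BAD_MD5):
    """entries: (file name, md5 hex) pairs -> list of (level, name, why).
    A hash hit is conclusive. A PEM file in the plugin folder is flagged even
    without a hash hit: the genuine plugin ships none and the hash list is partial."""
    findings = []
    for name, digest in entries:
        if digest in known_bad:
            findings.append(("known-bad", name, known_bad[digest]))
        elif name.lower() == PAYLOAD_NAME:
            findings.append(("suspicious", name, "unexpected PEM in plugin folder"))
    return findings

def scan_notepadpp_dir(root):
    """Hash every file in the mimeTools plugin folder under one install root."""
    plugin_dir = Path(root) / PLUGIN_SUBDIR
    if not plugin_dir.is_dir():
        return []
    return classify_entries((p.name, md5_file(p)) for p in plugin_dir.iterdir() if p.is_file())

if __name__ == "__main__":
    for finding in scan_notepadpp_dir(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(*finding, sep="\t")
```

Run it with the unpacked portable directory as the argument; any "known-bad" line means the package matches the published hashes, and a "suspicious" line means a PEM file is present where the genuine plugin has none.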
To evade detection and gain persistence in memory, the malware uses indirect syscalls (jmp to syscall) to bypass native API monitoring, then overwrites the EntryPoint/GetBingMapsFactory() in BingMaps.dll with shellcode. It creates a thread and manipulates thread context (NtCreateThreadEx, NtGetContextThread, NtSetContextThread, ResumeThread) to set RIP to the injected GetBingMapsFactory() code, which performs environment checks (terminating if VM/debugging tools are present), locates explorer.exe, and injects shellcode into explorer.exe via NtAllocateVirtualMemory and NtWriteVirtualMemory before executing it with NtCreateThreadEx.
Once running inside explorer.exe, the implant reconstructs C2 URLs by concatenating odd-index characters from an encoded string, adds Base64-encoded system details (computer name, user name, admin group membership, language, system time) to HTTP headers, and requests additional shellcode from WordPress-based C2 pages (the response parsing looks for a specific offset string such as “on><!–gmail ” to extract payload). At the time of analysis the C2 pages were reachable but contained no additional shellcode in the expected offset.
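A detection sketch for the beacon described above, run over a few constructed log lines: it flags explorer.exe requests whose path has the WordPress-theme PHP shape of the published C2 URLs and decodes a Base64 request header. This is an added example, not code from the ASEC report; the tab-separated log format, the header name X-Info, the sample hosts and the path-length range in the regex are assumptions.

```python
"""Detection sketch for the explorer.exe -> WordPress C2 beacon described
above (added example, not code from the ASEC report). The tab-separated log
format, the header name X-Info and the sample hosts are constructed; real
proxy/EDR records will differ."""
import base64
import re
from urllib.parse import urlsplit

# Shape of the published C2 paths: a short PHP file directly under a default
# WordPress theme directory, queried with ?id=<n>. The length range is assumed.
C2_PATH_RE = re.compile(r"^/wp-content/themes/twenty[a-z]+/[a-z0-9]{4,10}\.php$")

# Constructed beacon body: the report lists these fields, the layout is ours.
SAMPLE_INFO = "DESKTOP-01|alice|admins=0|en-US|2024-04-01 10:00:00"
SAMPLE_B64 = base64.b64encode(SAMPLE_INFO.encode()).decode()

# Constructed log lines: <process>\t<method>\t<url>\t<header>
SAMPLE_LOG = [
    "chrome.exe\tGET\thttps://news.example/index.html\tAccept: */*",
    # same path shape, but from a browser: a user visiting a WordPress site
    "chrome.exe\tGET\thttps://blog.example/wp-content/themes/twentytwentytwo/nnzknr.php?id=1\tAccept: */*",
    f"explorer.exe\tGET\thttps://c2.example/wp-content/themes/twentytwentythree/hyhnv3.php?id=1\tX-Info: {SAMPLE_B64}",
]

def looks_like_c2(url: str) -> bool:
    parts = urlsplit(url)
    return bool(C2_PATH_RE.match(parts.path)) and parts.query.startswith("id=")

def decode_beacon_header(value: str):
    """Return the decoded text if the value is clean Base64 of printable text."""
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None

def detect(lines):
    """Flag explorer.exe requests whose URL matches the C2 pattern; explorer.exe
    is the injected host process in this campaign and normally does not fetch PHP."""
    hits = []
    for line in lines:
        process, _method, url, header = line.split("\t", 3)
        if process.lower() != "explorer.exe" or not looks_like_c2(url):
            continue
        name, _, value = header.partition(": ")
        hits.append({"url": url, "header": name, "decoded": decode_beacon_header(value.strip())})
    return hits
```

The process filter is what separates the implant from ordinary browsing to a WordPress site, so the rule should be fed per-process network telemetry rather than proxy logs alone.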
Read more: https://asec.ahnlab.com/ko/63738