The forgotten malvertising campaign

An under-the-radar malvertising campaign targets Notepad++ users via compromised ad accounts, delivering time-sensitive .hta payloads behind decoy Notepad++ pages. It fingerprints VM environments, assigns a unique per-user ID, and communicates with a remote C2 domain (mybigeye.icu) that may support tooling like Cobalt Strike. #NotepadPlusPlus #Notepadxtreme #mybigeye.icu #CobaltStrike #Malvertising #DrivebyCompromise

Keypoints

  • The campaign targets Notepad++ users through malicious ads pushed via compromised ad accounts, featuring a Notepad++ decoy site.
  • A first-level filter checks the user’s IP address (VPN users are discarded and served a decoy page) before any payload is shown.
  • A second-level fingerprinting check detects virtualization or emulation and determines whether the real payload is delivered.
  • Payloads are delivered as custom, time-sensitive .hta scripts with unique IDs for each user download (e.g., Notepad_Ver_[10 chars][13 digits].hta).
  • The HTA payloads are executed via mshta.exe and are highly obfuscated, showing 0 detection on VirusTotal during analysis.
  • The campaign uses a remote C2 infrastructure (mybigeye.icu on a nonstandard port) and may enable tools like Cobalt Strike for further access.
  • Fake Notepad++ hosting (notepadxtreme.com) and multiple ad domains are used to evade verification and widen reach.

MITRE Techniques

  • [T1189] Drive-by Compromise – Malvertising campaign delivering decoy pages and payloads when users click ads. “A first level of filtering happens when the user clicks on one of these ads.”
  • [T1036] Masquerading – Decoy Notepad++ site hosted at notepadxtreme[.]com to impersonate legitimate software. “replica of the real Notepad++ website hosted at notepadxtreme[.]com”
  • [T1497.001] Virtualization/Sandbox Evasion – VM/emulator fingerprinting to decide payload delivery. “Fingerprinting for VM detection… second level of filtering…”
  • [T1218.005] Mshta – Execution via HTA payload using mshta.exe. “C:\Windows\SysWOW64\mshta.exe "C:\Windows\System32\mshta.exe"”
  • [T1105] Ingress Tool Transfer – Payload downloaded per user with a unique ID; time-sensitive delivery. “Another thing that sets apart this campaign from others is the way the payload is being downloaded.”
  • [T1071.001] Web Protocols – C2 communications to mybigeye.icu on a custom port; client_id usage in the URL. “connection to a remote domain (mybigeye.icu) on a custom port… client_id=…”
  • [T1027] Obfuscated/Compressed Files and Information – The HTA script is well obfuscated with low detection. “The script is well obfuscated and shows 0 detection on VirusTotal.”
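Detection logic for the behaviours listed above (the time-stamped Notepad_Ver_*.hta filename, one mshta.exe invoking another, and a client_id request to mybigeye[.]icu on a nonstandard port), as an added example that is not part of the Malwarebytes write-up; the event field names and the sample telemetry are constructed.

```python
import re
from typing import Dict, List, Tuple

# Payload naming from the report: Notepad_Ver_[10 chars][13 digits].hta
HTA_NAME_RE = re.compile(r"Notepad_Ver_[A-Za-z0-9]{10}\d{13}\.hta", re.IGNORECASE)
MSHTA_RE = re.compile(r"\\mshta\.exe\b", re.IGNORECASE)
# C2 URL: mybigeye.icu, optional port, client_id parameter (T1071.001)
C2_RE = re.compile(r"mybigeye\.icu(?::(\d+))?\S*client_id=", re.IGNORECASE)


def classify(event: Dict[str, str]) -> List[str]:
    """Return the indicator names matched by one telemetry event.

    Events are dicts with 'type' ('process' or 'network') plus a
    'cmdline' or 'url' field; these field names are assumptions."""
    hits: List[str] = []
    if event.get("type") == "process":
        cmd = event.get("cmdline", "")
        if MSHTA_RE.search(cmd):
            # T1218.005: mshta.exe running a time-stamped Notepad_Ver_*.hta
            if HTA_NAME_RE.search(cmd):
                hits.append("mshta_notepad_ver_hta")
            # The quoted command line: mshta.exe launching another mshta.exe
            if len(MSHTA_RE.findall(cmd)) >= 2:
                hits.append("nested_mshta")
    elif event.get("type") == "network":
        m = C2_RE.search(event.get("url", ""))
        if m:
            hits.append("c2_mybigeye_client_id")
            if m.group(1) not in (None, "80", "443"):
                hits.append("nonstandard_port")
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Run classify() over a batch and return (event index, indicator) pairs."""
    return [(i, h) for i, e in enumerate(events) for h in classify(e)]


# Constructed sample telemetry (not from the report; IDs are placeholders)
SAMPLE_EVENTS = [
    {"type": "process",
     "cmdline": r'C:\Windows\SysWOW64\mshta.exe "C:\Windows\System32\mshta.exe" '
                r'C:\Users\u\Downloads\Notepad_Ver_Ab3dE9fGh11698765432100.hta'},
    {"type": "process", "cmdline": r"C:\Windows\System32\notepad.exe notes.txt"},
    {"type": "network", "url": "http://mybigeye.icu:8443/gate?client_id=PLACEHOLDER_ID"},
    {"type": "network", "url": "https://notepad-plus-plus.org/downloads/"},
]

if __name__ == "__main__":
    for idx, indicator in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {indicator}")
```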

Indicators of Compromise

  • [Domain] Ad domains – switcodes[.]com, karelisweb[.]com, jquerywins[.]com, mojenyc[.]com
  • [Domain] Fake Notepad++ site – notepadxtreme[.]com
  • [Domain] Script C2 – mybigeye[.]icu

Read more: https://www.malwarebytes.com/blog/threat-intelligence/2023/10/the-forgotten-malvertising-campaign