Keypoints
- ASEC discovered a tampered mimeTools.dll bundled in official-looking Notepad++ packages, replacing the legitimate plugin with a malicious version.
- The malicious mimeTools.dll contains encoded shellcode stored in certificate.pem, which is Base64-decoded and AES-decrypted (key: wqviIfew62w0zgP97yw9G2nqlHFKkggQ) to produce executable shellcode.
- Because mimeTools.dll is loaded automatically by Notepad++, the injected code executes on program start, using indirect syscalls to bypass native-API monitoring.
- The initial shellcode overwrites the EntryPoint/export (GetBingMapsFactory) of BingMaps.dll, then performs thread injection into explorer.exe (NtAllocateVirtualMemory, NtWriteVirtualMemory, NtCreateThreadEx) to run from explorer memory.
- The injected explorer.exe process reconstructs C2 URLs from obfuscated strings (selecting odd-numbered characters), sends Base64-encoded system info in request headers, and retrieves additional shellcode from C2 (the download slot was empty at the time of analysis).
- The malware checks running process names via a simple SHIFT/XOR hash to detect analysis/sandbox tools (e.g., vmtoolsd.exe, x64dbg.exe, Procmon.exe) and exits if such tools are present.
- IoCs include multiple MD5 hashes for packages and files (mimeTools.dll, certificate.pem) and a list of compromised WordPress-hosted C2 endpoints.
MITRE Techniques
- [T1574] Hijack Execution Flow – The attacker replaces the default plugin so the DLL is loaded automatically and malware runs on app start (‘mimeTools.dll is a default plug-in of Notepad++, it is automatically loaded when the program is launched.’).
- [T1055] Process Injection – The shellcode injects into explorer.exe using thread injection APIs to execute from a legitimate process (‘The shellcode being overwritten in turn performs thread injection into explorer.exe.’).
- [T1027] Obfuscated Files or Information – The embedded payload is obfuscated via Base64 and AES before being transformed into shellcode (‘Base64 Decoding; AES Decrypt (key: wqviIfew62w0zgP97yw9G2nqlHFKkggQ)’).
- [T1564] Hide Artifacts (Indirect Syscall) – Execution uses indirect syscall techniques to bypass AV by jumping directly to syscall code and avoiding monitored Native API hooks (‘it hooks ntdll and bypasses anti-malware products monitoring the Native API.’).
- [T1105] Ingress Tool Transfer – After initial execution, the malware contacts C2 and downloads additional shellcode for further execution (‘Ultimately, an additional shellcode is downloaded and executed from the C2 server.’).
- [T1497] Virtualization/Sandbox Evasion – The injected code computes simple hashes of running process names and terminates if known analysis tools or VM services are present (‘the function … has a process for checking analysis environments such as VM to terminate the process.’).
- [T1570] Lateral Tool Transfer / Code Modification – The malware modifies the EntryPoint and export (GetBingMapsFactory) of BingMaps.dll to redirect execution to shellcode (‘the code within the BingMaps.dll->GetBingMapsFactory() function is overwritten with the malicious shellcode.’).
Indicators of Compromise
- [MD5] Malicious package / file hashes – c4ac3b4ce7aa4ca1234d2d3787323de2 (npp.8.6.3.portable.x64.zip), 6136ce65b22f59b9f8e564863820720b (mimeTools.dll), and 4 more hashes.
- [File Name] Embedded malicious files – certificate.pem (contains encoded shellcode), mimeTools.dll (tampered Notepad++ plugin).
- [Package] Affected installers – npp.8.6.3.portable.x64.zip, npp.8.6.4.portable.x64.zip (malicious package versions identified).
- [C2 URL] Command-and-control endpoints (WordPress-hosted) – hxxps://car***************.com/wp-content/themes/twentytwentytwo/nnzknr.php?id=1, hxxps://pro**********.net/wp-content/themes/twentytwentythree/hyhnv3.php?id=1, and several other similar endpoints.
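A defender's first question is whether an installed Notepad++ tree carries the tampered plugin. The following Python script is an added example, not ASEC's tooling: it walks an install directory, hashes every file, and reports matches against the MD5 indicators listed above, plus any certificate.pem (the payload carrier the report names). The assumption that a clean Notepad++ tree ships no certificate.pem, the directory layout of the constructed sample, and the demo() helper are mine, not from the report.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# MD5 indicators taken from the ASEC report above.
KNOWN_BAD_MD5 = {
    "c4ac3b4ce7aa4ca1234d2d3787323de2": "npp.8.6.3.portable.x64.zip",
    "6136ce65b22f59b9f8e564863820720b": "mimeTools.dll",
}

# File names the report ties to the tampered plugin. Assumption: a clean
# Notepad++ tree does not contain a certificate.pem, so its presence is
# worth a closer look even when the hash is unknown.
SUSPICIOUS_NAMES = {"certificate.pem"}


def md5_of(path):
    """Stream the file through MD5 (the digest type the IoC list uses)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, bad_md5=KNOWN_BAD_MD5, names=SUSPICIOUS_NAMES):
    """Return (path, reason) findings for every file under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            digest = md5_of(p)
            if digest in bad_md5:
                findings.append((str(p), f"md5 matches IoC for {bad_md5[digest]}"))
            if name.lower() in names:
                findings.append((str(p), f"{name} present (report's payload carrier name)"))
    return findings


def demo():
    """Constructed sample tree (not a real install): one stand-in plugin whose
    own hash is added to the bad set so the match path is exercised, one
    certificate.pem, and one benign file that must not be reported."""
    with tempfile.TemporaryDirectory() as tmp:
        plug = Path(tmp) / "plugins" / "mimeTools"
        plug.mkdir(parents=True)
        dll = plug / "mimeTools.dll"
        dll.write_bytes(b"MZ constructed sample, not the real plugin")
        (plug / "certificate.pem").write_text("constructed payload stand-in")
        (Path(tmp) / "notepad++.exe").write_bytes(b"MZ benign stand-in")
        bad = dict(KNOWN_BAD_MD5)
        bad[md5_of(dll)] = "mimeTools.dll (constructed sample)"
        return sorted(reason for _path, reason in scan_tree(tmp, bad))


if __name__ == "__main__":
    for reason in demo():
        print(reason)
```

On a real host point scan_tree at the Notepad++ install directory (portable unzip location or the Program Files tree) with the default KNOWN_BAD_MD5; a hash match is a confirmed indicator, while a certificate.pem hit only flags the file for manual review, since the attacker can trivially re-pack a new hash.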
ASEC analysis (technical rewrite):
The attacker replaced the default Notepad++ plugin mimeTools.dll inside distributed Notepad++ packages so the malicious DLL loads automatically when Notepad++ starts. The tampered DLL contains an encoded payload file (certificate.pem); the payload is Base64-decoded and AES-decrypted (key: wqviIfew62w0zgP97yw9G2nqlHFKkggQ) using Crypt32.dll/BCrypt.dll calls to produce in-memory shellcode. Execution employs indirect syscall jumps to bypass native-API monitoring, and the initial shellcode executes within the Notepad++ process (with an observed ~10-minute delay guard).
The in-memory shellcode overwrites the BingMaps.dll EntryPoint/export (GetBingMapsFactory) and uses a thread manipulation sequence (NtCreateThreadEx → NtGetContextThread → NtSetContextThread to set RIP → ResumeThread) to redirect execution into the overwritten export. That thread checks running processes via a simple SHIFT/XOR name hash to detect VMs and analysis tools (e.g., vmtoolsd.exe, x64dbg.exe, Procmon.exe) and exits if detected. When explorer.exe is targeted, the malware allocates memory in explorer (NtAllocateVirtualMemory), writes the shellcode (NtWriteVirtualMemory), and creates a thread to execute it (NtCreateThreadEx), moving malicious execution to explorer’s context.
From explorer memory the malware reconstructs obfuscated C2 URLs by selecting odd-numbered characters, sends Base64-encoded system info (computer name, user, admin status, language, system time) in HTTP headers, and searches the C2 response for a specific marker to extract additional shellcode (offset search for ‘on><!–gmail ‘). The analyzed C2 presented a WordPress-like login page (initially appearing as “WikiLoader”); at analysis time the additional shellcode offset was empty but the infrastructure delivered further payloads when active.
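Both the key point about C2 reconstruction and the paragraph above describe the same trick: the real URL is hidden inside a longer string and recovered by taking every second character. An analyst reversing a sample wants the inverse, and the following Python is an added example (not ASEC's code) that tries both readings of "odd-numbered" (1-based odd positions, i.e. indexes 0,2,4..., and 0-based odd indexes 1,3,5...) over a strings-style dump and keeps whichever yields a URL. The regular expression generalises the two endpoints shown in the IoC list (a short random .php under /wp-content/themes/<theme>/ with ?id=1); the placeholder host c2-placeholder.invalid, the filler characters, and the demo() helper are constructed for the example.

```python
import re

# Shape of the C2 paths in the report: compromised WordPress theme directory
# holding a six-character .php name with ?id=N. Assumption: generalised from
# the two endpoints the page lists, not a rule stated by ASEC.
C2_PATH_RE = re.compile(
    r"^https?://[^/\s]+/wp-content/themes/[^/\s]+/[a-z0-9]{6}\.php\?id=\d+$"
)


def de_interleave(s):
    """Both readings of 'odd-numbered characters': indexes 0,2,4,... (1-based
    odd positions) and indexes 1,3,5,... (0-based odd indexes)."""
    return (s[0::2], s[1::2])


def recover_url(obfuscated):
    """Return whichever reading yields a URL, or None if neither does."""
    for cand in de_interleave(obfuscated):
        if cand.startswith(("http://", "https://")):
            return cand
    return None


def recover_urls_from_strings(lines):
    """Run recover_url over a strings(1)-style dump; each hit is tagged with
    whether it matches the report's WordPress C2 path shape."""
    hits = []
    for line in lines:
        url = recover_url(line.strip())
        if url:
            hits.append((url, bool(C2_PATH_RE.match(url))))
    return hits


# Constructed sample input: a placeholder URL interleaved with filler
# characters, standing in for the obfuscated strings the report describes.
_REAL = "https://c2-placeholder.invalid/wp-content/themes/twentytwentytwo/nnzknr.php?id=1"
_FILLER = "kq8z4w1pm3"
_INTERLEAVED = "".join(c + _FILLER[i % len(_FILLER)] for i, c in enumerate(_REAL))
SAMPLE_STRINGS = [
    "kernel32.dll",          # ordinary import name, must not produce a hit
    _INTERLEAVED,            # real characters at even indexes
    "x" + _INTERLEAVED,      # shifted by one: real characters at odd indexes
]


def demo():
    return recover_urls_from_strings(SAMPLE_STRINGS)


if __name__ == "__main__":
    for url, is_c2_shape in demo():
        print(f"{url}  c2-shape={is_c2_shape}")
```

Feeding the output of strings on a memory dump of the injected explorer.exe region through recover_urls_from_strings gives a quick list of candidate endpoints to block and to search for in proxy logs; the c2-shape flag separates hits that look like the report's infrastructure from incidental URLs.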
Read more: https://asec.ahnlab.com/en/64106/