Infrastructure delivering updates for Notepad++—a widely used text editor for Windows—was compromised for six months by suspected China-state hackers who used their control to deliver backdoored versions of the app to select targets, developers said Monday.
“I deeply apologize to all users affected by this hijacking,” the author of a post published to the official notepad-plus-plus.org site wrote Monday. The post said that the attack began last June with an “infrastructure-level compromise that allowed malicious actors to intercept and redirect update traffic destined for notepad-plus-plus.org.” The attackers, whom multiple investigators tied to the Chinese government, then selectively redirected certain targeted users to malicious update servers where they received backdoored updates. Notepad++ didn’t regain control of its infrastructure until December.
The attackers used their access to install a never-before-seen payload that has been dubbed Chrysalis. Security firm Rapid 7 described it as a “custom, feature-rich backdoor.”
“Its wide array of capabilities indicates it is a sophisticated and permanent tool, not a simple throwaway utility,” company researchers said.
Hands-On Keyboard Hacking
Notepad++ said that officials with the unnamed provider hosting the update infrastructure consulted with incident responders and found that it remained compromised until September 2. Even then, the attackers maintained credentials to the internal services until December 2, a capability that allowed them to continue redirecting selected update traffic to malicious servers. The threat actor “specifically targeted Notepad++ domain with the goal of exploiting insufficient update verification controls that existed in older versions of Notepad++.” Event logs indicate that the hackers tried to re-exploit one of the weaknesses after it was fixed but that the attempt failed.
According to independent researcher Kevin Beaumont, three organizations told him that devices inside their networks that had Notepad++ installed experienced “security incidents” that “resulted in hands on keyboard threat actors,” meaning the hackers were able to take direct control using a web-based interface. All three of the organizations, Beaumont said, have interests in East Asia.
The researcher explained that his suspicions were aroused when Notepad++ version 8.8.8 introduced bug fixes in mid-November to “harden the Notepad++ Updater from being hijacked to deliver something… not Notepad++.”
The update made changes to a bespoke Notepad++ updater known as GUP, or alternatively, WinGUP. The gup.exe executable responsible reports the version in use to https://notepad-plus-plus.org/update/getDownloadUrl.php and then retrieves a URL for the update from a file named gup.xml. The file specified in the URL is downloaded to the %TEMP% directory of the device and then executed.
Beaumont wrote:
If you can intercept and change this traffic, you can redirect the download to any location it appears by changing the URL in the property.
This traffic is supposed to be over HTTPS, however it appears you may be [able] to tamper with the traffic if you sit on the ISP level and TLS intercept. In earlier versions of Notepad++, the traffic was just over HTTP.
The downloads themselves are signed—however some earlier versions of Notepad++ used a self signed root cert, which is on Github. With 8.8.7, the prior release, this was reverted to GlobalSign. Effectively, there’s a situation where the download isn’t robustly checked for tampering.
Because traffic to notepad-plus-plus.org is fairly rare, it may be possible to sit inside the ISP chain and redirect to a different download. To do this at any kind of scale requires a lot of resources.
Beaumont published his working theory in December, two months to the day prior to Monday’s advisory by Notepad++. Combined with the details from Notepad++, it’s now clear that the hypothesis was spot on.
Beaumont also warned that search engines are so “rammed full” of advertisements pushing trojanized versions of Notepad++ that many users are unwittingly running them inside their networks. A rash of malicious Notepad++ extensions only compounds the risk.
