Notepad++ 8.8.9 Released: Fixing Critical Update Vulnerability
Red Hot Cyber

Redazione RHC  16 December 2025 15:01

The developers of the popular text editor Notepad++ have released version 8.8.9, which fixes a flaw in the automatic update system. The issue came to light after some users and investigators discovered that, instead of downloading legitimate updates, the system was downloading malicious executables.

The first hints of the problem emerged in the Notepad++ community forums.

For example, one user reported that the GUP.exe (WinGUp) update tool was running a suspicious-looking file, %Temp%\AutoUpdater.exe, which had begun collecting system data.

The malware executed typical reconnaissance commands and saved the results in the a.txt file:

  • cmd /c netstat -ano >> a.txt
  • cmd /c systeminfo >> a.txt
  • cmd /c tasklist >> a.txt
  • cmd /c whoami >> a.txt

After collecting the data, curl.exe was used to send a file to temp[.]sh, a file and text sharing service previously seen in other malware campaigns. Because GUP uses the libcurl library, not curl.exe, and doesn’t collect such information at all, forum members speculated that the user had installed an unofficial, infected build of Notepad++ or that the update traffic was intercepted.
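As an added example (not from the article or the Notepad++ project), the sketch below turns the behaviour described above into a triage check over process-creation events: it follows GUP.exe's process tree and flags the AutoUpdater.exe child, the four reconnaissance commands, and curl.exe, which GUP itself does not use. The event field names and the sample events are constructed, events are assumed to arrive in creation order, and PID reuse is ignored.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

# The four commands listed in the article, redirected into a.txt.
RECON = re.compile(
    r"cmd(\.exe)?\s+/c\s+(netstat -ano|systeminfo|tasklist|whoami)\s*>>\s*a\.txt", re.I)

# Constructed process-creation events (not real telemetry); field names are assumptions.
T = r"C:\Users\u1\AppData\Local\Temp"
EVENTS = [
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Notepad++\updater\GUP.exe", "cmd": "GUP.exe"},
    {"pid": 300, "ppid": 200, "image": T + r"\AutoUpdater.exe", "cmd": "AutoUpdater.exe"},
    {"pid": 301, "ppid": 300, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd /c netstat -ano >> a.txt"},
    {"pid": 302, "ppid": 300, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd /c whoami >> a.txt"},
    {"pid": 303, "ppid": 300, "image": r"C:\Windows\System32\curl.exe", "cmd": "curl.exe <args elided> temp.sh"},
    # Benign control: the same command run outside the updater's process tree.
    {"pid": 400, "ppid": 50, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd /c whoami >> a.txt"},
]

def triage(events):
    """Return {pid: [rule names]} for suspicious processes descended from GUP.exe."""
    gup_tree, hits = set(), {}
    for ev in events:
        name = basename(ev["image"]).lower()
        if name == "gup.exe":
            gup_tree.add(ev["pid"])
            continue
        if ev["ppid"] not in gup_tree:
            continue  # not a descendant of the updater
        gup_tree.add(ev["pid"])  # track grandchildren as well
        rules = []
        if name == "autoupdater.exe" and "\\temp\\" in ev["image"].lower():
            rules.append("autoupdater_in_temp")
        if RECON.search(ev["cmd"]):
            rules.append("recon_to_a_txt")
        if name == "curl.exe":  # GUP uses libcurl, so curl.exe in its tree is anomalous
            rules.append("curl_exe_under_gup")
            if "temp.sh" in ev["cmd"].lower():
                rules.append("upload_to_temp_sh")
        if rules:
            hits[ev["pid"]] = rules
    return hits

if __name__ == "__main__":
    for pid, rules in triage(EVENTS).items():
        print(pid, rules)
```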

To reduce the risk of traffic interception, developer Don Ho released version 8.8.8 on November 18th, which downloads updates only from GitHub. However, this solution proved insufficient. Therefore, version 8.8.9 was released on December 9th, with stricter security measures: the editor will now not install updates unless they are signed by the developer’s certificate.

“Starting with this release, Notepad++ and WinGUP will check the signature and certificate of downloaded installers during the update process. If this check fails, the update will be aborted,” the official announcement reads.

It’s worth noting that in early December, renowned cybersecurity specialist Kevin Beaumont stated that he was aware of three organizations experiencing Notepad++-related incidents. “I’ve been contacted by three companies experiencing security issues on computers running Notepad++. It appears that editing processes were being used as the primary entry point,” Beaumont wrote. “As a result, the attackers were resorting to manual intervention.”

The researcher noted that all the affected organizations had interests in East Asia and that the malicious activity appeared targeted. When Notepad++ checks for updates, it accesses https://notepad-plus-plus.org/update/getDownloadUrl.php?version=. If a new version is available, the server returns an XML file with the path to the update.

Beaumont speculated that the automatic update mechanism may have been compromised to distribute malicious updates that would have allowed attackers remote access.

The specialist also noted that attackers often use malicious advertisements to distribute infected versions of Notepad++, which ultimately install malware. The official Notepad++ security bulletin also contains some uncertainty. The investigation is ongoing, and the exact method of traffic interception has not yet been determined.

It is strongly recommended that all users update to Notepad++ 8.8.9. Please also note that starting with version 8.8.7, all official binaries and installers must be signed with a valid certificate. If you have a previous custom root certificate installed, you must remove it.
