Emphasization of Trojan ads on Chinese users via misleading Notepad++ and VNote installers

Chinese customers search for genuine software like Notepad++ and VNote on search engines such as Baidu. Malicious adverts and fake links are targeting these search engines. As a result, it leads to the distribution of trojanized versions of the program and, eventually, the deployment of Geacon, a Golang-based deployment of Cobalt Strike.

Kaspersky researcher Sergey Puzan explained, "The malicious site found in the notepad++ search is distributed through an advertisement block."

Upon opening, users will discover an interesting inconsistency:-

The website URL contains the line vnote, the headline offers a download of Notepad‐‐ which is known as an analog of Notepad++. Besides, it was also released as open-source software.

The website, vnote.fuwenkeji[.]cn, offers download links to the software's Windows, Linux, and macOS versions. One of the interesting things about this software is that it also comes with the Windows edition. This edition is connected to the official Gitee repository that holds the Notepad-- installer ("Notepad--v2.10.0-plugin-Installer.exe").

On the other hand, Linux and macOS versions result in malicious installation packages stored at vote-1321786806.cos.ap-hongkong.myqcloud[.]com.


Similarly, the phony VNote look-alike websites ("vnote[.]info" and "vnotepad[.]com") lead to the same set of myqcloud[.]com links. Presently, it is directed to a Windows installation housed on the domain. However, the links to possibly malicious versions of VNote are no longer available.

An investigation of the modified Notepad-- installers suggests that they are intended to fetch a next-stage payload from a remote server, like Geacon.

What is the best part of this modified Notepad? Well, It can establish- SSH connections, Conduct file operations, Enumerate processes, Access clipboard content, Execute files, Upload and download files, Capture screenshots, and Facilitate command and control (C2).

The revelation comes as malvertising campaigns have also served as a conduit for other malware, including FakeBat (aka EugenLoader) malware. The interesting part is that it uses MSIX installation packages disguised as Microsoft OneNote, Notion, and Trello.