Notepad++ fixed updater bugs that allowed malicious update hijacking
Summary: Notepad++ fixed a flaw in its updater that let attackers hijack update traffic, because update files were weakly authenticated, and use it to deliver malware. Researchers observed attacks on telecom and finance organizations in East Asia and suspect a China-based actor. The new version forces update downloads from GitHub to prevent interception and tightens the validation mechanism. 2025-12-12 22:16:28 Source: securityaffairs.com

Pierluigi Paganini December 12, 2025

Notepad++ addressed an updater vulnerability that allowed attackers to hijack update traffic due to weak authentication of update files.

Notepad++ addressed a flaw in its updater that allowed attackers to hijack update traffic due to improper authentication of update files in earlier versions.

The popular security researcher Kevin Beaumont first reported that several Notepad++ users faced security incidents. He later noted the attacks, targeting telecom and finance firms in East Asia, likely came from China. The expert also speculated that the attackers were exploiting a vulnerability in Notepad++.

“I’ve heard from 3 orgs now who’ve had security incidents on boxes with Notepad++ installed, where it appears Notepad++ processes have spawned the initial access. These have resulted in hands on keyboard threat actors.” wrote Beaumont.

In mid-November, Notepad++ released an update to harden its GUP/WinGUP updater after discovering it could be hijacked. GUP contacts a Notepad++ URL, retrieves gup.xml with the update download link, saves the downloaded file in %TEMP%, then executes it. An attacker who can intercept this traffic (previously plain HTTP, now HTTPS, but still interceptable at the ISP level while certificate validation remains weak) can alter the <Location> field to point the updater at a malicious file.

Beaumont explained that although downloads are signed, older Notepad++ versions validated them against a self-signed root certificate that is publicly available on GitHub, which weakens the check. Because traffic to notepad-plus-plus.org is rare, ISP-level redirection is feasible for well-resourced actors and unlikely to be noticed.

Notepad++ 8.8.8 fixes the updater issue by forcing updates to download only from GitHub, making interception far harder.
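The following is an added example, not WinGUP's or Notepad++'s own code, that models the updater decision described above: the legacy path fetches whatever <Location> says, while the hardened path refuses anything that is not https on an allowlisted GitHub host. The gup.xml documents are constructed; only the <Location> element is taken from the article, the other element names and the exact allowlist are assumptions.

```python
"""Added example (not Notepad++/WinGUP code): weak vs hardened handling of the
<Location> URL in a gup.xml update response."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed gup.xml responses. <Location> is the field named in the article;
# <NeedToBeUpdated> and <Version> are assumed element names for illustration.
LEGIT_URL = ("https://github.com/notepad-plus-plus/notepad-plus-plus/"
             "releases/download/v8.8.8/npp.8.8.8.Installer.x64.exe")
HIJACKED_URL = "http://update-mirror.example/npp.8.8.8.Installer.x64.exe"

LEGIT_GUP_XML = f"""<?xml version="1.0"?>
<GUP>
  <NeedToBeUpdated>yes</NeedToBeUpdated>
  <Version>8.8.8</Version>
  <Location>{LEGIT_URL}</Location>
</GUP>"""

# The same document after an on-path attacker rewrites <Location>.
HIJACKED_GUP_XML = LEGIT_GUP_XML.replace(LEGIT_URL, HIJACKED_URL)

# Assumed allowlist: GitHub plus the host GitHub redirects release downloads
# to (both appear in the article's indicator list).
ALLOWED_HOSTS = {"github.com", "release-assets.githubusercontent.com"}


def extract_location(gup_xml: str) -> str:
    """Pull the download link out of a gup.xml response."""
    root = ET.fromstring(gup_xml)
    loc = root.findtext("Location")
    if loc is None:
        raise ValueError("gup.xml has no <Location>")
    return loc.strip()


def legacy_download_url(gup_xml: str) -> str:
    """Old behaviour: the URL in <Location> is fetched and executed as-is."""
    return extract_location(gup_xml)


def hardened_download_url(gup_xml: str) -> str:
    """Hardened behaviour: only https, only an allowlisted host, else refuse.

    urlsplit().hostname is used rather than string matching so that tricks
    like https://github.com@evil.example/ or github.com.evil.example fail.
    """
    url = extract_location(gup_xml)
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        raise ValueError(f"refusing non-https update location: {url}")
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"refusing update from non-allowlisted host {host!r}")
    return url


def hardened_accepts(gup_xml: str) -> bool:
    """True if the hardened policy would fetch the <Location> URL."""
    try:
        hardened_download_url(gup_xml)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("legacy would fetch:", legacy_download_url(HIJACKED_GUP_XML))
    print("hardened accepts legit:", hardened_accepts(LEGIT_GUP_XML))
    print("hardened accepts hijacked:", hardened_accepts(HIJACKED_GUP_XML))
```

The allowlist limits where an attacker who can rewrite gup.xml can send the updater, but it does not replace TLS certificate validation against a real trust store or an Authenticode check on the downloaded installer; both are still needed for the download itself to be trustworthy.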

“I’ve only talked to a small number of victims. They are orgs with interests in East Asia. Activity appears very targeted. Victims report hands on keyboard recon activity, with activity starting around two months ago.” continues Beaumont.

Signs of compromise include:

  • gup.exe contacting domains other than notepad-plus-plus.org, github.com, or release-assets.githubusercontent.com
  • gup.exe spawning unusual processes (it should only launch explorer.exe and legitimate, properly signed Notepad++ installers)
  • Suspicious files like update.exe or AutoUpdater.exe in %TEMP%
  • Use of curl.exe calling out to temp.sh for reconnaissance
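As an added example (not from the article, Beaumont, or Notepad++), the four indicators above expressed as detection logic over constructed Sysmon-style events. The event field names, file paths, the signer string and the installer filename pattern are assumptions made for the example.

```python
"""Added example: hunt the Notepad++ updater indicators over constructed
endpoint telemetry. Field names and paths are assumptions, not a real schema."""
import ntpath
import re

# Hosts gup.exe may legitimately contact (from the article's indicator list).
GUP_ALLOWED_HOSTS = {"notepad-plus-plus.org", "github.com",
                     "release-assets.githubusercontent.com"}
# File names called out as suspicious when they appear in %TEMP%.
SUSPICIOUS_TEMP_NAMES = {"update.exe", "autoupdater.exe"}
# Assumed shape of a legitimate installer name, e.g. npp.8.8.8.Installer.x64.exe.
INSTALLER_RE = re.compile(r"^npp\.[\d.]+\.installer(\.x64|\.arm64)?\.exe$", re.I)
# Placeholder for the expected Authenticode signer; the real subject differs.
EXPECTED_SIGNER = "Notepad++"

GUP = r"C:\Program Files\Notepad++\updater\GUP.exe"
TEMP = r"C:\Users\alice\AppData\Local\Temp"

# Constructed events: "net" = outbound connection, "proc" = process creation,
# "file" = file written. None of these are real telemetry.
EVENTS = [
    {"type": "net", "image": GUP, "dest_host": "notepad-plus-plus.org"},
    {"type": "net", "image": GUP, "dest_host": "release-assets.githubusercontent.com"},
    {"type": "net", "image": GUP, "dest_host": "update-mirror.example"},
    {"type": "proc", "parent": GUP, "image": r"C:\Windows\explorer.exe"},
    {"type": "proc", "parent": GUP, "image": TEMP + r"\npp.8.8.8.Installer.x64.exe",
     "signer": EXPECTED_SIGNER},
    {"type": "proc", "parent": GUP, "image": TEMP + r"\update.exe", "signer": None},
    {"type": "file", "image": GUP, "target": TEMP + r"\AutoUpdater.exe"},
    {"type": "proc", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\curl.exe", "cmdline": "curl.exe https://temp.sh/"},
]


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path; ntpath works on any OS."""
    return ntpath.basename(path).lower()


def _is_gup(path: str) -> bool:
    return _base(path) == "gup.exe"


def _in_temp(path: str) -> bool:
    return "\\temp\\" in path.lower()


def hunt(events):
    """Return one finding string per event that matches an indicator."""
    findings = []
    for ev in events:
        kind = ev["type"]
        if kind == "net" and _is_gup(ev["image"]):
            host = ev["dest_host"].lower()
            if host not in GUP_ALLOWED_HOSTS:
                findings.append(f"gup_unexpected_destination:{host}")
        elif kind == "proc":
            child = _base(ev["image"])
            if _is_gup(ev["parent"]):
                # Only explorer.exe or a properly signed installer is expected.
                is_signed_installer = (bool(INSTALLER_RE.match(child))
                                       and ev.get("signer") == EXPECTED_SIGNER)
                if child != "explorer.exe" and not is_signed_installer:
                    findings.append(f"gup_unexpected_child:{child}")
            if child == "curl.exe" and "temp.sh" in ev.get("cmdline", "").lower():
                findings.append("curl_to_temp_sh")
        elif kind == "file":
            name = _base(ev["target"])
            if _in_temp(ev["target"]) and name in SUSPICIOUS_TEMP_NAMES:
                findings.append(f"suspicious_temp_file:{name}")
    return findings


if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(finding)
```

The child-process rule is the one most worth tuning: a real deployment should verify the installer's signature from the telemetry source rather than trust a signer string, and treat an unsigned binary launched from %TEMP% by gup.exe as a high-confidence hit.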

However, it is still unclear how attackers hijacked updater traffic in the wild. Beaumont speculates that threat actors may have intercepted traffic at the ISP level to deliver malicious updates, though this would require substantial resources.

Notepad++ confirmed that its WinGUP updater was sometimes redirected to malicious servers, causing users to download compromised executables. The developers found a flaw in how the updater verified the authenticity and integrity of update files. If an attacker intercepted the traffic between the updater and Notepad++’s servers, they could force it to download and run a malicious binary instead of the legitimate update.

“The review of the reports led to identification of a weakness in the way the updater validates the integrity and authenticity of the downloaded update file.” reads the report published by Notepad++. “In case an attacker is able to intercept the network traffic between the updater client and the Notepad++ update infrastructure, this weakness can be leveraged by an attacker to prompt the updater to download and execute an unwanted binary (instead of the legitimate Notepad++ update binary). To mitigate this weakness and address the hijacking concerns raised by the security researchers, a new security enhancement is being introduced in this release of Notepad++.”

Pierluigi Paganini

(SecurityAffairs – hacking, Notepad++)

Source: https://securityaffairs.com/185622/hacking/notepad-fixed-updater-bugs-that-allowed-malicious-update-hijacking.html