Severity
High
Analysis Summary
Researchers have discovered a sophisticated cyberattack targeting users of Notepad++, a widely used text and code editor. Threat actors modified a default plugin shipped in the Notepad++ package, potentially compromising the security of every system on which the tampered package is installed.
The plugin in question, "mimeTools.dll," is a built-in Notepad++ component that provides encoding functions such as Base64. It is included in the default package and loaded automatically whenever Notepad++ starts, a behaviour the attackers took advantage of. By modifying the mimeTools.dll file, they were able to pass the malicious code off as a legitimate component of the Notepad++ package.
This technique, a form of DLL hijacking, relies on the plugin's automatic loading to run the malicious code embedded in it without the user's awareness. When Notepad++.exe is opened, the compromised mimeTools.dll is loaded and the hidden malware is activated. Along with the encrypted malicious shellcode, the attackers inserted the decryption and execution code into mimeTools.dll.
Thorough analysis by security researchers found that the malicious shellcode is contained in the "certificate.pem" file inside the modified package. All of the plugin's original features remain functional despite the tampering; the only code that has changed is the DllEntryPoint. This means the malicious activity begins as soon as the DLL loads, whether or not the user invokes any particular plugin feature.

The malware's execution flow is as follows: running Notepad++ loads the malicious mimeTools.dll, which decrypts and executes the shellcode from the certificate.pem file. In a later stage of the attack, communication with a command-and-control (C2) server is used to decrypt additional code and run further shellcode. The C2 server has since been found to display a WordPress login page, although it originally masqueraded as a Wiki site, which is the origin of the malware's name, "WikiLoader."
At the time of analysis, the additional shellcode at the designated offset in the C2 server's response was empty. There is still reason for concern about further malicious activity: the C2 server's URLs remain reachable, which suggests the threat actors could change their tactics or update the payload at any time.
The discovery of this malware is a clear reminder of the importance of always downloading software from official distribution sites. Users are advised to exercise the utmost caution with cracked software or software obtained from unidentified sources. Notepad++ users are strongly encouraged to update their software from the official Notepad++ website and to verify the integrity of their installations while the security community works to address this problem.
It is also advisable to run a thorough system scan with a reliable antivirus tool to confirm that the malware has been completely removed. This incident underlines how quickly cyber threats evolve and how important continued vigilance is. To defend against such stealthy attacks, users and organizations need to stay well informed and maintain strong security procedures.
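As an added example (not code from the advisory or from the Notepad++ project), the following Python script implements the integrity check recommended above: it baselines a known-clean install directory, then flags plugin DLLs whose SHA-256 has changed and unexpected files such as a certificate.pem dropped beside mimeTools.dll. The directory layout and all file contents are constructed for the demo; the advisory publishes no clean hash for mimeTools.dll, so a real baseline must be taken from a clean install of the same Notepad++ version.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """SHA-256 of a file, hashed in chunks so large DLLs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def _walk(install_dir):
    # Yield (relative path with '/' separators, absolute path) for every file in the tree.
    for root, _, files in os.walk(install_dir):
        for name in files:
            full = os.path.join(root, name)
            yield os.path.relpath(full, install_dir).replace(os.sep, "/"), full

def build_baseline(install_dir):
    """Hash every file; run this on a known-clean install of the same Notepad++ version."""
    return {rel: sha256_file(full) for rel, full in _walk(install_dir)}

def check_install(install_dir, baseline):
    """Compare an install to the baseline; report modified, unexpected and missing files."""
    findings, seen = [], set()
    for rel, full in _walk(install_dir):
        seen.add(rel)
        if rel not in baseline:
            findings.append(("unexpected_file", rel))  # e.g. a dropped certificate.pem
        elif sha256_file(full) != baseline[rel]:
            findings.append(("modified", rel))  # e.g. a trojanised mimeTools.dll
    findings += [("missing", rel) for rel in baseline if rel not in seen]
    return sorted(findings)

def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)

def demo():
    """Constructed scenario: baseline a clean tree, then tamper with it as described above."""
    with tempfile.TemporaryDirectory() as d:
        plugin_dir = os.path.join(d, "plugins", "mimeTools")  # constructed layout, not a real install
        _write(os.path.join(d, "notepad++.exe"), b"constructed exe bytes")
        _write(os.path.join(plugin_dir, "mimeTools.dll"), b"constructed clean dll bytes")
        baseline = build_baseline(d)
        _write(os.path.join(plugin_dir, "mimeTools.dll"), b"constructed trojanised dll")
        _write(os.path.join(plugin_dir, "certificate.pem"), b"constructed, not a real cert")
        return check_install(d, baseline)
```

In production, generate the baseline once from a verified clean install and store it outside the Notepad++ directory so a tampered package cannot overwrite it.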
Impact
- Code Execution
- Unauthorized Access
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Be vigilant when downloading software and double-check the URL to see if it is legitimate.
- Never download software from untrusted sources.
- Download apps only from official app stores like Google Play Store or Apple App Store. Avoid downloading apps from third-party websites or unofficial sources.
- Review the permissions requested by apps before installing them. Be cautious of apps that request unnecessary permissions or access to sensitive data.
- Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
- Keep your operating system and apps up to date with the latest security patches and updates.
- Enable antivirus and anti-malware software and update signature definitions on time. Multi-layered protection is necessary to secure vulnerable assets.
- Along with network and system hardening, implement code hardening within the organization so that its websites and software are secure. Use testing tools to detect vulnerabilities in deployed code.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Be cautious of unsolicited messages, emails, or links, especially from unknown or suspicious sources. Avoid clicking on suspicious links or downloading attachments from untrusted sources.
- Patch and upgrade all platforms and software in a timely manner and make this a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
- Regularly backup your data to a secure location, such as a cloud storage service or external hard drive.
- Develop and regularly update an incident response plan that outlines the steps to take in case of a security breach. Test the plan through simulations to ensure its effectiveness.