A new and sophisticated malware campaign is underway, with threat actors disguising malicious proxyware as legitimate Notepad++ software tools. This campaign, attributed to the threat actor Larva-25012, has been observed primarily targeting users in South Korea. The attackers are luring victims through deceptive advertisement pages and fake download portals that promote cracked software, ultimately hijacking their internet bandwidth without consent to generate revenue.
This method of exploiting network resources is known as proxyjacking, a technique that financially benefits attackers by enabling them to share victims’ internet bandwidth with external parties. It operates similarly to cryptojacking, which monetizes computing power, but in this case, the valuable asset is the user’s internet connection. The malware is distributed via GitHub repositories, presented as either MSI installers or ZIP archives that contain both genuine Notepad++ components and hidden malicious code.
Exploiting Trust: The Notepad++ Proxyware Deception
The primary vector for this malicious proxyware involves tricking users into downloading what they believe to be legitimate software. Websites posing as download portals for pirated software are used to distribute the malware. These sites often promote popular and useful tools, including Notepad++, to attract a broad user base. When unsuspecting individuals download these seemingly legitimate installers, they unknowingly introduce the proxyware onto their systems.
According to ASEC analysts, who identified and reported on this campaign, the attackers are employing evolving tactics to evade security measures. Initially relying on .NET-based malware, the threat actor has shifted to using C++ and Python variants. This progression is coupled with advanced injection techniques that target the Windows Explorer process, a core component of the Windows operating system responsible for managing the graphical interface and file system operations. By injecting malicious code into explorer.exe, the malware can operate with a higher level of privilege and stealth, making it more difficult to detect and remove.
The infection chain is initiated when a user downloads the deceptive Notepad++ installer. This downloaded package contains malicious DLL (Dynamic Link Library) files that leverage DLL side-loading techniques. This method tricks legitimate applications into loading malicious DLLs, allowing the malware to execute its payload. The malware then proceeds to inject shellcode into legitimate Windows processes. Subsequently, it deploys PowerShell scripts to install the runtime components its loaders depend on, such as NodeJS or Python. Multiple obfuscated loader files are created to manage the malware’s operations, communicating with command-and-control servers to retrieve instructions and install the proxyware modules that ultimately exploit the victim’s network connections.
Infection Mechanism and Persistence Strategies of Proxyware Malware
The proxyware malware employs two main distribution variants to infect systems: Setup.msi and Setup.zip. The MSI variant is designed to install a C++-based DLL which then registers itself in the Windows Task Scheduler. This entry is often given a seemingly innocuous name like “Notepad Update Scheduler,” and its execution is triggered via Rundll32.exe, a legitimate Windows utility used to run code from DLLs. This persistence mechanism ensures that the malware can relaunch itself even after the system reboots.
Once executed, this DLL injects shellcode into the AggregatorHost.exe process. This shellcode then generates a PowerShell script with the primary purpose of installing NodeJS on the compromised system. Following this, it creates obfuscated JavaScript malware files, commonly referred to as DPLoader. To further evade detection by antivirus software, the script manipulates Windows Defender policies. This includes adding exclusion paths to prevent scanning of malicious files, disabling security notifications to avoid alerting the user, and preventing the submission of malware samples to security vendors for analysis.
The ZIP variant presents a different but equally effective infection method. It contains both a Setup.exe file and a malicious loader named TextShaping.dll. When a user launches the Setup.exe, the malicious TextShaping.dll is automatically loaded and executed through DLL side-loading. This loader then decrypts embedded shellcode, which deploys a dropper directly into the system’s memory, bypassing the need to write potentially detectable files to disk. The dropper proceeds to install Python from official sources, creates a Python-based variant of DPLoader, and establishes a VBScript launcher within the Task Scheduler for persistent execution. Ultimately, the malware injects its final payload into the explorer.exe process, where the DigitalPulse proxyware then operates as an obfuscated program written in the Go programming language.
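The persistence and evasion steps described above (a Rundll32-launched scheduled task, a VBScript launcher task, Defender exclusion paths, suppressed notifications and disabled sample submission) all leave traces in host configuration that a defender can triage. The Python below is an added example, not code from ASEC or the article: it runs those checks over constructed records shaped like an export of scheduled tasks and Defender preferences. The record keys (name, exe, args, ExclusionPath, SubmitSamplesConsent, Notification_Suppress) and all sample paths are assumptions made for the example.

```python
import re

# Hosts that run a payload living in a DLL or script rather than in an EXE of its own.
SCRIPT_HOSTS = {"rundll32.exe", "wscript.exe", "cscript.exe", "mshta.exe", "regsvr32.exe"}
# Locations an ordinary user can write to; persistence pointing here deserves a look.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.I)

# Constructed sample records (hypothetical, not taken from the campaign).
SCHEDULED_TASKS = [
    {"name": "Notepad Update Scheduler", "exe": r"C:\Windows\System32\rundll32.exe",
     "args": r"C:\Users\alice\AppData\Roaming\NppUpdate\update.dll,Run"},
    {"name": "PyLauncher", "exe": r"C:\Windows\System32\wscript.exe",
     "args": r"C:\Users\alice\AppData\Local\Temp\launch.vbs"},
    {"name": "Control Panel Helper", "exe": r"C:\Windows\System32\rundll32.exe",
     "args": r"C:\Windows\System32\shell32.dll,Control_RunDLL"},   # benign: system path
    {"name": "MicrosoftEdgeUpdateTaskMachineCore", "args": "/c",
     "exe": r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"},
]
DEFENDER_PREFS = {
    "ExclusionPath": [r"C:\Users\alice\AppData\Roaming\NppUpdate", r"C:\Program Files\SQLServer"],
    "SubmitSamplesConsent": 2,      # 2 = never send samples to the vendor
    "Notification_Suppress": 1,     # policy value that hides Defender notifications
}

def is_user_writable(path):
    return bool(USER_WRITABLE.search(path))

def triage_task(task):
    """Return a finding if a script host runs a payload from a user-writable path, else None."""
    host = task["exe"].rsplit("\\", 1)[-1].lower()
    if host not in SCRIPT_HOSTS or not is_user_writable(task["args"]):
        return None
    return f"task '{task['name']}': {host} loads payload from user-writable path {task['args']}"

def triage_defender(prefs):
    """Return findings for exclusion, sample-submission and notification tampering."""
    findings = [f"exclusion covers user-writable path {p}"
                for p in prefs.get("ExclusionPath", []) if is_user_writable(p)]
    if prefs.get("SubmitSamplesConsent") == 2:
        findings.append("sample submission to vendor disabled")
    if prefs.get("Notification_Suppress") == 1:
        findings.append("Defender notifications suppressed by policy")
    return findings

def triage(tasks, prefs):
    return [f for f in map(triage_task, tasks) if f] + triage_defender(prefs)

if __name__ == "__main__":
    for finding in triage(SCHEDULED_TASKS, DEFENDER_PREFS):
        print(finding)
```

On a live host the same rules apply to the output of Get-ScheduledTask and Get-MpPreference; a hit is a starting point for review, not proof of infection.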
The continued refinement of these infection and persistence strategies highlights the adaptive nature of cyber threats. Users are advised to exercise extreme caution when downloading software, especially from unofficial sources. Sticking to official websites and trusted download platforms is crucial to avoid becoming a victim of such proxyware attacks. The ongoing evolution of these malicious techniques underscores the need for robust cybersecurity practices and constant vigilance in the digital landscape.