Trojanized open-source software is tricky to spot. This is because it takes on the façade of legitimate, non-malicious software, making it especially stealthy and useful for targeted attacks. However, a closer investigation can reveal suspicious behavior that exposes their malicious intent.

How are open-source software trojanized? How can we detect them? To answer these questions, let us walk through a recent investigation we conducted that involved this file type.

The investigation

In our analysis of an incident, we found a file named notepad.exe sticking like a sore thumb. As most already know, Notepad is a well-known legitimate application. However, some malware authors camouflage malicious files by using the name of legitimate software such as notepad.exe to evade detection.

Fig-1-Telemetry-Data — Figure 1. Telemetry data showing the suspicious notepad.exe file

The notepad.exe file was dropped through ntoskrnl.exe, short for Windows NT operating system kernel executable. This was done by either exploiting ntoskrnl.exe or via network shares. Based on the telemetry data we obtained, it’s most probably the latter. Performing Root Cause Analysis (RCA) shows that this malicious notepad.exe file has done suspicious actions by calling the following tools:

Executable File	Function
ipconfig.exe	gets Windows IP Configuration
net.exe	enumerates local and global groups in the domain lists the settings of server and workstation service identifies all the shares on the local machine and in the domain names user local and domain user accounts
reg.exe	dumps import registry keys/entries to a file
systeminfo.exe	gathers operating system configuration information for a local or remote machine, including service pack levels
tasklist.exe	gets a list of currently running processes on either a local or remote machine

Table 1. Executable file names and functions

The notepad.exe file’s link to these processes and their functions indicates that the file is a typical backdoor that gets commands from a malicious remote user. However, something caught our attention. The details listed in the file properties of notepad.exe show this:

Fig-2-Notepad-properties — Figure 2. Notepad.exe properties

The file description, product name, and original filename mention Notepad++, an open-source software used as a source code editor. It can also be observed that some of the file’s details are dubious. For example, Notepad++ files are usually named as “notepad++.exe” and not “notepad.exe” as seen in this sample. The version — v7.8.6 released in April — is also old; as of writing, the latest version is v7.9.1, released in early November.

Executing the file in question shows this:

Fig-3-Executed-notepad — Figure 3. Executed notepad.exe file

The user interface of the file looks and functions convincingly like a typical legitimate Notepad++ file. An initial look reveals nothing suspicious. But in terms of behavior, we discovered that the sample does something that a non-malicious Notepad++ won’t do: it searches for a file named config.dat located in c:\windows\debug folder. This behavior is notable as the said file figures in the analysis of the sample’s code.

Fig-4-config-file — Figure 4. Searching for config.dat file

Code analysis

Decompiling the code of this malicious Notepad++ file shows the following code:

Fig-5-Code-snippet-malicious-notepad — Figure 5. Code snippet of the malicious Notepad++ file

The code snippet taken from a typical non-malicious Notepad++ file is shown below:

Fig-6-Code-snippet-non-malicious-notepad — Figure 6. Code snippet of a typical non-malicious Notepad++ file

These code snippets bear many similarities. However, the malicious Notepad++ file has additional code that loads an encrypted blob file (config.dat) that decrypts the code and executes it in the memory so it can perform its backdoor routines. This reminds us of some older malware types like PLUGX.

We observed two instances using the same loader but delivering different payloads. One of the payloads is detected as TrojanSpy.Win32.LAZAGNE.B, while the other is detected as Ransom.Win32.EXX.YAAK-B (Defray ransomware). Further investigation also revealed other blob files with the same loader which lead to different payloads.

We suspect that the file in this incident got into the organization through a targeted watering hole attack. After the initial machine was infected, propagating the malicious notepad++ and config.dat via admin shares would be easy. The notepad.exe file that we investigated came from malicious sources and are not associated with official distributing sites of Notepad and Notepad++.exe.

Weaponizing open-source software

Due to its uncanny resemblance to a legitimate Notepad++ file, the analyzed sample can be easily mistaken as a non-malicious file, especially by employees with limited technical know-how. Threat actors achieved this disguise by trojanizing open-source software. Notepad++’s source code is available publicly; thus, anyone (including malware authors) can access it.

Threat actors can look for open source code of widely-used software and trojanize it by adding malicious code that can perform functions like loading an encrypted blob file. This means that most of the resulting file’s binary code is outright non-malicious, and the malicious code simply loads a file, an activity that does not seem to be too suspicious. Additionally, encrypted blob files don’t have file headers. These make it difficult for antimalware solutions, including AI/ML-based ones and those that only focus on a single protection layer, to detect. To block these types of threats, solutions that grant visibility across layers would be helpful, as security teams can use them to correlate data and behavior within the environment.

Recommendations

Users should only download files, applications, and software (such as open-source software) from trusted and legitimate sources to avoid these types of threats. For example, Notepad++ users can download relevant files from their official website. Enterprises can create and disseminate a list of approved downloading sites to their employees. As a further security measure, companies can also require the approval of IT teams before employees can install any software on office devices. For security and IT Teams, it is also strongly recommended to validate the downloaded binary with checksums, as good open source projects maintain checksums of their official released binaries.

We also recommend Trend Micro™ XDR, which collects and correlates data across endpoints, emails, cloud workloads, and networks, providing better context and enabling investigation in one place. This, in turn, allows teams to detect advanced and targeted threats earlier.

Indicators of Compromise

File name	SHA-256	Trend Micro Pattern Detection	Trend Micro Machine Learning Detection
notepad.exe (malicious, non-legitimate file named as such)	bacc02fd23c4f95da0fbc5c490b1278d327fea0878734ea9a55f108ef9f4312e	Trojan.Win32.VATET.SM	BKDR.Win32.TRX.XXPE50FFF038E0002
config.dat	64ba94000e2815898fb17e93deaa44ac0e1b4c55316af727b908dfe74c3b7ef6	Trojan.Win32.VATET.ENC	N/A
config.dat	33234dc94d926f1fc2831f40e27080739b415d485aa457d14a83617a3996089b	Trojan.Win32.VATET.ENC	N/A
release.exe	09c99e37121722dd45a2c19ff248ecfe2b9f1e082381cc73446e0f4f82e0c468	TrojanSpy.Win32.LAZAGNE.B	Troj.Win32.TRX.XXPE50FFF038
virus2.dll	1c3331b87dc55a8cc491846f2609d6226f66eb372716df349567ed619dd1b731	Ransom.Win32.EXX.YAAK-B	Troj.Win32.TRX.XXPE50FFF038

Other related hashes:

SHA-256	Trend Micro Patten Detection	Trend Micro Machine Learning Detection
0b42bf15b77cfe9f9e693f2776691647e78a91be27f5bdb8d1a366be510a773f	Trojan.Win32.VATET.A	Troj.Win32.TRX.XXPE50FFF038
10c4067908181cebb72202d92ff7a054b19ef3aada939bf76178e35be9506525	Trojan.Win32.VATET.A	BKDR.Win32.TRX.XXPE50FFF038E0002
19938becb018e3459b49381c7efffabbe44a6450362b769ba85a3f1240b068d0	Trojan.Win32.VATET.A	Troj.Win32.TRX.XXPE50FFF038
2f149a79f721bb78eb956f70183b531fb6a1b233ceb4a3d6385759a0b0c16fd3	Trojan.Win32.VATET.SM	Troj.Win32.TRX.XXPE50FFF038
37e8d3ae4c34441b30098d7711df8ef0bcc12c395f265106b825221744b956bc	Trojan.Win32.VATET.A	BKDR.Win32.TRX.XXPE50FFF038E0002
382d9bf5da142d44de5fda544de4fffe2915a3ffc67964b993f3c051aa8c2989	Trojan.Win32.VATET.SM	BKDR.Win32.TRX.XXPE50FFF038E0002
42f5f1b08c9cee876bafdb6dc4188e8e29d26a07951e1083e08e2a4b0cb6d0ff	Trojan.Win32.VATET.SM	BKDR.Win32.TRX.XXPE50FFF038E0002 (GENERIC: Hit Bad Auto Shield)
4421720e0321ac8b3820f8178eb8a5ff684388438b62c85f93df9743a1d9fdb9	Trojan.Win32.VATET.SM	BKDR.Win32.TRX.XXPE50FFF038E0002
4fb94877cc150f591e5b61dc5641f33e93e67ae1912c2e122e7ef2a236046f1a	Trojan.Win32.VATET.A	BKDR.Win32.TRX.XXPE50FFF038E0002
52d3ebe824ad60a939d64e73336e790884e3674b2d22dbe6e3c6b22061124161	Trojan.Win32.VATET.SM	n/a
57eea67e3eebde707c3fb3473a858e7f895ae12aad37cc664f9c0512c0382e6a	Trojan.Win32.VATET.SM	Troj.Win32.TRX.XXPE50FFF038
6ac07424e5c9b87d76645aa041772ac8af12e30dc670be8adf1cf9f48e32944b	Backdoor.Win32.VATET.CFH	BKDR.Win32.TRX.XXPE50FFF038E0002
bacc02fd23c4f95da0fbc5c490b1278d327fea0878734ea9a55f108ef9f4312e	Trojan.Win32.VATET.SM	BKDR.Win32.TRX.XXPE50FFF038E0002
ea6c3b993d830319b08871945cf2726dd6d8e62e8fed8fc42bcb053c38c78748	Trojan.Win32.VATET.SM	BKDR.Win32.TRX.XXPE50FFF038E0002
e5ce1c1b69bd12640c604971be311f9544adb3797df15199bd754d3aefe0a955	Trojan.Win32.VATET.A	BKDR.Win32.TRX.XXPE50FFF038E0002
ef7e21d874a387f07a9f74f01f2779a280ff06dff3dae0d41906d21e02f9c975	Trojan.Win32.VATET.SM	BKDR.Win32.TRX.XXPE50FFF038E0002
f0a25444cf58b61ff6cdd86ff1cfa53a51ad426817a33bd0e098f4f0ff286f22	Trojan.Win32.VATET.SM	BKDR.Win32.TRX.XXPE50FFF038E0002

Weaponizing Open Source Software for Targeted Attacks

The investigation

Code analysis

Weaponizing open-source software

Recommendations

Indicators of Compromise

Authors

Resources

Support

About Trend

Resources

Support

About Trend

The Americas

Middle East & Africa

Europe

Asia & Pacific