Chinese users searching for legitimate software like Notepad++ and VNote on Baidu are encountering a perilous landscape of malicious ads and bogus links. These deceptive tactics aim to distribute trojanized versions of the software, ultimately deploying Geacon, a variant of the infamous Cobalt Strike. Kaspersky researchers uncovered the insidious operation, highlighting deceptive websites such as vnote.fuwenkeji[.]cn, which lure users into downloading disguised packages that compromise their systems.
The fraudulent websites masquerade as legitimate sources, with URLs containing references to Notepad++ or VNote while actually distributing modified installers. Despite the apparent legitimacy of some download links pointing to the official Gitee repository, the reality is grim, as these packages contain malware. Moreover, the malicious activity extends beyond Notepad++ and VNote, with similar fake websites posing as sources for other software, leading users to download potentially harmful packages.
An analysis of the trojanized installers reveals their capability to retrieve further payloads from remote servers, facilitating extensive control over compromised systems. The Geacon backdoor exhibits a range of functionalities, including creating SSH connections, file operations, accessing clipboard content, and even taking screenshots. This sophisticated malware underscores the evolving threat landscape, with malvertising campaigns becoming increasingly adept at delivering various forms of malware, including the FakeBat malware disguised as popular software like Microsoft OneNote, Notion, and Trello.
In light of these developments, users are urged to exercise caution when downloading software from unfamiliar sources and remain vigilant against deceptive tactics employed by malicious actors. Collaborative efforts from cybersecurity researchers and industry stakeholders are crucial in combating such threats and safeguarding users from falling victim to malware attacks propagated through deceptive advertising tactics.
