Skip to content
Threat Feed
medium advisory

Notepad++ Updater Querying Uncommon Domains

The Notepad++ updater, gup.exe, makes DNS queries to domains not part of the legitimate update infrastructure, potentially indicating updater mechanism exploitation or suspicious network activity.

The Notepad++ updater (gup.exe) is designed to check for and install the latest versions of the Notepad++ software. A potential compromise of this updater mechanism could lead to supply chain attacks. This brief focuses on detecting instances where the Notepad++ updater makes DNS queries to domains outside the expected legitimate update infrastructure. This activity may indicate that the updater has been compromised and is being used to download or communicate with malicious resources. It is crucial for defenders to monitor for such anomalies, as a compromised updater can be a stealthy way for attackers to gain a foothold in the system. Identifying these unusual DNS queries allows for early detection and mitigation of potential threats.

Attack Chain

  1. The attacker compromises the Notepad++ update mechanism (gup.exe).
  2. A user launches Notepad++, triggering the updater (gup.exe) to run.
  3. The compromised gup.exe initiates a DNS query to a malicious domain (e.g., a domain ending in .azurewebsites.net).
  4. The DNS query resolves to an attacker-controlled server.
  5. The compromised gup.exe connects to the attacker-controlled server via HTTP/HTTPS.
  6. The attacker delivers a malicious payload disguised as an update.
  7. The compromised gup.exe executes the malicious payload.
  8. The malicious payload performs actions such as data collection or credential theft.

Impact

A compromised Notepad++ updater can lead to a supply chain attack, impacting any system where Notepad++ is installed. The attackers can leverage this access to deploy malware, steal credentials, or exfiltrate sensitive information. Due to the popularity of Notepad++, a successful attack could potentially affect a large number of users and organizations. This can lead to significant data breaches, financial losses, and reputational damage.

Recommendation

  • Deploy the Sigma rule Notepad++ Updater DNS Query to Uncommon Domains to your SIEM to identify suspicious DNS queries originating from gup.exe (logsource: dns_query, product: windows).
  • Investigate any alerts generated by the Sigma rule and validate the legitimacy of the queried domain.
  • Monitor network traffic from systems running Notepad++ for connections to uncommon domains, specifically those ending with .azurewebsites.net, block.opendns.com, or gateway.zscalerthree.net.
  • Implement network-level blocking for known malicious domains identified in investigations.

Detection coverage 2

Notepad++ Updater DNS Query to Uncommon Domains

medium

Detects when the Notepad++ updater (gup.exe) makes DNS queries to domains that are not part of the known legitimate update infrastructure.

sigma tactics: collection, credential-access, initial-access techniques: T1195.002, T1557 sources: dns_query, windows

Notepad++ gup.exe DNS Queries to Uncommon Domains - Shorter Rule

medium

Detects when the Notepad++ updater (gup.exe) makes DNS queries to uncommon domains.

sigma tactics: collection, credential-access, initial-access techniques: T1195.002, T1557 sources: dns_query, windows

Detection queries are available on the platform. Get full rules →