Notepad++ Updater Querying Uncommon Domains
The Notepad++ updater, gup.exe, makes DNS queries to domains not part of the legitimate update infrastructure, potentially indicating updater mechanism exploitation or suspicious network activity.
The Notepad++ updater (gup.exe) is designed to check for and install the latest versions of the Notepad++ software. A potential compromise of this updater mechanism could lead to supply chain attacks. This brief focuses on detecting instances where the Notepad++ updater makes DNS queries to domains outside the expected legitimate update infrastructure. This activity may indicate that the updater has been compromised and is being used to download or communicate with malicious resources. It is crucial for defenders to monitor for such anomalies, as a compromised updater can be a stealthy way for attackers to gain a foothold in the system. Identifying these unusual DNS queries allows for early detection and mitigation of potential threats.
Attack Chain
- The attacker compromises the Notepad++ update mechanism (gup.exe).
- A user launches Notepad++, triggering the updater (gup.exe) to run.
- The compromised gup.exe initiates a DNS query to a malicious domain (e.g., a domain ending in
.azurewebsites.net). - The DNS query resolves to an attacker-controlled server.
- The compromised gup.exe connects to the attacker-controlled server via HTTP/HTTPS.
- The attacker delivers a malicious payload disguised as an update.
- The compromised gup.exe executes the malicious payload.
- The malicious payload performs actions such as data collection or credential theft.
Impact
A compromised Notepad++ updater can lead to a supply chain attack, impacting any system where Notepad++ is installed. The attackers can leverage this access to deploy malware, steal credentials, or exfiltrate sensitive information. Due to the popularity of Notepad++, a successful attack could potentially affect a large number of users and organizations. This can lead to significant data breaches, financial losses, and reputational damage.
Recommendation
- Deploy the Sigma rule
Notepad++ Updater DNS Query to Uncommon Domainsto your SIEM to identify suspicious DNS queries originating fromgup.exe(logsource:dns_query, product:windows). - Investigate any alerts generated by the Sigma rule and validate the legitimacy of the queried domain.
- Monitor network traffic from systems running Notepad++ for connections to uncommon domains, specifically those ending with
.azurewebsites.net,block.opendns.com, orgateway.zscalerthree.net. - Implement network-level blocking for known malicious domains identified in investigations.
Detection coverage 2
Notepad++ Updater DNS Query to Uncommon Domains
mediumDetects when the Notepad++ updater (gup.exe) makes DNS queries to domains that are not part of the known legitimate update infrastructure.
Notepad++ gup.exe DNS Queries to Uncommon Domains - Shorter Rule
mediumDetects when the Notepad++ updater (gup.exe) makes DNS queries to uncommon domains.
Detection queries are available on the platform. Get full rules →