Attack Chain

1. The user installs Notepad++ on their Windows system.
2. The gup.exe updater component, located within the Notepad++ installation directory, is executed to check for updates.
3. The updater connects to the Notepad++ update server to retrieve update information.
4. An attacker compromises the update server or performs a man-in-the-middle attack.
5. The compromised update server provides malicious instructions to gup.exe.
6. gup.exe creates a malicious executable or script in an unexpected location, such as the user’s temporary directory outside of normal update procedures.
7. The malicious file is executed, leading to further compromise such as installing a backdoor or stealing credentials.
8. The attacker gains initial access to the system and can perform collection and credential access.

Impact

A successful attack exploiting the Notepad++ updater can lead to the installation of malware, such as backdoors, allowing attackers to gain persistent access to the compromised system. This can lead to data theft, credential compromise, and further lateral movement within the network. The number of potential victims depends on the scope of the compromised update server or the success of the man-in-the-middle attack. Historically, supply chain attacks targeting widely used software have impacted thousands of users.

Recommendation

• Deploy the Sigma rule “Notepad++ Updater (gup.exe) Creates Uncommon Files” to your SIEM and tune for your environment. This rule detects file creation events by gup.exe in suspicious locations (see rule configuration).
• Monitor file_event logs for unusual file creation events initiated by gup.exe using the specified logsource.
• Implement network monitoring to detect and prevent man-in-the-middle attacks against the Notepad++ update server.