Michael Grafl

Non-malware schizos asking about why the Notepad++ malware payload was so interesting. Okay, we'll discuss it without getting too schizo. First, Rapid7 (and other various Cyber Threat Intelligence vendors) seem to generally attribute the Notepad++ compromise to Chinese APT group "Lotus Bloom". They attribute it to Lotus Blossom because they tend to recycle code segments to save time. Basically, fingerprints. Lotus Blossom is the invented name intelligence organizations have assigned to a group of Chinese government sponsored hackers. Their true identity is unknown, but speculative. It is not one person, it is likely a group of unknown size, it could two people, it could 15 people. Lotus Blossom has been active since 2009 (or so they speculate). Lotus Blossom are not noobs who do hacker noob stuff. Lotus Blossom is assigned high-profile tasks. Lotus Blossom does extremely specific targets, most notably they are instructed by the Chinese government to hack government institutions, telecom companies, aviation companies, and critical infrastructure (nuclear power plants, electrical power grids, hydroelectric dams, etc) in Southeast Asia and Central America. When Lotus Blossom targeted Notepad++, and users in specific regions (presumably Southeast Asia and Central America) attempted to do an update it delivered "Chrysalis Backdoor". Chrysalis Backdoor is the name intelligence companies invented and now call this malware. Chrysalis Backdoor used a lot of really common malware techniques which truthfully I won't go too much into (API hashing, custom implementations of GetProcAddress, malware nerd stuff). However, what makes this malware very special is it's usage of Microsoft Warbird. Microsoft Warbird is a proprietary technology which is rarely discussed. It is an internal library Microsoft uses to obfuscate it's instruction set in-memory. In other words, it's Microsoft really fancy custom way of preventing people from reverse engineering what Windows is doing when it's running. Unknown to me personally (and a lot of people apparently), in the past few years (2023) some security researchers have discovered ways to discretely use Microsoft Warbird and use it as a weapon. Basically, you can use undocumented APIs in Windows to use Warbird for your malware. This provides a way to hide what your malicious code is doing while it's running without needing any external tooling or custom implementations. They're weaponizing Microsoft's anti-tampering and/or anti-reverse engineering technology for malicious purposes. This is extremely impressive because it shows: 1. Lotus Blossom pays close attention to really talented security researchers or... 2. Lotus Blossom has really good security researchers on payroll Both are totally possible. The remainder of the Lotus Blossom tooling is fairly generic malware stuff and isn't too terribly impressive. Lotus Blossom (unironically) did a very good job hijacking Notepad++ update infrastructure and weaponizing Microsoft's anti-tampering technology (Warbird).