
Researchers have revealed that threat actors may abuse Notepad++ plugins to bypass security mechanism and achieve persistence on their victim machine.
A security researcher that goes by the name RastaMouse was able to demonstrate how to build a malicious plugin that can be used as a persistence mechanism,” in an advisory.
The plugin pack itself is just a .NET package for Visual Studio that provides a basic template for building plugins. APT groups have leveraged Notepad++ plugins for nefarious purposes in the past.
StrongPity APT group is known to leverage a legitimate Notepad++ installer accompanied with malicious executables, allowing it to persist after a reboot on a machine.This backdoor enables this threat actor to install a keylogger on the machine and communicate with a C2 server to send the output of this software.
Using the C# programming language, the security experts created a dynamic link library (DLL) running a PowerShell command on the first initial press of any key inside Notepad++.
Executing Notepad++ as ‘administrator’ and re–ran the payload, effectively managing to achieve administrative privileges on the affected system.
To mitigate this threat, the security experts said companies should monitor unusual child processes of Notepad++ and pay special attention to shell product types.
This research was documented by researchers from Cybereason
Indicators of Compromise
Npp_Persistence_Plugin.dll 90BC7FA90705148D8FFEEF9C3D55F349611905D3F7A4AD17B956CD7EE7A208AF