October 6, 2022

TheCyberThrone

Thinking Security ! Always

Malicious Notepad++ plugins enables persistence

Researchers have revealed that threat actors may abuse Notepad++ plugins to bypass security mechanism and achieve persistence on their victim machine.

A security researcher that goes by the name RastaMouse was able to demonstrate how to build a malicious plugin that can be used as a persistence mechanism,” in an advisory.

Advertisements

The plugin pack itself is just a .NET package for Visual Studio that provides a basic template for building plugins. APT groups have leveraged Notepad++ plugins for nefarious purposes in the past.

StrongPity APT group is known to leverage a legitimate Notepad++ installer accompanied with malicious executables, allowing it to persist after a reboot on a machine.This backdoor enables this threat actor to install a keylogger on the machine and communicate with a C2 server to send the output of this software.

Using the C# programming language, the security experts created a dynamic link library (DLL) running a PowerShell command on the first initial press of any key inside Notepad++. 

Executing Notepad++ as ‘administrator’ and re–ran the payload, effectively managing to achieve administrative privileges on the affected system.

Advertisements

To mitigate this threat, the security experts said companies should monitor unusual child processes of Notepad++ and pay special attention to shell product types.

This research was documented by researchers from Cybereason

Indicators of Compromise

Npp_Persistence_Plugin.dll 90BC7FA90705148D8FFEEF9C3D55F349611905D3F7A4AD17B956CD7EE7A208AF

%d bloggers like this: