Hackers Hijacked Notepad++ Plugin to Execute Malicious Code

The AhnLab Security Intelligence Center (ASEC) has detected a sophisticated cyberattack targeting users of the popular text and code editor, Notepad++.

Hackers have successfully altered a default plugin shipped in the Notepad++ package, potentially compromising every system on which the tampered package is installed.

The plugin in question, "mimeTools.dll," is a standard component of Notepad++ that provides encoding functionalities, such as Base64.

It is automatically included and loaded when Notepad++ is run, which the attackers have exploited to their advantage.

By altering the mimeTools.dll file, they disguised the malicious code as a legitimate part of the Notepad++ package.

Malicious vs Official Package

This type of attack, known as DLL Hijacking, takes advantage of the plugin's automatic loading to execute the embedded malicious code without the user's knowledge.


Attack Flow

Launching the Notepad++.exe file triggers the loading of the compromised mimeTools.dll, activating the hidden malware.

The attackers embedded encrypted malicious shellcode in the altered package, together with the code inside mimeTools.dll that is needed to decrypt and execute it.

ASEC's investigation revealed that the file named "certificate.pem" within the altered package contains the malicious shellcode.

Despite the infection, the plugin's original functionalities remain intact, with only the DllEntryPoint showing altered code.

This means that the malicious activities begin when the DLL is loaded, regardless of whether the user attempts to use any specific plugin feature.

Execution Flow

The execution flow of the malware is as follows: upon running Notepad++, the infected mimeTools.dll is loaded, which then decrypts and executes the shell code from the certificate.pem file.

Subsequent stages of the attack involve further decryption and execution of additional shell code, facilitated by communication with a command and control (C2) server.

The C2 server, initially disguised as a Wiki site (giving rise to the malware's nickname "WikiLoader"), has since been found to display a WordPress login page.

At the time of analysis, the additional shellcode at the specified offset in the C2 server's response was empty.

However, the potential for further malicious activities remains a significant concern.

The URLs of the C2 server are still accessible, indicating that the threat actors could update the payload or change their tactics at any time.

The discovery of this malware serves as a stark reminder of the importance of downloading software exclusively from official distribution sites.

Users are urged to exercise extreme caution when dealing with cracked versions or software from unknown sources.

ASEC has provided the following indicators of compromise (IoCs) for users to check their systems:

  • MD5 hashes of the compromised package files and individual components.
  • The URLs of the C2 server involved in the attack.

The security community is actively working to address this threat, and users of Notepad++ are strongly advised to verify their installations' integrity and update their software from the official Notepad++ website.

It is also recommended that a complete system scan be run using a reputable antivirus program to ensure no remnants of the malware remain.
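As an added example (not part of the article or of ASEC's tooling), the triage script below turns the indicators described above into a local integrity check: it walks a Notepad++ installation, flags a mimeTools.dll whose hash is not in a known-good allowlist, flags any file whose MD5 matches a published IoC, and flags the presence of the certificate.pem carrier file. The hash values in it are labelled placeholders, and the package layout built by `demo()` is constructed for illustration.

```python
"""Triage a Notepad++ install for the trojanised mimeTools.dll described in the article.
Heuristics are taken from the write-up: an altered mimeTools.dll and a certificate.pem
file carrying the encrypted shellcode. Hash values below are PLACEHOLDERS."""
import hashlib
import tempfile
from pathlib import Path

# PLACEHOLDERS: fill KNOWN_BAD_MD5 from the ASEC IoC list and KNOWN_GOOD_MIMETOOLS_SHA256
# from a clean official package. The strings here are constructed dummies, not real hashes.
KNOWN_BAD_MD5 = {"0" * 32}
KNOWN_GOOD_MIMETOOLS_SHA256 = {"0" * 64}
# certificate.pem is the carrier of the encrypted shellcode in the trojanised package.
CARRIER_FILENAMES = {"certificate.pem"}

def file_digests(path: Path) -> tuple:
    """Return (md5, sha256) hex digests of a file, reading it in chunks."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()

def triage(install_dir: str) -> list:
    """Walk an install directory and return (severity, relative path, reason) findings."""
    root = Path(install_dir)
    findings = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        md5, sha = file_digests(p)
        if md5 in KNOWN_BAD_MD5:
            findings.append(("high", rel, "MD5 matches a published IoC"))
        if p.name.lower() == "mimetools.dll" and sha not in KNOWN_GOOD_MIMETOOLS_SHA256:
            findings.append(("high", rel, "mimeTools.dll does not match the official build"))
        if p.name.lower() in CARRIER_FILENAMES:
            findings.append(("medium", rel, "shellcode carrier file name present"))
    return findings

def demo() -> list:
    """Build a constructed package layout (stand-in bytes, not malware) and triage it."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "plugins" / "mimeTools").mkdir(parents=True)  # assumed plugin folder layout
    (tmp / "plugins" / "mimeTools" / "mimeTools.dll").write_bytes(b"MZ constructed stand-in")
    (tmp / "certificate.pem").write_bytes(b"constructed opaque blob")
    (tmp / "notepad++.exe").write_bytes(b"MZ constructed stand-in exe")
    return triage(str(tmp))

if __name__ == "__main__":
    for sev, path, why in demo():
        print(f"[{sev}] {path}: {why}")
```

Point `triage()` at a real install path to check it; an empty result only means the placeholders did not fire, so populate the allowlist and IoC set before relying on it.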

This incident underscores the ever-evolving nature of cyber threats and the need for constant vigilance in the digital age. Users and organizations must stay informed and adopt robust security practices to protect against such insidious attacks.

The post Hackers Hijacked Notepad++ Plugin to Execute Malicious Code appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.