Friday, October 11, 2024
Homecyber securityHackers Hijacked Notepad++ Plugin to Execute Malicious Code

Hackers Hijacked Notepad++ Plugin to Execute Malicious Code

Published on

Malware protection

The AhnLab Security Intelligence Center (ASEC) has detected a sophisticated cyberattack targeting users of the popular text and code editor, Notepad++.

Hackers have successfully manipulated a default plugin within the Notepad++ package, potentially compromising the security of countless systems.

The plugin in question, “mimeTools.dll,” is a standard component of Notepad++ that provides encoding functionalities, such as Base64.

- Advertisement - SIEM as a Service

It is automatically included and loaded when Notepad++ is run, which the attackers have exploited to their advantage.

Free Webinarfor DIFR/SOC Teams: Securing the Top 3 SME Cyber Attack Vectors - Register for Free

By altering the mimeTools.dll file, they disguised the malicious code as a legitimate part of the Notepad++ package.

Malicious vs Official Package

This type of attack, known as DLL Hijacking, takes advantage of the plugin’s automatic loading to execute the embedded malicious code without the user’s knowledge.

Document
Stop Advanced Phishing Attack With AI

AI-Powered Protection for Business Email Security

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Stopping 99% of phishing attacks missed by other email security solutions. .

Attack Flow

Launching the Notepad++.exe file triggers the loading of the compromised mimeTools.dll, activating the hidden malware.

The attackers have embedded encrypted malicious shell code within mimeTools.dll and the code necessary to decrypt and execute it.

ASEC’s investigation revealed that the file named “certificate.pem” within the altered package contains the malicious shell code.

Despite the infection, the plugin’s original functionalities remain intact, with only the DllEntryPoint showing altered code.

This means that the malicious activities begin when the DLL is loaded, regardless of whether the user attempts to use any specific plugin feature.

Execution Flow

The execution flow of the malware is as follows: upon running Notepad++, the infected mimeTools.dll is loaded, which then decrypts and executes the shell code from the certificate.pem file.

Communication with a command and control (C2) server facilitates further decryption and execution of additional shell code during subsequent stages of the attack.

The C2 server, initially disguised as a Wiki site—giving rise to the malware’s nickname “WikiLoader“—has since been found to display a WordPress login page.

At the time of analysis, the additional shell code at the specified offset in the C2 server’s response was empty.

However, the potential for further malicious activities remains a significant concern.

The URLs of the C2 server are still accessible, indicating that the threat actors could update the payload or change their tactics anytime.

The discovery of this malware serves as a stark reminder of the importance of downloading software exclusively from official distribution sites.

Users are urged to exercise extreme caution when dealing with cracked versions or software from unknown sources.

ASEC has provided the following indicators of compromise (IoCs) for users to check their systems:

  • MD5 hashes of the compromised package files and individual components.
  • The URLs of the C2 server involved in the attack.

The security community is actively working to address this threat, and users of Notepad++ are strongly advised to verify their installations’ integrity and update their software from the official Notepad++ website.

It is also recommended that a complete system scan be run using a reputable antivirus program to ensure no remnants of the malware remain.

This incident underscores the ever-evolving nature of cyber threats and the need for constant vigilance in the digital age. Users and organizations must stay informed and adopt robust security practices to protect against such insidious attacks.

Secure your emails in a heartbeat! To find your ideal email security vendo,Take Free 30-Second Assessment.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Threat Actor ProKYC Selling Tools To Bypass Two-Factor Authentication

Threat actors are leveraging a newly discovered deepfake tool, ProKYC, to bypass two-factor authentication...

Mozilla Warns Of Firefox Zero-Day Actively Exploited In Cyber Attacks

A critical use-after-free vulnerability affecting Firefox and Firefox Extended Support Release (ESR) is being...

SpyCloud Embeds Identity Analytics in Cybercrime Investigations Solution to Accelerate Insider and Supply Chain Risk Analysis & Threat Actor Attribution

IDLink, SpyCloud’s new automated digital identity correlation capability, is now core to its industry-leading...

Abusix and Red Sift Form New Partnership, Leveraging Automation to Mitigate Cyber Attacks

The agreement has marked over 600,000 fraudulent domains for takedown in just two months...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Threat Actor ProKYC Selling Tools To Bypass Two-Factor Authentication

Threat actors are leveraging a newly discovered deepfake tool, ProKYC, to bypass two-factor authentication...

Mozilla Warns Of Firefox Zero-Day Actively Exploited In Cyber Attacks

A critical use-after-free vulnerability affecting Firefox and Firefox Extended Support Release (ESR) is being...

Hackers Exploiting Zero-day Flaw in Qualcomm Chips to Attack Android Users

Hackers exploit a zero-day vulnerability found in Qualcomm chipsets, potentially affecting millions worldwide.The flaw,...