Hackers have manipulated a popular Notepad++ plugin, injecting malicious code that compromises users’ systems upon execution.
The AhnLab Security Intelligence Center (ASEC) researchers have revealed that the “mimeTools.dll” plugin, which is widely used, was modified to carry out the attack.
Notepad++, a text and source code editor favored by programmers and writers for its versatility and plugin support, became an unwitting vehicle for cybercriminals.
Malicious vs Legitimate Package
The altered package, which carries a modified “mimeTools.dll” (a default plugin component of Notepad++), was discovered masquerading as a legitimate Notepad++ distribution, deceiving users into downloading and installing the compromised version.
The mimeTools plugin, known for its encoding functionalities such as Base64, is automatically loaded when Notepad++ is launched. Attackers exploited this behavior using a technique known as DLL Hijacking.
When Notepad++.exe is launched, the “mimeTools.dll” file is automatically loaded, triggering the activation of the embedded malicious code, without any further user action.
The attackers ingeniously added encrypted malicious shellcode, together with the code that decrypts and executes it, to the “mimeTools.dll” file.
ASEC’s investigation highlighted a file named “certificate.pem” within the altered package as the container of the malicious shellcode.
Despite the manipulation, the plugin’s original functionalities remained intact, with only the DllEntryPoint code being altered. This stealthy approach ensures that the malicious activities commence the moment the DLL is loaded, unbeknownst to the user.
The execution flow of the malicious code begins with the launching of Notepad++ and the subsequent loading of the “mimeTools.dll.”
The DLL then decrypts and executes the shellcode contained in the “certificate.pem” file, initiating the attack.
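The execution flow above gives a defender two cheap things to look for on disk: files matching the MD5 values ASEC published, and a “certificate.pem” sitting next to mimeTools.dll in the plugins folder, which the genuine plugin has no reason to ship. The script below is an added example, not code from ASEC or the Notepad++ project; it scans a plugins directory for both signals, and the “no certificate.pem in the legitimate plugin folder” heuristic is an assumption of this example. The sample directory tree it builds contains harmless placeholder bytes, not the real files.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# MD5 values published in the ASEC write-up for the trojanized Notepad++ packages.
KNOWN_BAD_MD5 = {
    "c4ac3b4ce7aa4ca1234d2d3787323de2": "package npp.8.6.3.portable.x64.zip",
    "6136ce65b22f59b9f8e564863820720b": "mimeTools.dll",
    "fe4237ab7847f3c235406b9ac90ca845": "certificate.pem",
    "d29f25c4b162f6a19d4c6b96a540648c": "package npp.8.6.4.portable.x64.zip",
    "8b7a358005eff6c44d66e44f5b266d33": "mimeTools.dll",
    "d5ea5ad8678f362bac86875cad47ba21": "certificate.pem",
}

def md5_of(path):
    """MD5 of a file, streamed so large plugin DLLs are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_notepadpp_plugins(plugins_dir, known_bad=KNOWN_BAD_MD5):
    """Return (kind, path, detail) findings for a Notepad++ plugins directory.
    Check 1: any file whose MD5 matches a published IoC hash.
    Check 2: a certificate.pem beside mimeTools.dll, the shellcode carrier in the
    trojanized package (assumption: the genuine plugin ships no such file)."""
    findings = []
    for root, _dirs, files in os.walk(plugins_dir):
        root = Path(root)
        lowered = {name.lower() for name in files}
        if {"mimetools.dll", "certificate.pem"} <= lowered:
            findings.append(("suspicious-file", str(root / "certificate.pem"),
                             "certificate.pem sitting next to mimeTools.dll"))
        for name in files:
            digest = md5_of(root / name)
            if digest in known_bad:
                findings.append(("known-bad-hash", str(root / name),
                                 f"{digest} ({known_bad[digest]})"))
    return findings

def build_sample_tree():
    """Constructed sample (placeholder bytes, not real malware): one plugin folder
    with a fake mimeTools.dll plus certificate.pem, and one clean plugin folder."""
    base = Path(tempfile.mkdtemp(prefix="npp-scan-"))
    (base / "mimeTools").mkdir()
    (base / "mimeTools" / "mimeTools.dll").write_bytes(b"MZ placeholder plugin body")
    (base / "mimeTools" / "certificate.pem").write_bytes(b"placeholder, not a certificate")
    (base / "NppExport").mkdir()
    (base / "NppExport" / "NppExport.dll").write_bytes(b"MZ clean plugin body")
    return base
```

On a real host, point `scan_notepadpp_plugins` at the `plugins` folder of the Notepad++ installation (or of an unpacked portable zip) instead of the constructed sample tree.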
As cybercriminals continue to evolve their tactics, the cybersecurity community remains committed to uncovering and mitigating such threats, safeguarding users’ digital experiences.
IoC
File diagnosis
– Trojan/Win.WikiLoader.C5594131
– Trojan/Win.WikiLoader.R642896
– Trojan/Bin.ShellCode
[MD5]
– c4ac3b4ce7aa4ca1234d2d3787323de2 : package file (npp.8.6.3.portable.x64.zip)
– 6136ce65b22f59b9f8e564863820720b : mimeTools.dll
– fe4237ab7847f3c235406b9ac90ca845 : certificate.pem
– d29f25c4b162f6a19d4c6b96a540648c : package file (npp.8.6.4.portable.x64.zip)
– 8b7a358005eff6c44d66e44f5b266d33 : mimeTools.dll
– d5ea5ad8678f362bac86875cad47ba21 : certificate.pem