Analysts from the Cybereason GSOC team have examined a unique method that makes use of Notepad++ plugins to evade and persist against security safeguards on a computer.
This report, called Threat Analysis, is a part of a series titled "Purple Team Series" which analyzes current attack methods, how hackers use them, and how to spot when they are being utilized.
Threat Analysis Reports are published by the Cybereason Global Security Operations Center (GSOC) Team to provide information on emerging threats. These risks are examined in the Threat Analysis Reports, which also offer useful advice for defending against them.
Plugins are merely modules that are created specifically using programming languages like C# or installed from the community-maintained approved list. The %PROGRAMFILES%Notepad++plugins directory is where these plugins are kept.
Threat Analysis
The organization stated in an advisory on Wednesday that a security researcher going by the moniker of RastaMouse successfully showed how to create a malicious plugin that can be used as a persistence mechanism using the open-source project Notepad++ Plugin Pack.
The plugin bundle alone is essentially a Visual Studio.NET package that offers a simple framework for creating plugins. However, advanced persistent threat (APT) organizations have in the past used Notepad++ plugins for evil.
According to the Cybereason advice, "The APT group StrongPity is known to exploit a genuine Notepad++ installer accompanied by malicious executables, enabling it to remain after a reboot on a PC."
The Cybereason team examined the Notepad++ plugin loading process and created an attack scenario based on it for their advisory.
A custom Notepad++ command can be activated by using the SCI ADDTEXT API in tandem with Notepad++. Researchers developed a DLL in C# that, upon pressing any key inside Notepad++ for the first time, will execute a PowerShell command.
The PowerShell command will run a Meterpreter payload in an expert attack scenario. To ensure that the availability of our C2 would not be impacted by repeated connection attempts, researchers set this to just run once.
According to the company, in their "attack scenario, the PowerShell command will execute a Meterpreter payload."
Cybereason successfully obtained administrative access to the compromised system by running Notepad++ as "administrator" and re-running the payload. Static analysis methods were able to extract signs such as the binary's architecture, compilation time, and programming language.
As a preventive measure, the Cybereason GSOC advises turning on the Detect and Prevent modes of the Anti-Malware feature on the Cybereason NGAV. Furthermore, security experts advised businesses to keep an eye on Notepad++'s odd child processes and pay attention to shell content kinds to mitigate the hazard.
