Search This Blog

Showing posts with label Payloads. Show all posts

Notepad++ Plugin Cyberattack Analysis

Analysts from the Cybereason GSOC team have examined a unique method that makes use of Notepad++ plugins to evade and persist against security safeguards on a computer.

This report, called Threat Analysis, is a part of a series titled "Purple Team Series" which analyzes current attack methods, how hackers use them, and how to spot when they are being utilized.

Threat Analysis Reports are published by the Cybereason Global Security Operations Center (GSOC) Team to provide information on emerging threats. These risks are examined in the Threat Analysis Reports, which also offer useful advice for defending against them.

Plugins are merely modules that are created specifically using programming languages like C# or installed from the community-maintained approved list. The %PROGRAMFILES%Notepad++plugins directory is where these plugins are kept.

Threat Analysis 

The organization stated in an advisory on Wednesday that a security researcher going by the moniker of RastaMouse successfully showed how to create a malicious plugin that can be used as a persistence mechanism using the open-source project Notepad++ Plugin Pack.

The plugin bundle alone is essentially a Visual Studio.NET package that offers a simple framework for creating plugins. However, advanced persistent threat (APT) organizations have in the past used Notepad++ plugins for evil.

According to the Cybereason advice, "The APT group StrongPity is known to exploit a genuine Notepad++ installer accompanied by malicious executables, enabling it to remain after a reboot on a PC."

The Cybereason team examined the Notepad++ plugin loading process and created an attack scenario based on it for their advisory.

A custom Notepad++ command can be activated by using the SCI ADDTEXT API in tandem with Notepad++. Researchers developed a DLL in C# that, upon pressing any key inside Notepad++ for the first time, will execute a PowerShell command.

The PowerShell command will run a Meterpreter payload in an expert attack scenario. To ensure that the availability of our C2 would not be impacted by repeated connection attempts, researchers set this to just run once.

According to the company, in their "attack scenario, the PowerShell command will execute a Meterpreter payload."

Cybereason successfully obtained administrative access to the compromised system by running Notepad++ as "administrator" and re-running the payload. Static analysis methods were able to extract signs such as the binary's architecture, compilation time, and programming language.

As a preventive measure, the Cybereason GSOC advises turning on the Detect and Prevent modes of the Anti-Malware feature on the Cybereason NGAV. Furthermore, security experts advised businesses to keep an eye on Notepad++'s odd child processes and pay attention to shell content kinds to mitigate the hazard.

Analysis of Cyberthreats Linked to Gaming Industry in 2022


In 2022, the global gaming industry will surpass $200 billion, with 3 billion players worldwide, predicts the analytical firm Newzoo. Such committed, solvent and eager-to-win viewers have become a bit of trivia for botnets, that always look for ways to deceive their victims. 

According to data gathered by Kaspersky between July 2021 and July 2022, dangerous files that propagated through the misuse of gaming brands were mostly related to Minecraft (25%), FIFA (11%), Roblox (9.5%), Far Cry (9.4%), and Call of Duty (9%).

In specific, the report reviewed the most widespread PC game–related threats and statics on miner breaches, attacks disguised as game frauds, and thefts. Also, it examined several most energetic malware groups, offering them detailed, in-depth features.

In aspects of annual dynamics, Kaspersky reveals seeing a decline in both the quantities of distribution (-30%) and the number of users (-36%) compared to 2020.

Further, in the first half of 2022, Kaspersky said those who witnessed a notable increase in the number of consumers threatened by schemes that can deceive secret info, with a 13% increase over the first half of 2021.

In the same period, hackers also amplified their attempts to expand Trojan–PSW: 77% of secret-stealing spyware infection cases have been linked to Trojan–PSW.

A few recent cases of concealing malware in software encouraged as game frauds, installers, keygens, and the games themself are the following:
  • Minecraft alt lists on videogames forums dropping Chaos ransomware
  • NPM packages masquerading as Roblox libraries conveying malware and password stealers
  • Microsoft Store copies of games with malware loaders
  • Valorant cheats elevated via YouTube falling info-stealing malware
The cause why hackers exploit game titles to entice people is mainly the massive targeted pool, as the exploited game titles capture the interest of tens of millions of players.

A few instances of fake in-game item stores that copied the originals are highlighted by Kaspersky. These stores conned gamers into paying for stuff they would never receive while also phishing their login information.

Some users find the cost of games itself to be prohibitive and turn to pirated versions instead. Other games are being developed in closed beta, which excludes many potential players and forces users to look for alternate access points. Hackers take advantage of these circumstances by selling fraudulent, pirated beta testing launchers.

In terms of threat variants, Kaspersky reported that little had changed since last year in the environment that impacts gamers, with downloaders (88.56%) topping the list of harmful and unwanted software that is disseminated using the names of well-known games. Trojans (2.9%), DangerousObject (0.86%), and Adware (4.19%) are the next three most prevalent threats.

Finally, many developers advise users to disable antivirus software before installing game-related mods, cheats, and tools because many of them are created by unofficial one-person projects and may trigger false positive security detections.

As a result, players may disregard AV alerts and run malicious programs that have been found on their systems. Downloaders dominate because they can pass internet security checks without incident while still retrieving riskier payloads later on when the user runs the program.

Kaspersky claims that information thieves, cryptocurrency miners, or both are frequently dumped onto the victim's PC. As always, only download free software from reputable websites and exercise caution when doing so.

TA558 Malware Attacks Travel and Hospitality Services

A persistent wave of attacks on Latin American hospitality, hotel, and travel firms with the intention of planting malware on compromised systems have been attributed to a financially motivated cybercrime ring.

Proofpoint researchers are keeping tabs on a malware campaign being run by the TA558 malware gang. The organization used Loda RAT, Vjw0rm, and Revenge RAT among other malware in its attacks. 

The gang has been active at a faster rate than usual in 2022, with intrusions mostly targeted at Latin American Portuguese and Spanish speakers and to a lesser level at Western European and North American speakers.

The group uses phishing campaigns that involve sending malicious spam messages with lures that have a travel theme, like hotel reservations, that contain weaponized documents or URLs in an effort to persuade unwitting users to install trojans that can conduct reconnaissance, steal data, and distribute add-on payloads.

To download and install a variety of malware, including AsyncRAT, Loda RAT, Revenge RAT, and Vjw0rm, the assaults conducted between 2018 and 2021 made use of emails with malicious Word documents that either contained VBA macros or exploits for vulnerabilities like CVE-2017-11882 and CVE-2017-8570.

In more recent attacks, the cybercriminal organization has started distributing malware using Office documents, RAR attachments, ISO attachments, and malicious URLs. The action is in response to Microsoft's decision to make Office products' default settings for macros disabled.

According to Proofpoint, 27 of the 51 campaigns that hackers ran in 2022 made use of URLs linking to ZIP and ISO archives, compared to just five efforts from 2018 through 2021.

Since 2018, at least 15 different malware families have been employed by TA558, sometimes using the same C2 infrastructure, according to Proofpoint. To host the malware payloads, the gang uses websites that have been infiltrated by hotels.

In an effort to prevent detection and obscure the source of the attacks, the threat actor frequently changes languages within the same week.

A number of noticeable patterns are also being used by TA558 in the campaign data, including the use of specific strings, naming conventions, keywords, domains, etc. 

Malvertising Campaign Target Firefox Users via Fake Updates


Fillip Mouliatis, a Malwarebytes researcher has uncovered a malvertising campaign that is nearly identical to the one distributed by the FakeUpdates (SocGholish) attackers. 

However, the execution and distribution patterns are different. Unlike FakeUpdates which is driven by exploited websites to display malicious, fake browser update windows, this campaign employs malvertising. 

The malvertising campaign target users via a fake Firefox update that includes a couple of scripts and an encrypted payload. The initial executable consists of a loader that retrieves a piece of Adware identified as BrowserAssistant. This malicious payload was spotted before in an identical malvertising campaign involving the RIG exploit kit in late 2019. 

Interestingly, the attackers reused the same servers in Russia and dubbed their malvertising gates after different ad networks. 

In October 2020, security analyst ‘@na0_sec’ witnessed the “MakeMoney gate”, named after the domain makemoneywithus[.]work (, redirect to the Fallout exploit kit, although it usually employed RIG EK for multiple years. 

According to Malwarebytes, it is interesting that malicious actors remained faithful to RIG EK for so long during a period when exploit kits were going out of fashion. The attackers also seemed to poke fun at the same ad networks they were exploiting, unless the choice for names linked with their campaigns was motivated by sorting out their upstream traffic. 

However, this particular social engineering campaign could use some improvements to remove some blatant typos while their server-side infrastructure could be tidied up, Filip Mouliatis stated. 

Last year in December 2021, a Malvertising campaign targeted Chrome users via malicious extensions. These extensions, were manufactured to impersonate popular applications, and create backdoors in the software that malicious actors could exploit to exfiltrate personal identifiable information (PII) data.

Magnat, the authors of this malicious campaign specifically targeted users searching for popular software via search engines. Once the victim clicked on a malicious link to a fake installer, their endpoint was compromised with a password stealer called "RedLineStealer," as well as a Chrome extension known as "MagnatExtension” designed to log keystrokes and capture screenshots. 

To mitigate the risks, avoid clicking on ads promising things that seems suspicious. Only click on those ads that look like they were created by a professional graphic designer. Experts also suggest not to click on ads that have spelling errors.