In their advisory, the Cybereason team analyzed the Notepad++ plugin loading mechanism and drafted an attack scenario based on this vector. “This backdoor enables this threat actor to install a keylogger on the machine and communicate with a C2 server to send the output of this software.” “The APT group StrongPity is known to leverage a legitimate Notepad++ installer accompanied with malicious executables, allowing it to persist after a reboot on a machine,” the Cybereason advisory reads. However, advanced persistent threat (APT) groups have leveraged Notepad++ plugins for nefarious purposes in the past. NET package for Visual Studio that provides a basic template for building plugins. “Using an open–source project, Notepad++ Plugin Pack, a security researcher that goes by the name RastaMouse was able to demonstrate how to build a malicious plugin that can be used as a persistence mechanism,” the company wrote in an advisory on Wednesday.
Threat actors may abuse Notepad++ plugins to circumvent security mechanisms and achieve persistence on their victim machine, new research from security company Cybereason suggests.
0 kommentar(er)
