Threat actors may abuse Notepad++ plugins to circumvent security mechanisms and achieve persistence on a victim's machine, new research from security company Cybereason suggests.

“Using an open-source project, Notepad++ Plugin Pack, a security researcher that goes by the name RastaMouse was able to demonstrate how to build a malicious plugin that can be used as a persistence mechanism,” the company wrote in an advisory on Wednesday.

Notepad++ Plugin Pack is a .NET package for Visual Studio that provides a basic template for building plugins. However, advanced persistent threat (APT) groups have leveraged Notepad++ plugins for nefarious purposes in the past.

“The APT group StrongPity is known to leverage a legitimate Notepad++ installer accompanied with malicious executables, allowing it to persist after a reboot on a machine,” the Cybereason advisory reads. “This backdoor enables this threat actor to install a keylogger on the machine and communicate with a C2 server to send the output of this software.”

In their advisory, the Cybereason team analyzed the Notepad++ plugin loading mechanism and drafted an attack scenario based on this vector. Using the C# programming language, the security experts created a dynamic link library (DLL) that runs a PowerShell command on the first press of any key inside Notepad++.

“In our attack scenario, the PowerShell command will execute a Meterpreter payload,” the company wrote. Cybereason then ran Notepad++ as ‘administrator’ and re-ran the payload, effectively achieving administrative privileges on the affected system.

For more information about the attack scenario, the original Cybereason advisory is available at this link.

More generally, plugins are often exploited as attack vectors by malicious actors. To mitigate this threat, the security experts said companies should monitor unusual child processes of Notepad++ and pay special attention to shell product types.
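One way to implement the child-process monitoring the experts recommend, as an added example that is not code from the article or from Cybereason: it parses constructed Sysmon-style ProcessCreate records (field names assumed to follow Sysmon Event ID 1) and flags shell-type images launched by notepad++.exe, raising severity when the child runs at High integrity, which is what the ‘run as administrator’ step above would produce. The SHELL_IMAGES list is an assumed starting point, not taken from the advisory.

```python
"""Flag shell-type child processes of notepad++.exe in process-creation telemetry."""
import json

PARENT_IMAGE = "notepad++.exe"
# Image names treated as "shell product types" for this rule (assumed starting list,
# not taken from the advisory); extend it to match your environment.
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Constructed sample telemetry, one JSON object per line, shaped like Sysmon
# Event ID 1 (ProcessCreate). Field names follow Sysmon's; values are invented.
SAMPLE_LOG = r'''
{"EventID": 1, "ProcessId": 4120, "Image": "C:\\Program Files\\Notepad++\\notepad++.exe", "ParentImage": "C:\\Windows\\explorer.exe", "IntegrityLevel": "Medium", "CommandLine": "notepad++.exe"}
{"EventID": 1, "ProcessId": 4388, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Program Files\\Notepad++\\notepad++.exe", "IntegrityLevel": "Medium", "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden"}
{"EventID": 1, "ProcessId": 5001, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Program Files\\Notepad++\\notepad++.exe", "IntegrityLevel": "High", "CommandLine": "cmd.exe /c whoami"}
{"EventID": 1, "ProcessId": 5102, "Image": "C:\\Program Files\\Notepad++\\updater\\gup.exe", "ParentImage": "C:\\Program Files\\Notepad++\\notepad++.exe", "IntegrityLevel": "Medium", "CommandLine": "gup.exe"}
'''


def image_name(path):
    """Basename of a Windows image path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def load_events(log_text):
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def find_suspicious_children(events):
    """Return one alert per shell-type process whose parent image is notepad++.exe."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 1:  # only ProcessCreate records carry parent info
            continue
        if image_name(ev.get("ParentImage", "")) != PARENT_IMAGE:
            continue
        child = image_name(ev["Image"])
        if child not in SHELL_IMAGES:  # e.g. the bundled updater (gup.exe) is expected
            continue
        # A High-integrity child means the editor itself was elevated when it spawned it.
        severity = "high" if ev.get("IntegrityLevel") == "High" else "medium"
        alerts.append({"pid": ev["ProcessId"], "child": child, "severity": severity,
                       "command_line": ev.get("CommandLine", "")})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_children(load_events(SAMPLE_LOG)):
        print(f"[{alert['severity']}] notepad++.exe -> {alert['child']} "
              f"(pid {alert['pid']}): {alert['command_line']}")
```

In production the same logic would read live Sysmon or EDR process-creation events rather than the embedded sample, and the benign-child allowlist (such as the updater) should be tuned per deployment.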