Spartan Posted April 4, 2024

The AhnLab Security Intelligence Center (ASEC) has detected a sophisticated cyberattack targeting users of the popular text and code editor, Notepad++. Hackers have successfully manipulated a default plugin within the Notepad++ package, potentially compromising the security of countless systems.

The plugin in question, "mimeTools.dll," is a standard component of Notepad++ that provides encoding functionalities, such as Base64. It is automatically included and loaded when Notepad++ is run, which the attackers have exploited to their advantage. By altering the mimeTools.dll file, they disguised the malicious code as a legitimate part of the Notepad++ package.

[Figure: Malicious vs Official Package]

This type of attack, known as DLL Hijacking, takes advantage of the plugin's automatic loading to execute the embedded malicious code without the user

[Figure: Attack Flow]

Launching the Notepad++.exe file triggers the loading of the compromised mimeTools.dll, activating the hidden malware. The attackers have embedded encrypted malicious shell code within the mimeTools.dll and the code necessary to decrypt and execute it. ASEC's investigation revealed that the file named "certificate.pem" within the altered package contains the malicious shell code.

Despite the infection, the plugin's original functionalities remain intact, with only the DllEntryPoint showing altered code. This means that the malicious activities begin when the DLL is loaded, regardless of whether the user attempts to use any specific plugin feature.

The execution flow of the malware is as follows: upon running Notepad++, the infected mimeTools.dll is loaded, which then decrypts and executes the shell code from the certificate.pem file. Subsequent stages of the attack involve further decryption and execution of additional shell code, facilitated by communication with a command and control (C2) server.
The C2 server, initially disguised as a Wiki site—giving rise to the malware's nickname "WikiLoader"—has since been found to display a WordPress login page. At the time of analysis, the additional shell code at the specified offset in the C2 server's response was empty. However, the potential for further malicious activities remains a significant concern. The URLs of the C2 server are still accessible, indicating that the threat actors could update the payload or change their tactics anytime.

The discovery of this malware serves as a stark reminder of the importance of downloading software exclusively from official distribution sites. Users are urged to exercise extreme caution when dealing with cracked versions or software from unknown sources.

ASEC has provided the following indicators of compromise (IoCs) for users to check their systems:
- MD5 hashes of the compromised package files and individual components.
- The URLs of the C2 server involved in the attack.

The security community is actively working to address this threat, and users of Notepad++ are strongly advised to verify their installations' integrity and update their software from the official Notepad++ website. It is also recommended that a complete system scan be run using a reputable antivirus program to ensure no remnants of the malware remain.

This incident underscores the ever-evolving nature of cyber threats and the need for constant vigilance in the digital age. Users and organizations must stay informed and adopt robust security practices to protect against such insidious attacks.
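The post above ends with the advice to verify an installation's integrity, and its key detail is that the tampered package keeps the plugin's file name and features while changing the file's bytes and adding a payload file next to it. The script below is an added example, not code from ASEC or the Notepad++ project, showing the defender-side check that advice implies: snapshot a trusted install tree as path-to-digest pairs, then diff a live tree against it to list modified, missing and unexpected files. All file contents, paths and hashes in it are constructed stand-ins; a real check would use digests of the official package (the published IoCs are MD5, so the digest algorithm is a parameter).

```python
"""Baseline-based integrity check for an editor install tree (added example)."""
import hashlib
import os
import tempfile

# Function names below are hypothetical; they are not from ASEC or Notepad++.


def file_digest(path, algo="sha256"):
    """Hash one file in chunks; pass algo='md5' to compare against MD5-only IoC lists."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, algo="sha256"):
    """Walk an install tree and record relative path -> digest (the trusted snapshot)."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = file_digest(full, algo)
    return baseline


def verify_install(root, baseline, algo="sha256"):
    """Compare the live tree to the baseline and report three classes of drift."""
    current = build_baseline(root, algo)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in current)
    unexpected = sorted(p for p in current if p not in baseline)
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


def demo():
    """Constructed scenario: snapshot a clean tree, then tamper with the plugin."""
    with tempfile.TemporaryDirectory() as root:
        plugin_dir = os.path.join(root, "plugins", "mimeTools")
        os.makedirs(plugin_dir)
        dll = os.path.join(plugin_dir, "mimeTools.dll")
        with open(dll, "wb") as f:
            f.write(b"CONSTRUCTED clean plugin bytes")  # stand-in for the genuine DLL
        with open(os.path.join(root, "notepad++.exe"), "wb") as f:
            f.write(b"CONSTRUCTED editor bytes")  # stand-in for the editor binary
        baseline = build_baseline(root)

        # Simulate the drift the report describes: the plugin's bytes change while
        # its name stays the same, and a 'certificate.pem' appears beside it.
        with open(dll, "wb") as f:
            f.write(b"CONSTRUCTED tampered plugin bytes")
        with open(os.path.join(plugin_dir, "certificate.pem"), "wb") as f:
            f.write(b"CONSTRUCTED opaque blob")
        return verify_install(root, baseline)


if __name__ == "__main__":
    print(demo())
```

Because the baseline is keyed by relative path, a tampered file that keeps its name shows up under "modified" and a dropped payload under "unexpected", which is exactly the pattern the post describes; a clean reinstall from the official site is the fix, and the baseline should be rebuilt from that clean tree before it is trusted again.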
dasari4kntr Posted April 4, 2024
This Notepad++ isn't available on Mac… I think this is only for Windows users…

Spartan Posted April 4, 2024 (Author)
1 minute ago, dasari4kntr said: This Notepad++ isn't available on Mac… I think this is only for Windows users…
For Mac, Sublime Text is great.

dasari4kntr Posted April 4, 2024
5 minutes ago, Spartan said: For Mac, Sublime Text is great.
But doesn't that need a license…

Spartan Posted April 4, 2024 (Author)
Just now, dasari4kntr said: But doesn't that need a license…
Free for personal use.

yemdoing Posted April 4, 2024
10 minutes ago, Spartan said: For Mac, Sublime Text is great.
Notepad++ is far superior to Sublime.

yemdoing Posted April 4, 2024
12 minutes ago, dasari4kntr said: This Notepad++ isn't available on Mac… I think this is only for Windows users…
Subtly showing off that you're a Mac user, eh.

Spartan Posted April 4, 2024 (Author)
1 minute ago, yemdoing said: Notepad++ is far superior to Sublime.
Even when I was on Windows, I only ever used that one.

dasari4kntr Posted April 4, 2024
Just now, yemdoing said: Subtly showing off that you're a Mac user, eh.
No… I searched for Notepad++ on Mac… there is no option… so I am using VS Code even for simple things…
AvramFaind Posted July 5, 2024
I came across that article about the Notepad++ plugin getting hacked—it's alarming. Notepad++ has been my go-to for ages, so it's unsettling to hear about security issues like this. I checked out https://notesonline.com/notepad , and they break down what went down and how to stay safe. It's a reminder to stay on top of updates and maybe even think twice about the plugins we install, even if they're from trusted sources. Have you looked into any additional security measures for your setup?

Sucker Posted July 5, 2024
Damn, just last week I compared all my passwords between the laptop and the hard drive in Notepad++ to see whether they were updated or not. What a mess, do I have to change my passwords daily like this now?

TeluguTexas Posted July 5, 2024
2 hours ago, Sucker said: Damn, just last week I compared all my passwords between the laptop and the hard drive in Notepad++ to see whether they were updated or not. What a mess, do I have to change my passwords daily like this now?
Change the Hornhub one first, before someone hacks your details, puts up a d**k photo and gets off with somebody using it, buhahaha.

Konebhar6 Posted July 5, 2024
13 hours ago, Sucker said: Damn, just last week I compared all my passwords between the laptop and the hard drive in Notepad++ to see whether they were updated or not. What a mess, do I have to change my passwords daily like this now?
It's not very secure… Write your passwords on paper… post them here in DB. Whenever you need the password, someone will give it to you… Nobody will misuse them… Guaranteed by your guru @r2d2.

AverageDesiGuy Posted July 7, 2024
On 7/4/2024 at 10:14 PM, AvramFaind said: I came across that article about the Notepad++ plugin getting hacked—it's alarming. Notepad++ has been my go-to for ages, so it's unsettling to hear about security issues like this.
A bot?

jefferson1 Posted July 7, 2024
On 4/4/2024 at 2:52 PM, dasari4kntr said: This Notepad++ isn't available on Mac… I think this is only for Windows users…
Notepad++ can be installed on Mac (not directly). I installed it and it's working.