Security firm Cybereason has suggested that threat actors could exploit Notepad++ plugins to get around security mechanisms and achieve persistence on the victim's machine. A security researcher known as RastaMouse provided a demonstration showing how a malicious plugin could be used as a persistence mechanism. Cybereason released an advisory pertaining to the vulnerability on Wednesday. This is not the first time that advanced persistent threat groups have used Notepad++ plugins to conduct attacks and other nefarious activity.
In particular, the APT group StrongPity has been known to leverage a legitimate installer for Notepad++ alongside malicious executables. The combination of these two techniques allows the attackers to persist after a reboot of the machine. In addition, it enables the attacker to install a keylogger on the machine and steal passwords and other information. Cybereason analyzed the plugin loading mechanism based on these prior attacks. The security firm stated that companies should monitor unusual processes spawned by Notepad++ and pay particular attention to shell product types to mitigate the risks posed by this vulnerability.
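As an added example that is not part of the original article, the following Python applies the advisory's monitoring advice to constructed Sysmon-style events: it flags notepad++.exe spawning a shell or script host, and notepad++.exe loading a plugin DLL that is not on an approved list. The paths, plugin names, allowlist and event records are constructed assumptions, not real telemetry.

```python
"""Flag suspicious Notepad++ activity in constructed Sysmon-style events.

Two defensive heuristics: (1) notepad++.exe spawning a shell or script
host, (2) notepad++.exe loading a plugin DLL that is not on the
organisation's approved plugin list (plugin DLLs live under the
plugins directory of the Notepad++ install).
"""

# Child images that a text editor has no normal reason to launch.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
          "cscript.exe", "mshta.exe", "rundll32.exe"}

# Constructed allowlist of plugin DLL paths an admin has approved (assumption).
APPROVED_PLUGINS = {
    r"c:\program files\notepad++\plugins\exampleplugin\exampleplugin.dll",
}

# Constructed sample events mimicking Sysmon ProcessCreate (ID 1) and
# ImageLoad (ID 7) fields; none of these are real observations.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Program Files\Notepad++\notepad++.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c echo test"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Notepad++\notepad++.exe", "CommandLine": "notepad++.exe"},
    {"EventID": 7, "Image": r"C:\Program Files\Notepad++\notepad++.exe",
     "ImageLoaded": r"C:\Program Files\Notepad++\plugins\ExamplePlugin\ExamplePlugin.dll"},
    {"EventID": 7, "Image": r"C:\Program Files\Notepad++\notepad++.exe",
     "ImageLoaded": r"C:\Program Files\Notepad++\plugins\Unknown\Unknown.dll"},
]


def basename(path):
    """Lower-cased final path component, tolerating either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_notepadpp(path):
    return basename(path) == "notepad++.exe"


def analyze(events):
    """Return (rule, detail) findings; an empty list means nothing flagged."""
    findings = []
    for ev in events:
        if ev["EventID"] == 1 and is_notepadpp(ev["ParentImage"]) \
                and basename(ev["Image"]) in SHELLS:
            findings.append(("npp_spawns_shell", ev["CommandLine"]))
        elif ev["EventID"] == 7 and is_notepadpp(ev["Image"]):
            loaded = ev["ImageLoaded"].lower()
            if "\\plugins\\" in loaded and loaded not in APPROVED_PLUGINS:
                findings.append(("npp_unapproved_plugin", ev["ImageLoaded"]))
    return findings


if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The allowlist check is a baseline comparison rather than a signature, so a newly installed legitimate plugin will also surface and should be reviewed and added to the list.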
Read More: Notepad++ Plugins Allow Attackers to Infiltrate Systems, Achieve Persistence