Cybereason GSOC team analysts have analyzed a specific technique that leverages Notepad++ plugins to persist and evade security mechanisms on a machine. Following this introduction, we describe in detail how to reproduce this attack and implement detection and prevention mechanisms.
This particular Threat Analysis report is part of a series named “Purple Team Series” covering widely used attack techniques, how threat actors are leveraging them and how to detect their use.
The Cybereason Global Security Operations Center (GSOC) Team issues Threat Analysis Reports to inform on impacting threats. The Threat Analysis Reports investigate these threats and provide practical recommendations for protecting against them.
The Threat Analysis reports investigate these threats and provide practical recommendations for protecting against them.
Notepad++ is a very popular Notepad replacement and code editor created and maintained by Don Ho. This application supports multiple coding languages as well as plugins that automate a number of IT and development related tasks.
Plugins are simply modules that can be installed from the approved list that is maintained by the community or custom built using languages such as C#. These plugins are stored in the %PROGRAMFILES%\Notepad++\plugins\ directory.
Using an open-source project, Notepad++ Plugin Pack, a security researcher that goes by the name RastaMouse was able to demonstrate how to build a malicious plugin that can be used as a persistence mechanism. The plugin pack is a .NET package for Visual Studio that provides a basic template for building plugins:
Notepad++ Plugin Pack Template
Threat actors can use this technique to circumvent security mechanisms and achieve persistence on their victim machine.
The APT group StrongPity is known to leverage a legitimate Notepad++ installer accompanied with malicious executables, allowing it to persist after a reboot on a machine. This backdoor enables this threat actor to install a keylogger on the machine and communicate with a C2 server to send the output of this software.
The StrongPity APT group (also known as APT-C-41 and PROMETHIUM) was first observed in 2012 and employs the same tactics as the one described above, namely adding backdoors to legitimate software used by specific users:
In this section, we analyzed Notepad++ plugin loading mechanism and drafted an attack scenario based on this vector. You can find a video of the attack scenario, available below:
The SCI_ADDTEXT API can be abused to trigger a custom Notepad++ command when a key is typed inside of Notepad++. Using C#, we created a DLL that will run a PowerShell command on the first, initial press of any key inside of Notepad++.
In our attack scenario, the PowerShell command will execute a Meterpreter payload. We set this to only run once to ensure our C2’s availability would not be affected due to multiple connection attempts:
PowerShell command embedded in malicious DLL
* Note - Our Meterpreter shell will inherit the permissions of the user who launched Notepad++. In the event the victim opens the application as an administrator, (ex - they are making changes to the Host file) our shell will have those same privileges.
Using local administrator privileges, we dropped the compiled DLL into the appropriate folder:
Malicious DLL dropped into the plugin directory
As expected, when Notepad++ loaded and a single letter was typed, PowerShell executed and our Meterpreter session was established:
(Victim’s view) PowerShell executing the configured malicious payload once a key was typed
(Attacker’s view) Established Meterpreter session
(Attacker’s view) Shell commands from Meterpreter session
To test for and demonstrate the behavior difference with the inherited permissions, we attempted to run the GetSystem module in our Meterpreter session that was executed as a regular user:
(Attacker’s view) Privilege escalation attempt failed under regular user permissions
Next, we ran Notepad++ as ‘administrator’ and re-ran the payload. We were able to escalate to SYSTEM this time through the GetSystem module:
(Attacker’s view) Successfully escalated to SYSTEM
A MalOp was created due to the Meterpreter payload. When we ran the ‘shell’ module in Metasploit, it created a child process of cmd.exe with additional child processes created for whoami.exe and calc.exe. Network connections from PowerShell to our command and control server are visible as well:
(Defender’s view) Process tree as seen in the Cybereason Defense Platform - Our loaded module created child process of PowerShell.exe
When searching for the loaded modules in the notepad++.exe process, we are able to identify the malicious DLL that was loaded:
(Defender’s view) Searching for loaded malicious module by name
No other useful file metadata or indicators were observed that could help detect this attack.
Static analysis tools were able to pull indicators such as compile time, architecture, and programming language used to build the binary:
Compilation timestamp
64-bit architecture
Microsoft .NET executable written in C#
As this is a C#/.NET binary, standard static analysis tools that would be used for C/C++ binaries will be unable to pull references to the functions used specific to the plugin pack or the embedded PowerShell command. C#/.NET binaries compile down to what is called Microsoft Intermediate Language (MSIL).
The metadata contained inside the code allows us to decompile this executable using DNSpy. We were able to decompile the binary almost completely back to source, allowing us to extract Indicators of Compromise (IOCs) such as the Command & Control (C2) IP addresses inside of the Base64 encoded PowerShell command:
Decompiled source code
PowerShell command after decoding the Base64 in Cyberchef
The Cybereason GSOC recommends the following:
Cybereason is dedicated to teaming with defenders to end cyber attacks from endpoints to the enterprise to everywhere. Schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.
|
Executables |
Npp_Persistence_Plugin.dll - SHA256: 90BC7FA90705148D8FFEEF9C3D55F349611905D3F7A4AD17B956CD7EE7A208AF |
Derrick Masters, Principal Security Analyst, Cybereason Global SOC
Derrick Masters is a Senior Security Analyst with the Cybereason Global SOC team. He is involved with threat hunting and purple teaming. Derrick's professional certifications include GCFA, GCDA, GPEN, GPYC, and GSEC.
Loïc Castel, Principal Security Analyst, Cybereason Global SOC
Loïc Castel is a Principal Security Analyst with the Cybereason Global SOC team. Loïc analyses and researches critical incidents and cybercriminals, in order to better detect compromises. In his career, Loïc worked as a security auditor in well-known organizations such as ANSSI (French National Agency for the Security of Information Systems) and as Lead Digital Forensics & Incident Response at Atos. Loïc loves digital forensics and incident response, but is also interested in offensive aspects such as vulnerability research.
The Cybereason Global SOC Team delivers 24/7 Managed Detection and Response services to customers on every continent. Led by cybersecurity experts with experience working for government, the military and multiple industry verticals, the Cybereason Global SOC Team continuously hunts for the most sophisticated and pervasive threats to support our mission to end cyberattacks on the endpoint, across the enterprise, and everywhere the battle moves.
All Posts by Cybereason Global SOC Team
This Threat Analysis Report explores widely used DLL Side-Loading attack techniques, outlines how threat actors leverage these techniques, describes how to reproduce an attack, and reports on how defenders can detect and prevent these attacks...
This research zeroes in on the Winnti malware arsenal and includes analysis of the observed malware and the complex Winnti infection chain, including evasive maneuvers and stealth techniques that are baked-in to the malware code...
