Popular Notepad++ Plugin Compromised, Injects Hidden Malware

By: Austin Ukpebor - April 7, 2024 at 01:36:47am

Security researchers at the AhnLab Security Intelligence Center (ASEC) have uncovered a worrying attack targeting users of the popular text editor Notepad++. Hackers have infiltrated a widely used plugin and injected malicious code that compromises systems when users launch the program.

The Stealthy Attacker

The compromised plugin is called "mimeTools.dll," a standard component of Notepad++ known for encoding functionalities. This seemingly ordinary file masked the hackers' true intentions. The malicious version disguised itself as a legitimate software package, tricking users into unknowingly downloading and installing it.

Once installed, the malware leverages a technique called DLL Hijacking. When a user opens Notepad++, the program automatically loads "mimeTools.dll." The attackers exploited this by embedding malicious code within the compromised plugin. This code activates silently in the background without any user knowledge or action.

Deceptive Design

The attackers took extra steps to conceal their activity. While the malicious code resided within "mimeTools.dll," the plugin's original functionalities remained seemingly intact. The only alteration was to a specific code section, ensuring the malware launched unnoticed alongside Notepad++.

The Malicious Chain Reaction

The attack unfolds in stages. First, a user launches Notepad++, triggering the automatic loading of the compromised "mimeTools.dll" file. This DLL houses a hidden "certificate.pem" file containing encrypted malicious code. Upon loading, the code decrypts and initiates the actual attack, putting the user's system at risk.
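One defensive check that follows from the chain described above, added here as an example and not taken from the article, ASEC or the Notepad++ project: record SHA-256 hashes of a known-good plugin directory as a baseline, then rescan and flag plugin DLLs whose hash changed (a replaced mimeTools.dll) and files the baseline never contained (a dropped certificate.pem). The directory layout and file contents below are constructed stand-ins; the real Notepad++ install path is an assumption left to the operator.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large DLLs are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(plugin_dir: Path) -> dict:
    """Map of relative path -> sha256 for every file under a trusted plugin tree."""
    return {p.relative_to(plugin_dir).as_posix(): sha256_of(p)
            for p in plugin_dir.rglob("*") if p.is_file()}

def scan(plugin_dir: Path, baseline: dict) -> dict:
    """Compare a plugin tree against the baseline and report three classes of drift:
    modified (hash changed), unexpected (not in baseline), missing (in baseline only)."""
    current = build_baseline(plugin_dir)
    return {
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "unexpected": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }

def demo() -> dict:
    """Constructed scenario: a clean plugins tree versus one where mimeTools.dll was
    swapped out and a certificate.pem payload carrier was placed beside it."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp) / "clean" / "plugins" / "mimeTools"
        tampered = Path(tmp) / "tampered" / "plugins" / "mimeTools"
        for d in (clean, tampered):
            d.mkdir(parents=True)
        # Constructed byte strings standing in for the real PE file and payload.
        (clean / "mimeTools.dll").write_bytes(b"MZ-legit-plugin")
        (tampered / "mimeTools.dll").write_bytes(b"MZ-trojanised-plugin")
        (tampered / "certificate.pem").write_bytes(b"encrypted-payload")
        baseline = build_baseline(clean.parent)   # taken from the trusted install
        return scan(tampered.parent, baseline)    # run against the suspect install

if __name__ == "__main__":
    print(demo())
```

In practice the baseline is generated once from a freshly downloaded official build and stored outside the Notepad++ directory, so a tampered install cannot also rewrite the reference hashes.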

It's crucial for Notepad++ users to stay vigilant. Download plugins only from the official source and avoid untrusted websites. Additionally, consider using antivirus software that detects and blocks DLL Hijacking attempts.