- AhnLab Security Intelligence Center (ASEC) has recently confirmed that the default plugin “mimeTools.dll” in Notepad++ has been tampered with and distributed.
- The malicious mimeTools.dll file was bundled into the package installation file of a specific Notepad++ version, where it passed as a legitimate package file.
- mimeTools is a module that performs encoding functions such as Base64, and it is included by default without the need for users to add it separately.
- Since mimeTools.dll is a default plugin of Notepad++, it is automatically loaded when Notepad++ is executed.
- The attacker exploited this and used a DLL hijacking technique, causing the malicious code to execute even if the user only launched notepad++.exe.
- The attacker placed an encrypted malicious shell inside mimeTools.dll.
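
Because the tampered plugin loads automatically, one defensive check is to compare every plugin DLL in an installed Notepad++ against hashes taken from a trusted copy. The following is an added example, not code from ASEC or Notepad++; the helper names (`dll_hashes`, `audit_plugins`), the one-folder-per-plugin layout, and the sample files are assumptions, and the trusted copy must come from an independently verified official package, since the tampered DLL shipped inside an installer.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def dll_hashes(root: Path) -> dict:
    """Map each DLL's lowercase relative path to its SHA-256."""
    return {
        p.relative_to(root).as_posix().lower(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() == ".dll"
    }


def audit_plugins(installed_root: Path, baseline: dict) -> dict:
    """Compare installed plugin DLLs with a trusted baseline."""
    installed = dll_hashes(installed_root)
    return {
        "modified": sorted(k for k, v in installed.items()
                           if k in baseline and baseline[k] != v),
        "unexpected": sorted(k for k in installed if k not in baseline),
        "missing": sorted(k for k in baseline if k not in installed),
    }


def demo() -> dict:
    # Constructed sample trees; the bytes are placeholders, not real DLLs.
    with tempfile.TemporaryDirectory() as tmp:
        trusted, installed = Path(tmp, "trusted"), Path(tmp, "installed")
        for root in (trusted, installed):
            (root / "mimeTools").mkdir(parents=True)
            (root / "NppExport").mkdir(parents=True)
            (root / "NppExport" / "NppExport.dll").write_bytes(b"export plugin")
        (trusted / "mimeTools" / "mimeTools.dll").write_bytes(b"official build")
        (installed / "mimeTools" / "mimeTools.dll").write_bytes(b"tampered build")
        (installed / "mimeTools" / "extra.dll").write_bytes(b"dropped file")
        return audit_plugins(installed, dll_hashes(trusted))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

A `modified` or `unexpected` entry means a DLL in the plugins directory that Notepad++ would load at startup does not match the trusted package and should be examined before the editor is launched again.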
https://asec.ahnlab.com/ko/63738/