“Why are you coming out from there?” A malicious code package (WikiLoader) that has been tampered with the Notepad++ plugin.

  • AhnLab Security Intelligence Center (ASEC) has recently confirmed that the default plugin “mimeTools.dll” in Notepad++ has been tampered with and distributed.
  • The malicious mimeTools.dll file disguises itself as a legitimate package file by being included in a specific version of the Notepad++ package installation file.
  • mimeTools is a module that performs encoding functions such as Base64, and it is included by default without the need for users to add it separately.
  • Since mimeTools.dll is a default plugin of Notepad++, it is automatically loaded when Notepad++ is executed.
  • The attacker exploited this and used a DLL hijacking technique, causing the malicious code to execute even if the user only launched notepad++.exe.
  • The attacker encrypted a malicious shell in mimeTools.dll.

https://asec.ahnlab.com/ko/63738/

No tags for this post.