New exploit leveraging flaws in Adobe Reader and Microsoft Windows illustrates the increasing sophistication of malware development techniques
Hackers have assembled a malware sample that chains together two previously unseen vulnerabilities.
Though it fails to pack a punch, the combo threat illustrates the increasing sophistication of malware development techniques.
The malicious PDF sample, recently intercepted by security researchers at ESET, omits any payload. Indications are that it leaked early, possibly by accident.
The sample harnesses two previously unknown bugs: a remote code execution vulnerability in Adobe Reader and a privilege escalation flaw in Microsoft Windows.
ESET reported the underlying bugs to Adobe and Microsoft. Both firms have fixed the respective vulnerabilities in their products, allowing the security firm to go public with its findings.
Such tandem approaches are rare but not unprecedented. For example, the Sednit hacking group (also known as ‘APT28’, elsewhere identified as a unit of Russia’s GRU military intelligence) ran a combined two-vulnerability attack last year.
Run correctly, the tactic offers a way to plant malware on targeted machines with only minimal – if any – user interaction involved.
Caught in the early stages
ESET detects the recent combo malicious code as the JS/Exploit.Pdfka.QNV trojan.
The malicious PDF sample embeds JavaScript code that orchestrates the exploitation process. When the PDF file is opened, that JavaScript runs and triggers a double-free vulnerability in Adobe Reader, giving the attacker code execution inside Reader’s sandboxed process.
Code execution alone does not get past the sandbox protection built into Adobe Reader, so other malicious code built into the same sample then exploits a privilege escalation flaw in Microsoft Windows to escape the sandbox and gain control of the underlying system.
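The chain above starts from JavaScript that Reader executes automatically when the document is opened. A first triage step that a practitioner would want, and which also speaks to the caution about PDFs urged later in this article, is to check whether a PDF contains script wired to an auto-run action before anyone opens it. The script below is an added example written for this article, not ESET’s code and not related to the sample described here; the PDF bytes it scans are constructed inline for illustration, and the keyword list and thresholds are this example’s own choices.

```python
import re
from typing import Dict, List

# PDF name objects that warrant a closer look. /OpenAction and /AA trigger
# actions automatically; /JavaScript and /JS carry the script itself.
SUSPICIOUS_NAMES = ("/OpenAction", "/AA", "/JavaScript", "/JS", "/Launch", "/EmbeddedFile")


def _decode_name_escapes(data: bytes) -> bytes:
    """Undo PDF name-object hex escapes, e.g. b'/J#61vaScript' -> b'/JavaScript'.
    Malicious PDFs use these escapes to hide keywords from naive string matching."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def count_keywords(pdf: bytes) -> Dict[str, int]:
    """Count each suspicious name after normalising hex escapes.
    The negative lookahead stops /JS from also matching longer names."""
    normalized = _decode_name_escapes(pdf)
    counts: Dict[str, int] = {}
    for name in SUSPICIOUS_NAMES:
        pattern = re.escape(name.encode()) + rb"(?![A-Za-z0-9_])"
        counts[name] = len(re.findall(pattern, normalized))
    return counts


def triage(pdf: bytes) -> List[str]:
    """Return human-readable findings; an empty list means nothing flagged."""
    counts = count_keywords(pdf)
    findings: List[str] = []
    has_js = counts["/JavaScript"] + counts["/JS"] > 0
    auto_run = counts["/OpenAction"] + counts["/AA"] > 0
    if has_js and auto_run:
        findings.append("JavaScript wired to an automatic action (runs on open)")
    elif has_js:
        findings.append("embedded JavaScript present")
    if counts["/Launch"]:
        findings.append("/Launch action (can start external programs)")
    if counts["/EmbeddedFile"]:
        findings.append("embedded file attachment")
    return findings


# Constructed sample: a minimal PDF whose catalog auto-runs a JavaScript action.
# The action type name is hex-escaped (/J#61vaScript) the way evasive samples do it.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Type /Action /S /J#61vaScript /JS (app.alert(1)) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: the same document with no actions or script at all.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_PDF), ("benign", BENIGN_PDF)):
        print(label, count_keywords(doc), triage(doc) or "no findings")
```

This is string-level triage only: it will catch keywords hidden behind name escapes, but not keywords buried inside compressed object streams, so a production check should inflate FlateDecode streams before scanning, and a hit should be treated as a reason to detonate the file in a sandbox rather than as proof of malice.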
The sample does not contain a final payload, which may suggest that it was caught during its early development stages.
ESET researchers discovered the PDF sample when it was uploaded to a public repository of malicious samples, likely as a result of a mistake by malware developers.
Even though the sample is inert, it illustrates a high level of skill in vulnerability discovery and exploit writing. It also illustrates why caution needs to be exercised when opening PDF files.
“PDFs are routinely opened without a second thought as a matter of course, and they’re a particular threat to sensitive business areas such as finance or HR where PDFs are incredibly common,” Chris Boyd, a malware analyst at Malwarebytes, told The Daily Swig.
“Even in cases where the PDF isn’t malicious, we see them used as launchpads for phishing attacks, directing victims to fake landing pages via ‘PDF not supported’ messages.”
“They’re definitely one of the best ways for an attacker to carve their way inside an organization,” he concluded.