“Shortly after last week’s discovery of a PDF exploit which used the method of this.getPageNumWords() & this.getPageNthWord() for obfuscation, we found another, but much more powerful exploit obfuscation technique in PDF exploits.” reads the analysis published by EdgeSpot.
“This technique uses a
The sample was detected as “exploit CVE-2013-3346” by our EdgeLogic engine, same as the previous one.”
Attackers can use specially crafted PDF documents that can bypass the detection of antimalware software.
Experts pointed out that the sample they analyzed was first seen in VirusTotal in October 2017, but last week its detection rate was still very low, only one anti-virus engine was able to detect it.
The sample used two layers of obfuscation. The first one abusing the two methods this.getIcon() and
The second one uses
There are no suspicious data can be found inside the icon file because the malicious code data is heavily obfuscated. According to the researchers, the author of the sample exploited CVE-2013-3346 vulnerability, they speculate that the same individual created another document recently spotted by the firm.
Searching on Google, EdgeSpot experts discovered that the attacker likely copied an open source project/technique called “steganography.js.”
The project was initially proposed to target browsers, but the author of the sample likely modified it to create the malicious PDF files.
“The project was developed working on browsers. We believe the person behind the PDF samples made their innovation as they successfully leveraged the technique in PDF format.” continue the experts.
“We could not find any information mentioning such technique in PDF exploits before, so we believe this is the first time that the ‘steganography’ technique is used to hide PDF exploits,”
The researchers believe that this technique is very effective and
“Just like the previous one, the “steganography” technique could not only be used to obfuscate this exploit (CVE-2013-3346) but also can be applied to many other PDF exploits including zero-days. We ask security defenders to pay close attention to it.” the experts conclude.