Pierluigi Paganini January 27, 2019

Experts discovered PDF exploit that was using steganography to hide malicious JavaScript code in images embedded in PDF files.

The exploit analysis firm EdgeSpot recently discovered PDF exploit that was using steganography to hide malicious JavaScript code in images embedded in PDF files.

“Shortly after last week’s discovery of a PDF exploit which used the method of this.getPageNumWords() & this.getPageNthWord() for obfuscation, we found another, but much more powerful exploit obfuscation technique in PDF exploits.” reads the analysis published by EdgeSpot.

“This technique uses a so-called “steganography” method to hide malicious Javascript code in images embedded in PDF files, it is so powerful as it could bypass almost all AV engines.
The sample was detected as “exploit CVE-2013-3346” by our EdgeLogic engine, same as the previous one.”

Attackers can use specially crafted PDF documents that can bypass the detection of antimalware software.  

Experts pointed out that the sample they analyzed was first seen in VirusTotal in October 2017, but last week its detection rate was still very low, only one anti-virus engine was able to detect it.

The sample used two layers of obfuscation. The first one abusing the two methods this.getIcon() and util.iconStreamFromIcon() to read and execute the JavaScript that was hidden in an image named as “icon” in the PDF.

The second one uses steganography to hide the code in stream-119. 

Experts discovered that a “message” hidden in the icon’s stream was read and decoded, then it is executed as Javascript code, via “eval(msg)“.
There are no suspicious data can be found inside the icon file because the malicious code data is heavily obfuscated. According to the researchers, the author of the sample exploited CVE-2013-3346 vulnerability, they speculate that the same individual created another document recently spotted by the firm.

Searching on Google, EdgeSpot experts discovered that the attacker likely copied an open source project/technique called “steganography.js.”

The project was initially proposed to target browsers, but the author of the sample likely modified it to create the malicious PDF files.

“The project was developed working on browsers. We believe the person behind the PDF samples made their innovation as they successfully leveraged the technique in PDF format.” continue the experts. 

“We could not find any information mentioning such technique in PDF exploits before, so we believe this is the first time that the ‘steganography’ technique is used to hide PDF exploits,” 

The researchers believe that this technique is very effective and were impressed by its efficiency, using it all streams appear as harmless.

“Just like the previous one, the “steganography” technique could not only be used to obfuscate this exploit (CVE-2013-3346) but also can be applied to many other PDF exploits including zero-days. We ask security defenders to pay close attention to it.” the experts conclude.

Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2013-3346)

[adrotate banner=”5″] [adrotate banner=”13″]