A Node.js executable file that comes with the Adobe Creative Cloud Experience can be used to spread malware and compromise a target computer, security researchers are saying.
Cybersecurity researcher Michael Taggart recently published a proof-of-concept JavaScript file, spawning the Windows Calculator app, with which he was able to run malicious scripts on an endpoint.
"I have confirmed that the node.exe packaged with the Adobe Customer Experience service can run any JavaScript you point it to," Taggart said.
False positives
"So the attack chain may look like an installer or zip file that drops [a JavaScript file], or even a macro that drops JavaScript in a user-writable directory, then invokes Adobe's own node.exe for execution."
Taking advantage of Node.js isn’t as easy as it sounds, though, as the attacker would still need access to the device through other means. That - or they would need to somehow persuade the victim into downloading and running the script.
However, its availability makes mounting an attack, and hiding it, that much easier, the publication adds.
"Because the JavaScript is getting invoked by path in C:\Program Files, it would be extremely difficult to detect from a monitoring/threat hunting perspective," explained Taggart, who said that his custom file dropper ran and executed a C2 agent without so much as a warning from Windows Defender.
Therefore, the researcher concludes, its number one use case would be running unsigned code without triggering the alarm.
Where there’s smoke - there’s bound to be a fire. Adobe users have been warning about node.exe in the past, The Register has found, as forum posts, as old as December 2021, have been warning about cybersecurity and antivirus programs flagging node.exe as a security risk.
Cybersecurity researchers usually dismissed these warnings as false positives.
Via: The Register