Adobe Creative Cloud add-on gives attackers an easy way to smuggle malware onto your device


A Node.js executable file that comes with the Adobe Creative Cloud Experience can be used to spread malware and compromise a target computer, security researchers say.

Cybersecurity researcher Michael Taggart recently published a proof-of-concept JavaScript file that spawns the Windows Calculator app, with which he was able to run malicious scripts on an endpoint.

"I have confirmed that the node.exe packaged with the Adobe Customer Experience service can run any JavaScript you point it to," Taggart said.


False positives

"So the attack chain may look like an installer or zip file that drops [a JavaScript file], or even a macro that drops JavaScript in a user-writable directory, then invokes Adobe's own node.exe for execution."

Taking advantage of Node.js isn't as easy as it sounds, though: the attacker would still need access to the device through other means, or would need to somehow persuade the victim to download and run the script.

However, the executable's availability makes mounting an attack, and hiding it, that much easier, the publication adds.

"Because the JavaScript is getting invoked by path in C:\Program Files, it would be extremely difficult to detect from a monitoring/threat hunting perspective," explained Taggart, who said that his custom file dropper ran and executed a C2 agent without so much as a warning from Windows Defender.

Therefore, the researcher concludes, its number one use case would be running unsigned code without triggering an alarm.
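One way to hunt for the pattern described above, as an added example that is not from the article, Taggart or Adobe: flag process-creation events where a node.exe under Program Files runs a script that lives outside its own install directory, or is handed inline code. The `Constructed App` path, the event field names and the list of user-writable roots are assumptions, and the sample events are constructed.

```python
import ntpath
import shlex

# Assumptions: roots a standard user can write to, and node options that take inline code.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
INLINE_FLAGS = {"-e", "--eval", "-p", "--print"}

def norm(path):
    return ntpath.normpath(path.strip('"')).lower()

def is_vendor_node(image):
    # Assumption: the bundled runtime lives under Program Files\Adobe.
    img = norm(image)
    return img.endswith("\\node.exe") and img.startswith(
        ("c:\\program files\\adobe\\", "c:\\program files (x86)\\adobe\\"))

def triage(event):
    """Return a reason string if the process-creation event deserves review, else None."""
    if not is_vendor_node(event["image"]):
        return None
    # posix=False keeps backslashes literal; [1:] drops the executable itself.
    for tok in shlex.split(event["command_line"], posix=False)[1:]:
        if tok in INLINE_FLAGS:
            return "inline code passed to vendor node.exe"
        if tok.startswith("-"):
            continue  # other option; keep looking for the script path
        # Resolve relative paths against the working directory, collapsing "..".
        script = norm(ntpath.join(event["cwd"], tok.strip('"')))
        if script.startswith(USER_WRITABLE):
            return "script in user-writable path"
        if not script.startswith(ntpath.dirname(norm(event["image"])) + "\\"):
            return "script outside vendor install directory"
        return None
    return None

# Constructed sample events (fields modelled on process-creation telemetry).
NODE = r"C:\Program Files\Adobe\Constructed App\node.exe"
HOME = r"C:\Program Files\Adobe\Constructed App"
SAMPLE_EVENTS = [
    {"image": NODE, "cwd": HOME, "command_line": f'"{NODE}" "{HOME}\\js\\main.js"'},
    {"image": NODE, "cwd": HOME, "command_line": f'"{NODE}" C:\\Users\\alice\\AppData\\Local\\Temp\\update.js'},
    {"image": NODE, "cwd": HOME, "command_line": f'"{NODE}" ..\\..\\..\\Users\\Public\\run.js'},
    {"image": NODE, "cwd": HOME, "command_line": f'"{NODE}" -e "console.log(1)"'},
    {"image": r"C:\Program Files\nodejs\node.exe", "cwd": "C:\\", "command_line": "node.exe app.js"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(triage(ev), "<-", ev["command_line"])
```

The rule keys on where the script lives rather than where the interpreter lives, since the interpreter's own path is the part that looks trusted.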

Where there's smoke, there's bound to be fire. Adobe users have warned about node.exe before: The Register found forum posts, some as old as December 2021, reporting that cybersecurity and antivirus programs were flagging node.exe as a security risk.

Cybersecurity researchers usually dismissed these warnings as false positives. 

Via: The Register

Sead Fadilpašić
