A Node.js executable bundled with the Adobe Creative Cloud Experience can be used to run malware and compromise a target computer, security researchers say.
Cybersecurity researcher Michael Taggart recently published a proof-of-concept JavaScript file that spawns the Windows Calculator app, demonstrating that the bundled binary will run attacker-supplied scripts on an endpoint.
"I have confirmed that the node.exe packaged with the Adobe Customer Experience service can run any JavaScript you point it to," Taggart said.
"So the attack chain may look like an installer or zip file that drops [a JavaScript file], or even a macro that drops JavaScript in a user-writable directory, then invokes Adobe's own node.exe for execution."
Abusing the bundled Node.js runtime is not as easy as it sounds, though: it is not a remote exploit, so the attacker still needs access to the device by other means, or has to persuade the victim into downloading and running the script.
Its availability does, however, make an attack easier both to mount and to hide, The Register adds.
"Because the JavaScript is getting invoked by path in C:\Program Files, it would be extremely difficult to detect from a monitoring/threat hunting perspective," explained Taggart, who said that his custom file dropper ran and executed a C2 agent without so much as a warning from Windows Defender.
The researcher therefore concludes that its primary use case for an attacker is running unsigned code from a trusted vendor path without tripping alerts.
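The attack chain described above (a dropped .js file in a user-writable directory, executed by the Adobe-bundled node.exe) is also the pattern a threat hunter can look for in process-creation telemetry. The following is an added example, not code from the article or from Taggart's proof of concept: it scores Sysmon-style process-creation records and flags the combination of an Adobe-installed node.exe, a script argument under a user-writable path (or code passed inline via -e/--eval/stdin), and a parent process that is not itself an Adobe component. The install path of node.exe, the record field names, the allow-listed parent directory, the list of user-writable directories and the sample records are all assumptions constructed for illustration.

```python
"""Hunt for abuse of an Adobe-bundled node.exe in process-creation telemetry.

Added example, not code from the article or from Taggart's proof of concept.
Records are Sysmon Event ID 1 style; the field names, the install path of
node.exe, the user-writable directory list, the parent allow-list and the
sample events below are all assumptions constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProcessEvent:
    image: str          # full path of the created process
    command_line: str   # raw command line as logged
    parent_image: str   # full path of the parent process


# node.exe located under an Adobe directory in Program Files (path pattern assumed).
ADOBE_NODE = re.compile(r"^[a-z]:\\program files( \(x86\))?\\adobe\\.*\\node\.exe$", re.I)

# Parents expected to launch that binary: other Adobe components (assumed allow-list).
EXPECTED_PARENT = re.compile(r"^[a-z]:\\program files( \(x86\))?\\adobe\\", re.I)

# Locations a standard user can write to (assumed list; extend for your environment).
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\(appdata|downloads|desktop|documents)"
    r"|users\\public|windows\\temp|programdata)\\",
    re.I,
)
ABSOLUTE = re.compile(r"^[a-z]:\\", re.I)

# Node switches that run code from the command line or stdin instead of a file.
INLINE_EXEC = {"-e", "--eval", "-p", "--print", "-"}


def split_windows_cmdline(cmdline: str) -> list[str]:
    """Split on whitespace while keeping double-quoted paths intact (quotes removed)."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmdline)]


def script_argument(args: list[str]) -> Optional[str]:
    """First argument that is not a switch: the script node.exe will execute."""
    for arg in args:
        if not arg.startswith("-"):
            return arg
    return None


def assess(ev: ProcessEvent) -> list[str]:
    """Return the reasons this event looks like node.exe abuse (empty list = benign)."""
    reasons: list[str] = []
    if not ADOBE_NODE.match(ev.image):
        return reasons                      # some other node.exe; out of scope for this rule
    args = split_windows_cmdline(ev.command_line)[1:]
    if any(a in INLINE_EXEC for a in args):
        reasons.append("code supplied inline or via stdin")
    else:
        script = script_argument(args)
        if script is not None and not ABSOLUTE.match(script):
            reasons.append(f"relative script path (depends on cwd): {script}")
        elif script is not None and USER_WRITABLE.match(script):
            reasons.append(f"script in user-writable directory: {script}")
    if not EXPECTED_PARENT.match(ev.parent_image):
        reasons.append(f"unexpected parent process: {ev.parent_image}")
    return reasons


def hunt(events: list[ProcessEvent]) -> list[tuple[ProcessEvent, list[str]]]:
    """Return every event that produced at least one reason, with its reasons."""
    findings = []
    for ev in events:
        reasons = assess(ev)
        if reasons:
            findings.append((ev, reasons))
    return findings


# Constructed records, not real telemetry. NODE is an assumed install path.
NODE = r"C:\Program Files\Adobe\Creative Cloud Experience\libs\node.exe"
SAMPLE_EVENTS = [
    # 0: an Adobe component running its own bundled script: expected behaviour
    ProcessEvent(NODE, rf'"{NODE}" "C:\Program Files\Adobe\Creative Cloud Experience\js\app.js"',
                 r"C:\Program Files\Adobe\Creative Cloud Experience\CreativeCloudExperience.exe"),
    # 1: a macro dropped a script into %TEMP% and launched node.exe from Word
    ProcessEvent(NODE, rf'"{NODE}" C:\Users\alice\AppData\Local\Temp\update.js',
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    # 2: no file at all, code passed inline from a shell
    ProcessEvent(NODE, rf'''"{NODE}" -e "require('child_process').exec('calc.exe')"''',
                 r"C:\Windows\System32\cmd.exe"),
    # 3: a developer's own Node install; not Adobe's binary, so this rule ignores it
    ProcessEvent(r"C:\Program Files\nodejs\node.exe",
                 r'"C:\Program Files\nodejs\node.exe" C:\Users\bob\Downloads\build.js',
                 r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for ev, reasons in hunt(SAMPLE_EVENTS):
        print(ev.command_line)
        for reason in reasons:
            print("  -", reason)
```

The Program Files location is what makes the image look trustworthy; the command line and the parent process are where it stops looking like Adobe, which is why the rule keys on those rather than on the image alone. A relative script path is flagged as well, because the working directory then decides what actually runs.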
False positives
Where there is smoke there is usually fire. The Register found that Adobe users have been raising questions about node.exe for some time: forum posts going back to December 2021 report security and antivirus products flagging node.exe as a security risk.
At the time, security researchers generally dismissed those warnings as false positives.
Via: The Register