loader gif

Cybercriminals use Steganography technique to hide PDF exploits

Cybercriminals use Steganography technique to hide PDF exploits
  • A recently discovered PDF exploit used steganography technique to hide malicious JavaScript inside images which are embedded in PDF.
  • The PDF exploit obfuscation technique allows attackers to generate PDFs that can bypass detection from antivirus solutions.

Exploit detection firm EdgeSpot detected that the recently discovered PDF exploit used steganography to hide JavaScript inside images which are embedded in PDF. Researchers from EdgeSpot noted that this technique allows attackers to generate PDFs that can bypass detection from antivirus solutions.

Two obfuscation layers

A sample with file name ‘oral-b oxyjet spec.pdf’ which was submitted to VirusTotal was analyzed by EdgeSpot. The sample was detected as ‘exploit CVE-2013-3346’ by EdgeSpot reserachers. The researchers stated that the sample included two layers of obfuscation.

  • The first layer used two methods ‘this.getPageNumWords()’ and ‘this.getPageNthWord()’ to read and execute the Javascript hidden as ‘content’.
  • The second layer used steganography technique to hide the malicious code in stream-119.

PDF Javascript API

Attackers used ‘this.getIcon()’ and ‘util.iconStreamFromIcon()’ PDF JS APIs that, when working together, can read the stream of an image named as "icon" stored in the PDF file.

“By examining the above Javascript code, we figured out that the code’s function is to read and decode the ‘message’ hidden in the icon’s stream. Once it read the ‘message’ successfully, it will execute the ‘message’ as Javascript code, via ‘eval(msg)’. The icon stream named ‘icon’ in the object-131 could be saved as a ‘jpg’ file and viewed in image viewer without a problem,” EdgeSpot explained in a blog.

EdgeSpot researchers noted that attackers likely copied a technique called steganography which is open sourced and used this technique for the first time to hide PDF exploit.

“We were impressed by this technique, which is perfect for malicious code obfuscation for PDF exploits. By using this technique, all streams look normal, all images are viewable, everything looks legitimate. This can probably explain why almost all AV engines missed it,” EdgeSpot said.

EdgeSpot noted that this steganography technique could not only be used to obfuscate this PDF exploit (CVE-2013-3346) but could also be applied to many other PDF exploits including zero-days.

loader gif