SENTINELONE DETECTS NEW MALICIOUS PDF FILE
Documents have always been a popular attack vector. Documents, unlike executables, have been traditionally considered less suspicious and harmful. This concept made it easier for attackers using them to circumvent traditional security solutions. But, overtime and with the growing scripting and macro capabilities, documents became much more similar to executables, in a sense that they could run code, create processes and more. Recently, a new malicious PDF file was identified by ESET and Microsoft. Though it was not observed in the wild yet, it’s pretty dangerous as it exploits two previous zero day vulnerabilities: Remote code execution in Adobe Reader (CVE-2018-4990) and Privilege Escalation in Microsoft Windows (CVE-2018-8120).
The attack is carried out in 2 phases. First, a JS code that is embedded inside the PDF runs when the PDF is opened. The JS sets up a ROP chain that leads to execution of shellcode which is also embedded inside the PDF. The exploited vulnerability is CVE-2018-4990. The second phase is focused on breaking out of Adobe Reader Sandbox. It’s done by exploiting Microsoft Windows vulnerability tagged CVE-2018-8120.
Using the Behavioral AI Engine, SentinelOne agent is capable of detecting and blocking this type of malicious documents. By closely analyzing the attack behavior and monitoring the various operating system events generated through it, the engine detects an execution of shellcode and more distinct indications for malicious behavior. Watch this demo to see how it works.
Read the full post on SentinelOne blog
Contact us here at Mobisec for more details on how SentinelOne can help you protect your organization: firstname.lastname@example.org