Minerva Labs Blog

Does Acrobat Reader Unload Injection of Security Products?

Since March 2022 we have seen a gradual uptick in Adobe Acrobat Reader processes attempting to find out which security product DLLs are loaded into them, by acquiring a handle to each DLL. The significant rise over recent months caught our attention, as this is very unusual behavior for Adobe.

The requests originated from libcef.dll, a Chromium Embedded Framework (CEF) dynamic link library used by many programs, which was indeed updated in March 2022.

 

Inside this DLL you can find a long list of hardcoded DLL names:

Figure 1. Partial hard-coded DLL list - libcef.dll

The full list can be found at the end of the post.

The basic documentation for the Chromium DLL contains a short list of DLLs that Chromium has blacklisted for causing conflicts.

Figure 2. Hardcoded blacklist by Chromium

 

However, any vendor that uses libcef.dll can easily change this DLL list. The hard-coded DLL list in the Adobe libcef.dll version we checked had been edited: it was surprisingly longer and also contained the DLLs of the following security products:

  1. Trend Micro
  2. BitDefender  
  3. AVAST  
  4. F-Secure 
  5. McAfee 
  6. 360 Security 
  7. Citrix 
  8. Symantec 
  9. Morphisec 
  10. Malwarebytes 
  11. Checkpoint 
  12. Ahnlab 
  13. Cylance 
  14. Sophos 
  15. CyberArk 
  16. Citrix 
  17. BullGuard 
  18. Panda Security 
  19. Fortinet 
  20. Emsisoft 
  21. ESET 
  22. K7 TotalSecurity 
  23. Kaspersky 
  24. AVG 
  25. CMC Internet Security 
  26. Samsung Smart Security ESCORT 
  27. Moon Secure 
  28. NOD32 
  29. PC Matic 
  30. SentryBay 
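The check a practitioner will want at this point is whether the libcef.dll on a given endpoint carries this list at all. The PowerShell script below is an added example, not Adobe's or Minerva's code: it reads a libcef.dll, prints its file version so builds can be compared, and reports which of the DLL names from the list at the end of this post occur as strings inside the image. The parameter names, the function name and the built-in sample of names are mine; the names themselves are copied from the post. It assumes the names are stored as plain ASCII or UTF-16LE strings and that the full list has been saved one name per line in a text file.

```powershell
# Added example (not Adobe's or Minerva's code). Reports which names from the
# DLL list at the end of this post occur as strings inside a libcef.dll, and
# prints the file version so different builds can be compared.
# Assumptions: names are stored as ASCII or UTF-16LE strings; the full list has
# been saved one name per line in a text file (a few names are built in).
param(
    [Parameter(Mandatory = $true)][string]$LibcefPath,
    [string]$ListPath
)

# A handful of names copied from the post's list, used when -ListPath is omitted.
$builtInNames = @(
    'TmUmEvt.dll', 'bdhkm64.dll', 'aswhook.dll', 'fshook32.dll',
    'mfaphook64.dll', 'snxhk64.dll', 'mbae64.dll', 'swi_ifslsp_64.dll'
)

function Get-BlocklistHits {
    param([byte[]]$Bytes, [string[]]$Names)

    # Three text views of the image: ASCII, and UTF-16LE starting at byte 0 and
    # at byte 1 (a wide string at an odd offset only decodes in the second view).
    # Non-text bytes become junk characters that never match a DLL name.
    $views = @(
        [pscustomobject]@{ Encoding = 'ASCII';    Text = [System.Text.Encoding]::ASCII.GetString($Bytes) },
        [pscustomobject]@{ Encoding = 'UTF-16LE'; Text = [System.Text.Encoding]::Unicode.GetString($Bytes) },
        [pscustomobject]@{ Encoding = 'UTF-16LE'; Text = [System.Text.Encoding]::Unicode.GetString($Bytes, 1, $Bytes.Length - 1) }
    )

    foreach ($name in $Names) {
        # Require a non-identifier character before the name so that, e.g.,
        # 'vh.dll' does not count as a hit inside 'uvh.dll'.
        $pattern = '(?<![A-Za-z0-9_])' + [regex]::Escape($name)
        $hits = $views |
                Where-Object { [regex]::IsMatch($_.Text, $pattern, 'IgnoreCase') } |
                Select-Object -ExpandProperty Encoding -Unique
        if ($hits) {
            [pscustomobject]@{ Name = $name; Encoding = ($hits -join ',') }
        }
    }
}

if ($ListPath) {
    $names = Get-Content -LiteralPath $ListPath | ForEach-Object { $_.Trim() } | Where-Object { $_ }
} else {
    $names = $builtInNames
}
$names = @($names)

$file  = Get-Item -LiteralPath $LibcefPath
$bytes = [System.IO.File]::ReadAllBytes($file.FullName)
$found = @(Get-BlocklistHits -Bytes $bytes -Names $names)

"{0}  FileVersion={1}  ProductVersion={2}" -f $file.FullName, $file.VersionInfo.FileVersion, $file.VersionInfo.ProductVersion
"{0} of {1} listed names present" -f $found.Count, $names.Count
$found | Format-Table -AutoSize
```

Run it as `.\Check-LibcefList.ps1 -LibcefPath 'C:\path\to\libcef.dll' -ListPath .\dll-list.txt`. libcef.dll is large, so the three decoded views take several hundred megabytes of memory for the duration of the scan; a build that predates the March 2022 update should report far fewer hits than one that contains it.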

The Libcef.dll loading process

Libcef.dll is loaded by two Adobe processes: AcroCEF.exe and RdrCEF.exe. Both of these files are “handling multiple integral aspects of the application, such as network interaction and Document Cloud services (Fill and Sign, Send for Signature, Share for View/Review, and so on)”. As both use the same DLL, we found that both check for the security products mentioned above.

To better understand what happens to the injected DLL, we took a deeper dive into parts of the Chromium Embedded Framework DLL source code.

It appears that a registry key is used to determine whether or not to check for the injected DLLs. In Adobe Reader’s case it is “SOFTWARE\Adobe\Adobe Acrobat\DC\DLLInjection\bBlockDllInjection”. The registry key is created on the first run of Adobe Reader and is set by default to ‘0’. The key is usually located in the HKEY_CURRENT_USER registry hive, which is accessible and editable by the user, so anyone can change the key. When “bBlockDllInjection” is set to ‘1’, libcef.dll will perform a loaded DLL check.

Given the registry key name bBlockDllInjection, and looking at the CEF documentation, we can assume that the blacklisted DLLs are designated to be unloaded. We also found a post on the Citrix blog a few months ago, in which they mention: "Adobe suggested to disable DLL-injection for Acrobat and Reader. You need .. the newest version for this. Adobe had a lot of trouble with DLL injection from some AV vendors."

 

It is worth mentioning that this key is set after every Acrobat Reader execution. We spotted that in most cases it is set by default to ‘0’; however, in other, rare cases it is set to ‘1’. The default value, we assume, depends on the endpoint environment, the version of Acrobat, and other local environmental properties.
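Because the value is rewritten on every run and lives in a user-writable hive, an analyst will want to see its current state on an endpoint rather than rely on the default. The PowerShell script below is an added example, not Adobe's code: it reports the bBlockDllInjection setting for every loaded user hive and for the machine hive. The post documents the key under HKEY_CURRENT_USER; looking in every hive under HKEY_USERS and under HKLM (including the WOW6432Node view) is an assumption added here for completeness, and bBlockDllInjection is treated as a DWORD value under the DLLInjection key. The function name is mine.

```powershell
# Added example (not Adobe's code). Reports the current bBlockDllInjection
# setting for every loaded user hive and for the machine hive, so an analyst
# can see whether libcef.dll's loaded-DLL check is enabled anywhere on the box.
# The post documents the key under HKEY_CURRENT_USER; checking every loaded
# hive under HKEY_USERS and HKLM (including WOW6432Node) is an assumption
# added here. bBlockDllInjection is treated as a DWORD value under the
# DLLInjection key (0 = check off, 1 = check on, per the post).
$valueName = 'bBlockDllInjection'
$subKey    = 'SOFTWARE\Adobe\Adobe Acrobat\DC\DLLInjection'

function Get-AcrobatDllInjectionSetting {
    param([string]$KeyPath)   # full provider path, e.g. 'Registry::HKEY_USERS\S-1-5-21-...\SOFTWARE\...'

    if (-not (Test-Path -LiteralPath $KeyPath)) {
        return [pscustomobject]@{ Key = $KeyPath; Value = $null; Meaning = 'key absent' }
    }
    $raw = (Get-ItemProperty -LiteralPath $KeyPath -ErrorAction SilentlyContinue).$valueName
    if ($null -eq $raw)  { $meaning = 'value absent' }
    elseif ($raw -eq 0)  { $meaning = 'loaded-DLL check off' }
    elseif ($raw -eq 1)  { $meaning = 'loaded-DLL check ON' }
    else                 { $meaning = 'unexpected value' }
    [pscustomobject]@{ Key = $KeyPath; Value = $raw; Meaning = $meaning }
}

# One key path per loaded user hive (skipping the *_Classes hives), plus the
# machine hive in both its native and WOW6432Node views.
$keyPaths = @(
    Get-ChildItem -Path 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)\$subKey" }
)
$keyPaths += "Registry::HKEY_LOCAL_MACHINE\$subKey"
$keyPaths += "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Adobe\Adobe Acrobat\DC\DLLInjection"

$keyPaths | ForEach-Object { Get-AcrobatDllInjectionSetting -KeyPath $_ } | Format-Table -AutoSize -Wrap
```

Only hives of users who are currently logged on appear under HKEY_USERS, so run this in the context of the sessions you care about, and repeat it after Reader has been launched, since the post notes the value is set again on every execution.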

 

The outcome of Adobe blocking DLL injection by security modules could potentially be catastrophic. When a security product is not injected into a process, it effectively loses any visibility it has into that process, which hinders detection and prevention capabilities inside the process and inside every child process it creates. Actions performed by the Adobe processes, and by the processes they create, would be much harder to monitor, as would determining their context. It would be easy enough for a threat actor to add a command in the ‘OpenAction’ section of a PDF, which can then execute PowerShell, which could, for example, download the next-stage malware and execute it reflectively. None of these actions would be detected if the security product hooks are missing.
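The visibility gap described above applies to telemetry that depends on a DLL inside the Adobe process. Telemetry collected from the kernel, such as Sysmon process-creation events, is unaffected by a loaded-DLL check, and the PowerShell script below is an added example (not Minerva's or Adobe's code) of using it to list processes started by the Acrobat processes named in this post. It assumes Sysmon is installed with Event ID 1 logging enabled; AcroRd32.exe and Acrobat.exe are the Reader and Acrobat front-end processes, added here alongside the AcroCEF.exe and RdrCEF.exe the post names; the function name, parameter and the list of script hosts to flag are mine.

```powershell
# Added example (not Minerva's or Adobe's code). Lists processes started by the
# Acrobat processes discussed in this post, using Sysmon process-creation
# events (Event ID 1). Sysmon records these from its kernel driver, not from a
# DLL injected into the process, so this view survives libcef.dll's
# loaded-DLL check. Assumes Sysmon is installed with Event ID 1 enabled.
# AcroRd32.exe and Acrobat.exe are added here; the post names AcroCEF.exe and
# RdrCEF.exe.
param([int]$Hours = 24)

$acrobatParents = @('AcroCEF.exe', 'RdrCEF.exe', 'AcroRd32.exe', 'Acrobat.exe')
# Interpreters whose appearance as an Acrobat child deserves a closer look (the
# post mentions PowerShell); these are flagged, not filtered out.
$scriptHosts = @('powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe')

function Get-AcrobatChildProcesses {
    param([int]$Hours)

    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 1
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # SilentlyContinue: Get-WinEvent reports an error when no events match.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Flatten the <Data Name="...">value</Data> elements into a hashtable.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $parent = [System.IO.Path]::GetFileName($data['ParentImage'])
        $child  = [System.IO.Path]::GetFileName($data['Image'])
        if ($acrobatParents -contains $parent) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Parent      = $parent
                Child       = $child
                ScriptHost  = ($scriptHosts -contains $child)
                CommandLine = $data['CommandLine']
            }
        }
    }
}

Get-AcrobatChildProcesses -Hours $Hours |
    Sort-Object ScriptHost, Time -Descending |
    Format-Table Time, Parent, Child, ScriptHost, CommandLine -AutoSize -Wrap
```

Reader's own helper processes will show up as children of one another (RdrCEF.exe launching further RdrCEF.exe instances is normal), which is why the output is sorted with the ScriptHost column first rather than suppressing anything.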

We contacted Adobe for comment, and they answered that this is due to “incompatibility with Adobe Acrobat’s usage of CEF, a Chromium based engine with a restricted sandbox design, and may cause stability issues”.

Implications of findings 

It would appear that what is effectively happening here is that a very widespread piece of legitimate software is checking whether any security products are present in the environment, and perhaps even blocking them from injecting into the process. This behavior is all too common among evasive malicious software, which tries to stay “under the radar” and execute its attack only once it has determined that it won’t be caught. The most devastating attacks start by scanning the environment to ensure they can gain a strong foothold in the network.

We were initially concerned that this could be the start of a supply chain attack. This is the biggest concern with this kind of behavior and is exactly how large-scale attacks like the SolarWinds attack started: the software suddenly started behaving differently than usual and making seemingly unnecessary and suspicious queries. This, however, does not seem to be the case here.

It would appear that Adobe has chosen an approach which solves an immediate compatibility issue but could create new issues from a security perspective. Instead of directly mitigating compatibility issues with security software, our opinion is that they are trying to mitigate these issues by simply preventing the interfering software from affecting the process, even when it is a security process designated to protect the system from malicious attack.

This, to us, is a prime example of a large enterprise company with a multi-million-strong install base prioritizing convenience and essentially inserting malware-like behavior into its software instead of working to actually solve the issue at hand. This type of behavior legitimizes suspicious behavior and creates “noise” that makes it more difficult to differentiate between bad actors and companies that don't prioritize ensuring their software doesn’t appear malicious. This type of behavior should be mitigated: if it becomes mainstream, it could make it all too easy for malicious software to query and identify whether or not it is in an environment in which it can be detected.

Enterprises need to take responsibility for how they build their software and the implications it can have on the community as a whole. 

 

Minerva Armor blocks this type of malicious behavior 

We were able to detect this suspicious behavior because Minerva Armor’s Hostile Environment Simulation controls how software perceives its environment: it not only intercepts all queries made to the OS, but also controls the answers given to the process. In this particular case, had the process been malicious, Minerva Armor would have answered that all the security tools in the query were indeed running, regardless of whether they really were, making the malicious software think it was in danger of being detected. Providing just one answer that the malware doesn't want to hear is often enough to break its execution logic and cause it to shut down.

Figure 3. One of the many security tool query events triggered by Adobe Acrobat on Minerva Armor

 

Full list of DLL queries:

 

TmUmEvt.dll 

zbrcom32.dll 

touchoph.dll 

psnmvcomm64.dll 

tmmon.dll 

vh.dll 

touchoph64.dll 

psnmvhookplg64.dll 

TmUmEvt64.dll 

vh64.dll 

eplgie.dll 

boshiamytip.dll 

tmmon64.dll 

cymemdef.dllcymemdef64.dll 

ismcfilehook86.dll 

bushell.dll 

atcuf32.dll 

dellinc.alienwaresoundcent 

cdakeymonitor.dll 

efacli.dll 

avcuf32.dll 

ahimicosd.dll 

cdakeymonitor64.dll 

efacli64.dll 

bdhkm32.dll 

viewh.dll 

icfhklib.dll 

memshellhook.dll 

bdhkm64.dll 

viewh64.dll 

k7oeplgn.dll 

k_fps32.dll 

gemmauf32.dll 

64hooks.dll 

k7crvr.dll 

k_fps64.dll 

gemmauf64.dll 

pdivx32.dll 

k7crvr64.dll 

cbfsconnectnetrdr207.dll 

aswhook.dll 

pggNT.dll 

astmc.dll 

dellinc.alienwaresoundcen 

fshook32.dll 

phooks.dll 

astmcuser.dll 

nahimicosd.dll 

fshook64.dll 

rndlpepperbrowserrecordhel 

hookpcfilterfo.dll 

productinfo.dll 

snxhk.dll 

rpchromebrowserrecordhelpe 

hookpcfilterfo64.dll 

nviewh.dll 

snxhk64.dll 

smum32.dll 

hydradmh.dll 

nviewh64.dll 

dpofeedb.dll 

smumhook.dll 

hydradmh64.dll 

a2hooks32.dll 

epmpapi.dll 

ssldivx.dll 

ssohook.dll 

a2hooks64.dll 

epmpthe.dll 

syncor.dll 

ssohook64.dll 

ss3devprops.dll 

hiphandlers.dll 

systools.dll 

bhohook.dll 

slagent.dll 

hiphandlers64.dll 

tfwah.dll 

bhohook64.dll 

antiexploitcore.dll 

rooksbas.dll 

wblind.dll 

jhohook.dll 

antiexploitcore64.dll 

rooksbas_x64.dll 

wbhelp.dll 

jhohook64.dll 

appenablerhook.dll 

safewrapper32.dll 

windowsapihookdll32.dll 

adialhk.dll 

vscbthdlr.dll 

safewrapper64.dll 

windowsapihookdll64.dll 

acpiz.dll 

flexhook32.dll 

safemon.dll 

winstylerthemehelper.dll 

activedetect32.dll 

flexhook64.dll 

safemon64.dll 

hookterminateapis.dll 

activedetect64.dll 

ss32.dll 

libzdtp.dll 

hookprintapis.dll 

airfoilinject3.dll 

atok3tip.dll 

libzdtp64.dll 

imon.dll 

akinsofthook32.dll 

psnmvhookms64.dll 

mfaphook.dll 

icatcdll.dll 

assistant_x64.dll 

psnmvtools64.dll 

mfaphook64.dll 

icdcnl.dll 

atcuf64.dll 

rndlpepperbrowserrecordhe 

ctxmfplugin.dll 

ioloHL.dll 

avcuf64.dll 

rpchromebrowserrecordhelp 

ctxmfplugin64.dll 

kloehk.dll 

avgrsstx.dll 

r3hook.dll 

ctxgraphicshelper.dll 

lawenforcer.dll 

babylonchromepi.dll 

sahook.dll 

ctxgraphicshelper64.dll 

libdivx.dll 

btkeyind.dll 

sbrige.dll 

mmhook.dll 

lvprcinj0.dll 

cmcsyshk.dll 

sc2hook.dll 

mmhook64.dll 

madchook.dll 

cmsetac.dll 

sdhook32.dll 

sfrhook.dll 

mdnsnsp.dll 

cooliris.dll 

sguard.dll 

sfrhook64.dll 

mdnsnsp64.dll 

cplushook.dll 

mlsah64.dll 

clpbm.dll 

moonsysh.dll 

dockshellhook.dll 

rooksdol.dll 

wmchook7.dll 

mpk.dll 

easyhook32.dll 

supershieldhookcpy32.dll 

wmchook.dll 

n64hooks.dll 

easyhook64.dll 

supershieldhookcpy64.dll 

wmchook64.dll 

npdivx32.dll 

esspd.dll 

cyntfmihyblxa.dll 

psnmvhookms32.dll 

npggNT.des 

googledesktopnetwork3.dll 

cyknphdojqhqz.dll 

psnmvtools32.dll 

npggNT.dll 

fwhook.dll 

screensplitterhook.dll 

psnmvcomm32.dll 

nphooks.dll 

guard64.dll 

apihookmanager64.dll 

psnmvhookplg32.dll 

oawatch.dll 

hookprocesscreation.dll 

audiodevprops2.dll 

protector32.dll 

pastali32.dll 

wchook.dll 

zvfort32.dll 

protector64.dll 

pavhook.dll 

fullscreenhook.dll 

zvfort64.dll 

onedrivesynchook.dll 

pavlsphook.dll 

fullscreenhook64.dll 

exploitprotection.dll 

onedrivesynchook64.dll 

pavshook.dll 

shellhook.dll 

exploitprotection64.dll 

idmmkb.dll 

pavshookwow.dll 

shellhook64.dll 

cymemdef.dllcymemdef64.dl 

cpmsi.dll 

pctavhook.dll 

scardhook.dll 

agact.dll 

cpadvai.dll 

pctgmhk.dll 

scardhook64.dll 

clpbm64.dll 

cpadvai64.dll 

picrmi32.dll 

twnhook.dll 

prntm.dll 

cpwinet.dllcpcrypt.dll 

picrmi64.dll 

twnhook64.dll 

prntm64.dll 

cpcrypt64.dll 

prntrack.dll 

bgagent.dll 

mlsah32.dll 

cpwinet.dll 

prochook.dll 

btmmhook.dll 

rlhook.dll 

astmc32.dll 

protector.dll 

fcagdimp.dll 

manualnewword.dll 

dokowhel.dll 

radhslib.dll 

arelliaacssehook32.dll 

fcagcbh32.dll 

fcagpph32.dll 

radprlib.dll 

arelliaacssehook64.dll 

epclient32.dll 

fcagpph64.dll 

rapportnikko.dll 

ashshell.dll 

epclient64.dll 

mbae.dll 

mbae64.dll 

tenxwguard32.dll 

tenxwguard64.dll 

antex_iswwh.dll 

antex_dll.dll 

nzbrcom32.dll 

cylancememdef.dll 

cylancememdef64.dll 

pghook.dll 

skyprint.dll 

logcmdhook64.dll 

swi_ifslsp.dll 

uvh.dll 

skyprint64.dll 

saveushk.dll 

swi_ifslsp_64.dll 

uvh64.dll 

logcmdhook.dll 

saveushk64.dll 

logpostdetector.dll 

mloghook.dll 

logftp.dll 

logcdwritehook.dll 

logpostdetector64.dll 

mloghook64.dll 

logftp64.dll 

logcdwritehook64.dll 

sfdp_detours32.dll 

sfdp_detours64.dll 

jwdsrch.dll 

 

 

Resources:

https://chromium.googlesource.com/chromium/src/+/fc2a68691965e47dfbaef43bdd88a95d044941ac/chrome/chrome_elf/third_party_dlls/hardcoded_blocklist.cc#20