{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/file-replacement/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Adobe Acrobat Reader"],"_cs_severities":["low"],"_cs_tags":["persistence","adobe","file-replacement"],"_cs_type":"advisory","_cs_vendors":["Adobe"],"content_html":"\u003cp\u003eThis threat focuses on the potential hijacking of Adobe Acrobat Reader by replacing its \u003ccode\u003eRdrCEF.exe\u003c/code\u003e executable with a malicious file. This technique allows attackers to establish persistence on a compromised system. When a user launches Adobe Acrobat Reader, the replaced \u003ccode\u003eRdrCEF.exe\u003c/code\u003e is executed, granting the attacker continued access. This is a potential persistence mechanism which could allow for the deployment of malware, exfiltration of data, or further compromise of the system. The original detection rule was created in February 2020 and has been updated multiple times with the last update on April 7, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system, potentially through exploiting a vulnerability or social engineering.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the location of the \u003ccode\u003eRdrCEF.exe\u003c/code\u003e file within the Adobe Acrobat Reader installation directory (e.g., \u003ccode\u003eC:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker replaces the legitimate \u003ccode\u003eRdrCEF.exe\u003c/code\u003e file with a malicious executable. This could involve renaming the original file and placing the malicious file in its place, or overwriting the original file directly.\u003c/li\u003e\n\u003cli\u003eThe attacker ensures the malicious executable has the same name as the original \u003ccode\u003eRdrCEF.exe\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eA user launches Adobe Acrobat Reader.\u003c/li\u003e\n\u003cli\u003eThe operating system executes the \u003ccode\u003eRdrCEF.exe\u003c/code\u003e file as part of Adobe Acrobat Reader's startup process.\u003c/li\u003e\n\u003cli\u003eBecause the file has been replaced with a malicious executable, the attacker's code is executed.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistent access to the system and can perform further actions such as deploying malware or exfiltrating data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this technique allows attackers to maintain persistence on compromised systems. This can lead to the deployment of ransomware, exfiltration of sensitive data, or further exploitation of the system. The severity is low, but impact can be high, if the adversary uses this technique to gain further access to the compromised system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Adobe Acrobat Reader Hijack for Persistence\u0026quot; to your SIEM to detect the replacement of the RdrCEF.exe file.\u003c/li\u003e\n\u003cli\u003eMonitor file creation events in the Adobe Acrobat Reader installation directories for suspicious executables using Sysmon or another EDR solution.\u003c/li\u003e\n\u003cli\u003eRegularly audit file integrity within the Adobe Acrobat Reader installation directory to identify unauthorized modifications.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules or other detection mechanisms to determine if a system has been compromised.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T18:22:00Z","date_published":"2024-01-02T18:22:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-adobe-hijack-persistence/","summary":"Attackers can maintain persistence by replacing the legitimate RdrCEF.exe file, used by Adobe Acrobat Reader, with a malicious executable that will be launched upon execution of Adobe Acrobat Reader.","title":"Adobe Acrobat Reader Hijack for Persistence","url":"https://feed.craftedsignal.io/briefs/2024-01-adobe-hijack-persistence/"}],"language":"en","title":"CraftedSignal Threat Feed - File-Replacement","version":"https://jsonfeed.org/version/1.1"}