Skip links

Adobe Creative Cloud Experience makes malware easier to hide

Adobe Creative Cloud Experience, a service installed via the Creative Cloud installer for Windows, includes a Node.js executable that’s useable as part of an attack chain.

Michael Taggart, a security researcher, recently demonstrated that the node.exe instance accompanying Adobe’s service could be abused by writing a simple proof-of-concept JavaScript file that spawns the Windows Calculator app.

“I have confirmed that the node.exe packaged with the Adobe Customer Experience service can run any JavaScript you point it to,” he explained to The Register.

“So the attack chain may look like an installer or zip file that drops [a JavaScript file], or even a macro that drops JavaScript in a user-writable directory, then invokes Adobe’s own node.exe for execution.”

Security researchers commenting on Taggart’s finding said they’d been under the impression the bundled Node runtime would only execute files signed by Adobe, but evidently that’s not the case.

The presence of an unrestricted instance of Node.js on a system isn’t as severe as a backdoor or internet-facing flaw that enables remote code execution – an attacker without some other vulnerability to exploit would need to induce the victim to download and run the script. But its availability does make it easier to mount an attack and to conceal that anyone has done so.

“Because the JavaScript is getting invoked by path in C:\Program Files, it would be extremely difficult to detect from a monitoring/threat hunting perspective,” explained Taggart, who added that he was able to get his own custom file dropper to run and execute a command-and-control agent without any warning from Windows Defender.

In other words, the primary benefit of abusing node.exe in this way would be to run unsigned code in a way that isn’t obvious to threat detection systems.

Curiously, this is not the first time concerns have been raised about Creative Cloud Experience. An Adobe customer posting to the Adobe Support Community post in February notes, “My protection program on my PC detected the folder Adobe Creative Cloud Experience, e.g. node.exe, as security risk.” The advice given is to simply ignore the warnings.

Then there’s a post from December, 2021, in which an Adobe customer inquires about Malwarebytes security software detecting a suspicious outbound connection from the node.exe instance within Creative Cloud Experience.

The presence of node.exe in other Adobe applications like Photoshop has also elicited concern from those presented with warnings about the executable from their security applications. A discussion spanning the past three years in the forum for Acronis, a security application, suggests warnings raised over the presence of node.exe are false positives and that users should tell their apps to ignore such files.

The Register asked Adobe whether it considers the ability to run unsigned code systems via Creative Cloud Experience’s node.exe to be a problem, but we’ve not heard back. ®