Hackers exploited Foxit PDF Reader vulnerability
Multiple threat actors are exploiting a flaw in Foxit PDF Reader to distribute a range of malware families, including Agent Tesla, AsyncRAT, DCRat, NanoCore RAT, NjRAT, Pony, Remcos RAT, and XWorm.
“This exploit triggers security warnings that can deceive unsuspecting users into executing harmful commands,” Check Point stated in a technical report. “It has been leveraged by multiple threat actors, from cybercrime to spyware.”
It is worth noting that Adobe Acrobat Reader, which is widely deployed in sandbox or antivirus solutions, is not vulnerable to this particular exploit. This contributes to the campaign’s low detection rate.
The issue lies in the application presenting “OK” as the default option in the pop-up that asks users whether to trust the document before enabling certain features that carry potential security risks.
Once the user clicks OK, a second pop-up warns that the file is about to execute additional commands, and here “Open” is the default option. The command that is then allowed to run downloads and executes a malicious payload hosted on the Discord content delivery network (CDN).
“If there was a chance the target user would read the first message, the second would already be ‘Agreed’ without further analysis,” said security researcher Antonis Terefos.
“This is a case where threat actors exploit this flawed logic and common human behavior, which, as a default option, provides the most harmful outcome.”
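As an added illustration from the defender's side (not code from Check Point or the article), a first-pass triage script that flags PDFs carrying the kind of action that makes Foxit show its “execute command” prompts. It assumes those prompts are raised by standard PDF Launch actions (the /Launch action dictionary, here in a constructed sample PDF); compressed object streams and real-world obfuscation are out of scope, so a production check would use a full PDF parser.

```python
import re
from typing import Dict, List

# Constructed test input (not a real sample): a minimal PDF whose document-open
# action is a Launch action that starts a command interpreter. Assumption: the
# Foxit prompts described in the article are triggered by exactly this action type.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /Type /Action /S /Launch /Win << /F (cmd) "
    b"/P (/c echo constructed-sample) >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Byte-level patterns: enough for uncompressed action dictionaries, which is
# what a quick triage pass needs before handing the file to a real parser.
LAUNCH_RE = re.compile(rb"/S\s*/Launch\b")
STRING_RE = re.compile(rb"/(F|P)\s*\(((?:\\.|[^\\)])*)\)", re.S)
AUTO_TRIGGER_RE = re.compile(rb"/(OpenAction|AA)\b")  # runs without a click
SHELL_HINTS = (b"cmd", b"powershell", b"mshta", b"wscript", b"cscript")


def find_launch_actions(pdf: bytes) -> List[Dict[str, bytes]]:
    """Return one record per /Launch action with its /F target and /P parameters."""
    actions = []
    for m in LAUNCH_RE.finditer(pdf):
        # Bound the search to the enclosing object: from the match to the next 'endobj'.
        end = pdf.find(b"endobj", m.end())
        chunk = pdf[m.start(): end if end != -1 else m.end() + 2048]
        rec = {"file": b"", "params": b""}
        for key, val in STRING_RE.findall(chunk):
            rec["file" if key == b"F" else "params"] = val
        actions.append(rec)
    return actions


def triage(pdf: bytes) -> dict:
    """Summarise why a PDF would raise Foxit's 'execute command' prompts."""
    actions = find_launch_actions(pdf)
    auto = AUTO_TRIGGER_RE.search(pdf) is not None
    shell = any(h in (a["file"] + b" " + a["params"]).lower()
                for a in actions for h in SHELL_HINTS)
    verdict = "suspicious" if actions and (auto or shell) else ("review" if actions else "clean")
    return {"launch_actions": actions, "auto_trigger": auto, "shell_target": shell, "verdict": verdict}


if __name__ == "__main__":
    print(triage(SAMPLE_PDF))
```

Any hit on a Launch action is worth a look even without the shell hint, since the second prompt is what the article describes users clicking through.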
Check Point said it identified a military-themed PDF document that, when opened in Foxit PDF Reader, executed a command that fetched a downloader. The downloader in turn retrieved two executables that collect documents, images, archives, and database files and upload them to a command-and-control (C2) server.
Further analysis of the attack chain showed that the downloader could also install a third payload, which takes screenshots of the infected host and uploads them to the C2 server.
The activity, believed to be espionage-oriented, has been linked to the DoNot team (also known as APT-C-35 and Origami Elephant), citing overlaps with previous tactics and techniques associated with the threat actor.
Another instance using the same technique involves a multi-stage process that deploys a stealer and two cryptocurrency mining modules, XMRig and lolMiner. Notably, some of the malicious PDF files are distributed via Facebook.
The Python-based stealing malware is designed to steal credentials and cookies from victims’ Chrome and Edge browsers. The miners are retrieved from a GitLab repository belonging to a user named topworld20241. The repository, created on February 17, 2024, remains active at the time of writing.
In another case recorded by the cybersecurity firm, a PDF file acts as a downloader that retrieves its payload from the Discord CDN. That payload is Blank-Grabber, an open-source information stealer available on GitHub whose repository has been archived since August 6, 2023.
“Another interesting case was when a malicious PDF contained a link to a file hosted on trello[.]com,” said Antonis Terefos. “Upon downloading, it revealed a secondary PDF with malicious code, exploiting Foxit Reader users’ vulnerability.”
The infection path culminates in the delivery of Remcos RAT, but only after passing through a series of intermediary stages built from LNK files, HTML applications (HTA), and Visual Basic scripts.
The threat actor behind the Remcos RAT campaign, who goes by the name silentkillertv and claims to be an ethical hacker with over 22 years of experience, has been observed advertising various malicious tools via a dedicated Telegram channel called silent_tools, including crypters and Foxit PDF Reader exploit kits. The channel was created on April 21, 2022.
Check Point also noted the presence of .NET and Python-based PDF creation services like Avict Softwares I Exploit PDF, PDF Exploit Builder 2023, and FuckCrypt used to generate malware-laden PDF files. The DoNot team is said to have used a .NET PDF generator available for free on GitHub.
The use of Discord, GitLab, and Trello highlights the ongoing abuse of legitimate sites by malicious actors, who rely on them to blend in with normal web traffic, evade detection, and distribute malware. Foxit has acknowledged the issue and said it will ship a fix in version 2024.3; the current version is 2024.2.1.25153.
“While this exploit does not align with the classic definition of triggering malicious activities, it can more accurately be categorized as a form of phishing or manipulation of Foxit PDF Reader users. It often prompts users to click ‘OK’ without understanding the potential risks,” noted Antonis Terefos.
“The success of the infection and the low detection rate allow the distribution of PDF files in various non-traditional ways, such as via Facebook, without being hindered by detection rules.”