“Flawed” Foxit PDF Reader design leaves users vulnerable to exploit


A PDF exploit is roaming the wild, mainly targeting Foxit Reader users, Check Point Research has discovered. By triggering security warnings, unsuspecting users could be deceived into executing harmful commands.

Many threat actors already have been utilizing the exploit, which takes advantage of the “flawed design of warning messages in Foxit Reader.”

When the user opens an altered PDF file, the exploit triggers a security warning. If a careless user proceeds twice with the default options, which are the most harmful, the exploit downloads and executes a payload from a remote server.

ADVERTISEMENT

“The infection success and the low detection rate allows malicious PDFs to be distributed via many untraditional ways, such as Facebook, without being stopped by any detection rules,” researchers said.

foxit-alert

The uses for the exploit range from espionage campaigns to e-crime with multiple links and tools, achieving impressive attack chains.

In one instance, the threat actor, labeled APT-C-35 / DoNot Team, obtained the capability of performing hybrid campaigns targeting Windows and Android devices, “which also resulted in a Two Factor Authentication (2FA) bypass.”

“This exploit has also been used by various Cyber-crime actors distributing the most prominent malware families such as VenomRAT, Agent-Tesla, Remcos, NjRAT, NanoCore RAT, Pony, Xworm, AsyncRAT, DCRat,” researchers said.

In one malicious campaign, Check Point followed the links distributed via Facebook, which resulted in a long attack chain, finally dropping an info stealer and two crypto miners. Another campaign was performed by the threat actor @silentkillertv, who utilized two chained PDF files, one was hosted on a legitimate website, trello.com

“Check Point obtained multiple builders that actors possess which create malicious PDF files taking advantage of this exploit. The majority of the collected PDFs were executing a PowerShell command which was downloading a payload from a remote server and then executing, though on some occasions other commands were used,” the report reads.

Researchers classify this PDF exploit as a form of phishing or social engineering towards Foxit PDF Reader users rather than classic malicious activity. Malicious actors need to coax users into habitually clicking “OK” without understanding the potential risks involved.

ADVERTISEMENT

Foxit Reader acknowledged the issue and stated to Check Point that it would be resolved in version 2024 3. Meanwhile, users are advised to be aware and exercise caution when opening PDF files from unknown sources.