Multiple threat actors are exploiting a design flaw in Foxit PDF Reader to deliver various malware strains such as Agent Tesla, AsyncRAT, DCRat, NanoCore RAT, NjRAT, Pony, Remcos RAT, and XWorm.
“This design flaw triggers security warnings that could mislead unsuspecting users into executing harmful commands,” Check Point stated in a technical report. “These exploits have been utilized by multiple threat actors, ranging from cybercriminals to espionage groups.”
It is important to note that Adobe Acrobat Reader, which is more commonly found in sandboxes or antivirus solutions, is not vulnerable to this specific exploit, which contributes to the campaign’s low detection rate.
The root of the problem is that the application pre-selects “OK” in the pop-up asking users whether to trust the document before certain features are enabled, a prompt meant to mitigate potential security risks.
Once a user clicks OK, a second pop-up warns that the file is about to execute additional commands, this time with the “Open” option set as the default. The command that then runs is used to download and execute a malicious payload hosted on Discord’s content delivery network (CDN).
“If there was any chance that the targeted user would read the first message, the second message would be ‘Agreed’ without further consideration,” explained security researcher Antonis Terefos.
“Threat actors are exploiting this flawed logic and common human behavior, leveraging the default choice that is potentially the most ‘harmful’ one.”
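A triage check for the documents described above, added here as an example and not code from Check Point or Foxit. It assumes (the article does not name the mechanism) that the “additional commands” travel as a PDF /Launch action with /F and /P entries, and it flags documents that auto-trigger such an action or point it at a shell or the Discord CDN; the sample PDFs are constructed with placeholder values.

```python
"""Triage scanner for PDFs carrying auto-executed external commands.

Assumption (not stated on the page): the command prompt Foxit shows is driven
by a /Launch action whose /Win dictionary holds /F (program) and /P (args).
"""
import re

LAUNCH_RE = re.compile(rb"/Launch\b")          # action type that runs a program
OPENACTION_RE = re.compile(rb"/OpenAction\b")  # fires when the document is opened
# /F and /P literal-string values inside the action dictionary
FIELD_RE = re.compile(rb"/(F|P)\s*\(((?:\\.|[^\\)])*)\)")
# Payload host named in the report plus common Windows launchers
SUSPICIOUS_RE = re.compile(rb"cdn\.discordapp\.com|cmd(\.exe)?|powershell|mshta", re.I)

# Constructed samples: one plain document, one with a /Launch placeholder chain
BENIGN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF\n"
SUSPECT = (
    b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
    b"3 0 obj\n<< /Type /Action /S /Launch /Win << /F (cmd.exe) "
    b"/P (/c PLACEHOLDER https://cdn.discordapp.com/PLACEHOLDER) >> >>\nendobj\n%%EOF\n"
)

def scan_pdf(data: bytes) -> dict:
    """Return raw findings: launch-action count, auto-open flag, suspicious /F and /P values."""
    findings = {
        "launch_actions": len(LAUNCH_RE.findall(data)),
        "auto_open": bool(OPENACTION_RE.search(data)),
        "suspicious_fields": [],
    }
    for key, val in FIELD_RE.findall(data):
        if SUSPICIOUS_RE.search(val):
            findings["suspicious_fields"].append((key.decode(), val.decode(errors="replace")))
    return findings

def verdict(findings: dict) -> str:
    """Escalate when a launch action is both auto-triggered and aimed at a shell or the CDN."""
    if findings["launch_actions"] and findings["suspicious_fields"]:
        return "malicious-likely" if findings["auto_open"] else "suspicious"
    if findings["launch_actions"]:
        return "review"  # any /Launch deserves a look, even with clean-looking arguments
    return "clean"

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, verdict(scan_pdf(blob)), scan_pdf(blob))
```

The regexes work on raw bytes, so a document that hides the action inside a compressed object stream will need decompression first; this is a first-pass filter, not a parser.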
Check Point discovered a military-themed PDF document that, when opened using Foxit PDF Reader, executed a command to fetch a downloader that then retrieved two executables to gather and upload data, including documents, images, archive files, and databases, to a command-and-control (C2) server.
Further analysis revealed that the downloader could also drop a third payload capable of capturing screenshots of the infected host, which were then uploaded to the C2 server. This activity, believed to be espionage-related, has been attributed to DoNot Team (also known as APT-C-35 and Origami Elephant).
Another instance involving the same technique uses a multi-stage process to deploy a stealer and two cryptocurrency miner modules, XMRig and lolMiner. Interestingly, some of the malicious PDF files are distributed via Facebook.
The Python-based stealer malware is designed to steal credentials and cookies from the Chrome and Edge browsers, with the miners sourced from a GitLab repository owned by a user named topworld20241. The repository, created on February 17, 2024, is still active.
In another case, a PDF file acts as a conduit to download Blank-Grabber from Discord CDN, an open-source information stealer available on GitHub. This particular version has been archived as of August 6, 2023.
“In another intriguing scenario, a malicious PDF contained a hyperlink to an attachment hosted on trello[.]com. Upon download, it revealed a secondary PDF file containing malicious code that exploits the Foxit Reader vulnerability,” Terefos added.
The infection chain ultimately leads to the deployment of Remcos RAT, with LNK files, an HTML Application (HTA), and Visual Basic scripts serving as intermediary stages.
The threat actor behind the Remcos RAT campaign, known as silentkillertv, who claims to be an ethical hacker with over 22 years of experience, has been observed promoting various malicious tools via a dedicated Telegram channel called silent_tools.
Check Point also identified .NET- and Python-based PDF builder services like Avict Softwares I Exploit PDF, PDF Exploit Builder 2023, and FuckCrypt that were used to create malware-infested PDF files. The DoNot Team reportedly utilized a .NET PDF builder that is freely available on GitHub.
The use of Discord, GitLab, and Trello highlights the ongoing trend of threat actors abusing legitimate platforms to blend in with normal traffic, evade detection, and distribute malware. Foxit has acknowledged the issue and is expected to release a fix in version 2024.3. The current version is 2024.2.1.25153.
“While this ‘exploit’ may not fit the traditional definition of malicious activities, it can be seen as a form of ‘phishing’ or manipulation targeted at Foxit PDF Reader users, enticing them to habitually click ‘OK’ without fully understanding the risks involved,” Terefos noted.
“The high success rate of infection and low detection rate allow PDFs to be distributed through unconventional channels, such as Facebook, without triggering detection mechanisms.”