Foxit PDF Reader Flaw Exploited by Hackers to Deliver Diverse Malware Arsenal

Multiple threat actors are weaponizing a design flaw in Foxit PDF Reader to deliver a variety of malware such as Agent Tesla, AsyncRAT, DCRat, NanoCore RAT, NjRAT, Pony, Remcos RAT, and XWorm.

“This exploit triggers security warnings that could deceive unsuspecting users into executing harmful commands,” Check Point said in a technical report. “This exploit has been used by multiple threat actors, from e-crime to espionage.”

It is worth noting that Adobe Acrobat Reader – which is more prevalent in sandboxes or antivirus solutions – is not susceptible to this specific exploit, thus contributing to the campaign's low detection rate.

The problem stems from the fact that the application shows “OK” as the default selected option in a pop-up when users are asked to trust the document prior to enabling certain features to avoid potential security risks.

Once a user clicks OK, they are shown a second pop-up warning that the file is about to execute additional commands, with the option “Open” set as the default. The command triggered is then used to download and execute a malicious payload hosted on Discord's content delivery network (CDN).

“If there were any chance the targeted user would read the first message, the second would be ‘Agreed’ without reading,” security researcher Antonis Terefos said.


“This is the case that the Threat Actors are taking advantage of this flawed logic and common human behavior, which provides as the default choice the most ‘harmful’ one.”

Check Point said it identified a PDF document bearing a military theme that, when opened via Foxit PDF Reader, executed a command to fetch a downloader that, in turn, retrieved two executables to collect and upload data, including documents, images, archive files, and databases, to a command-and-control (C2) server.

Further analysis of the attack chain has revealed that the downloader could also be used to drop a third payload that is capable of capturing screenshots of the infected host, after which they are uploaded to the C2 server.

The activity, assessed to be geared towards espionage, has been linked to DoNot Team (aka APT-C-35 and Origami Elephant), citing overlaps with previously observed tactics and techniques associated with the threat actor.

A second instance weaponizing the same technique employs a multi-stage sequence to deploy a stealer and two cryptocurrency miner modules such as XMRig and lolMiner. Interestingly, some of the booby-trapped PDF files are distributed via Facebook.


The Python-based stealer malware is equipped to steal victims' credentials and cookies from Chrome and Edge browsers, with the miners retrieved from a Gitlab repository belonging to a user named topworld20241. The repository, created on February 17, 2024, is still active as of writing.

In another case documented by the cybersecurity company, the PDF file acts as a conduit to retrieve from Discord CDN Blank-Grabber, an open-source information stealer that is available on GitHub and which has been archived as of August 6, 2023.

“Another interesting case occurred when a malicious PDF included a hyperlink to an attachment hosted on trello[.]com,” Terefos said. “Upon downloading, it revealed a secondary PDF file containing malicious code, which takes advantage of this ‘exploitation’ of Foxit Reader users.”

The infection pathway culminates in the delivery of Remcos RAT, but only after progressing through a series of steps that involve the use of LNK files, HTML Application (HTA), and Visual Basic scripts as intermediate stages.

The threat actor behind the Remcos RAT campaign, who goes by the name silentkillertv and claims to be an ethical hacker with over 22 years of experience, has been observed advertising several malicious tools via a dedicated Telegram channel called silent_tools, including crypters and PDF exploits targeting Foxit PDF Reader. The channel was created on April 21, 2022.


Check Point said it also identified .NET- and Python-based PDF builder services such as Avict Softwares I Exploit PDF, PDF Exploit Builder 2023, and FuckCrypt that were used to create the malware-laced PDF files. The DoNot Team is said to have used a .NET PDF builder freely available on GitHub.

If anything, the use of Discord, Gitlab, and Trello demonstrates the continued abuse of legitimate websites by threat actors to blend in with normal network traffic, evade detection, and distribute malware. Foxit has acknowledged the issue and is expected to roll out a fix in version 2024 3. The current version is 2024.2.1.25153.
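As an added defensive example (not from the Check Point report or this article), the Python triage script below flags the two things the article describes: PDF action dictionaries that can run a command or open a URL when the document is opened, and embedded URLs pointing at the legitimate services named above as payload hosts (Discord CDN, Trello, GitLab). The article does not name the action type, so the assumption here is that the command is carried in a /Launch action, which is what the constructed, harmless sample uses; its hex-escaped /L#61unch name shows why PDF names must be normalized before keyword matching.

```python
import re
from dataclasses import dataclass, field

# PDF action/trigger names that let a document run something on open or interaction.
ACTION_KEYS = ("OpenAction", "AA", "Launch", "JavaScript", "JS", "URI", "SubmitForm")
# Legitimate services the article reports being abused to host payloads.
ABUSED_HOSTS = ("cdn.discordapp.com", "discordapp.com", "trello.com", "gitlab.com")

_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")   # /L#61unch -> /Launch
_URL = re.compile(rb"https?://[^\s()<>\"']+")

def normalize_names(data: bytes) -> bytes:
    """Resolve PDF name hex escapes so keyword checks cannot be dodged by encoding."""
    return _NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)

@dataclass
class Findings:
    actions: dict = field(default_factory=dict)   # keyword -> occurrence count
    urls: list = field(default_factory=list)
    abused_hosts: list = field(default_factory=list)
    @property
    def suspicious(self) -> bool:
        return bool(self.actions.get("Launch") or self.actions.get("JavaScript") or self.abused_hosts)

def triage_pdf(data: bytes) -> Findings:
    """Raw-byte scan of a PDF for executable actions and URLs on known-abused hosts."""
    data = normalize_names(data)
    f = Findings()
    for key in ACTION_KEYS:
        n = len(re.findall(rb"/" + key.encode() + rb"(?![A-Za-z])", data))
        if n:
            f.actions[key] = n
    for m in _URL.finditer(data):
        url = m.group(0).decode("latin-1")
        f.urls.append(url)
        host = re.sub(r"^https?://", "", url).split("/")[0].lower()
        if any(host == h or host.endswith("." + h) for h in ABUSED_HOSTS):
            f.abused_hosts.append(host)
    return f

# Constructed sample (not a real malicious file): the catalog's OpenAction points at a
# Launch action with a hex-escaped name whose parameters merely echo a Discord CDN URL.
SAMPLE = b"""%PDF-1.7
1 0 obj << /Type /Catalog /OpenAction 4 0 R >> endobj
4 0 obj << /S /L#61unch /Win << /F (cmd) /P (/c echo https://cdn.discordapp.com/attachments/0/0/sample.bin) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF"""

if __name__ == "__main__":
    r = triage_pdf(SAMPLE)
    print("actions:", r.actions, "| abused hosts:", r.abused_hosts, "| suspicious:", r.suspicious)
```

The scan is deliberately stream-agnostic: it runs on the raw bytes, so objects hidden inside compressed object streams are not inspected and a full parser (or decompression step) is needed for those.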

“While this ‘exploit’ doesn't fit the classical definition of triggering malicious activities, it could be more accurately categorized as a form of ‘phishing’ or manipulation aimed at Foxit PDF Reader users, coaxing them into habitually clicking ‘OK’ without understanding the potential risks involved,” Terefos said.

“The infection success and the low detection rate allow PDFs to be distributed via many untraditional ways, such as Facebook, without being stopped by any detection rules.”
