A number of risk actors are weaponizing a design flaw in Foxit PDF Reader to ship quite a lot of malware resembling Agent Tesla, AsyncRAT, DCRat, NanoCore RAT, NjRAT, Pony, Remcos RAT, and XWorm.
“This exploit triggers safety warnings that would deceive unsuspecting customers into executing dangerous instructions,” Examine Level mentioned in a technical report. “This exploit has been utilized by a number of risk actors, from e-crime to espionage.”
It is value noting that Adobe Acrobat Reader – which is extra prevalent in sandboxes or antivirus options – is just not vulnerable to this particular exploit, thus contributing to the marketing campaign’s low detection charge.
The difficulty stems from the truth that the appliance reveals “OK” because the default chosen choice in a pop-up when customers are requested to belief the doc previous to enabling sure options to keep away from potential safety dangers.
As soon as a person clicks OK, they’re displayed a second pop-up warning that the file is about to execute further instructions with the choice “Open” set because the default. The command triggered is then used to obtain and execute a malicious payload hosted on Discord’s content material supply community (CDN).
“If there have been any likelihood the focused person would learn the primary message, the second can be ‘Agreed’ with out studying,” safety researcher Antonis Terefos mentioned.
“That is the case that the Menace Actors are benefiting from this flawed logic and customary human habits, which supplies because the default selection essentially the most ‘dangerous’ one.”
Examine Level mentioned it recognized a PDF doc bearing a navy theme that, when opened by way of Foxit PDF Reader, executed a command to fetch a downloader that, in flip, retrieved two executables to gather and add information, together with paperwork, photographs, archive information, and databases to a command-and-control (C2) server.
Additional evaluation of the assault chain has revealed that the downloader may be used to drop a 3rd payload that is able to capturing screenshots of the contaminated host, after which they’re uploaded to the C2 server.
The exercise, assessed to be geared in the direction of espionage, has been linked to DoNot Group (aka APT-C-35 and Origami Elephant), citing overlaps with beforehand noticed ways and strategies related to the risk actor.
A second occasion weaponizing the identical approach employs a multi-stage sequence to deploy a stealer and two cryptocurrency miner modules resembling XMRig and lolMiner. Apparently, a number of the booby-trapped PDF information are distributed by way of Fb.
The Python-based stealer malware is supplied to steal victims’ credentials and cookies from Chrome and Edge browsers, with the miners retrieved from a Gitlab repository belonging to a person named topworld20241. The repository, created on February 17, 2024, remains to be lively as of writing.
In one other case documented by the cybersecurity firm, the PDF file acts as a conduit to retrieve from Discord CDN Clean-Grabber, an open-source info stealer that is obtainable on GitHub and which has been archived as of August 6, 2023.
“One other attention-grabbing case occurred when a malicious PDF included a hyperlink to an attachment hosted on trello[.]com,” Terefos mentioned. “Upon downloading, it revealed a secondary PDF file containing malicious code, which takes benefit of this
‘exploitation’ of Foxit Reader customers.”
The an infection pathway culminates within the supply of Remcos RAT, however solely after progressing by a sequence of steps that contain using LNK information, HTML Utility (HTA), and Visible Fundamental scripts as intermediate steps.
The risk actor behind the Remcos RAT marketing campaign, who goes by the title silentkillertv and claims to be an moral hacker with over 22 years of expertise, has been noticed promoting a number of malicious instruments by way of a devoted Telegram channel known as silent_tools, together with crypters and PDF exploits focusing on Foxit PDF Reader. The channel was created on April 21, 2022.
Examine Level mentioned it additionally recognized .NET- and Python-based PDF builder companies resembling Avict Softwares I Exploit PDF, PDF Exploit Builder 2023, and FuckCrypt that had been used to create the malware-laced PDF information. The DoNot Group is alleged to have used a .NET PDF builder freely obtainable on GitHub.
If something, using Discord, Gitlab, and Trello demonstrates the continued abuse of professional web sites by risk actors to mix in with regular community site visitors, evade detection, and distribute malware. Foxit has acknowledged the difficulty and is predicted to roll out a repair in model 2024 3. The present model is 2024.2.1.25153.
“Whereas this ‘exploit’ would not match the classical definition of triggering malicious actions, it may very well be extra precisely categorized as a type of ‘phishing’ or manipulation aimed toward Foxit PDF Reader customers, coaxing them into habitually clicking ‘OK’ with out understanding the potential dangers concerned,” Terefos mentioned.
“The an infection success and the low detection charge enable PDFs to be distributed by way of many untraditional methods, resembling Fb, with out being stopped by any detection guidelines.”
