Threat actors abusing Foxit PDF Reader flaw to deploy multiple malware variants


Multiple threat actors have been exploiting a design flaw in Foxit PDF Reader to distribute a range of malware, including Agent Tesla, AsyncRAT, DCRat, NanoCore RAT, NjRAT, Pony, Remcos RAT, and XWorm.

According to a technical report by Check Point, the flaw lies in how Foxit PDF Reader handles the pop-up warnings that ask users to trust a document before enabling potentially risky features. The first security warning presents “OK” as the default option. If the user clicks “OK,” a second warning appears with “Open” as the default choice; accepting it executes additional commands that download and run a malicious payload hosted on Discord's content delivery network (CDN).

Notably, Adobe Acrobat Reader, the PDF reader most commonly used in sandbox environments and by antivirus solutions, is not vulnerable to this specific technique. This contributes to the campaign's low detection rate and makes it a preferred method for cybercriminals targeting Foxit PDF Reader users.

In one instance, threat actors distributed a military-themed PDF document, which, when opened with Foxit PDF Reader, executed a command to download a malware downloader. This downloader then retrieved two executables designed to collect and upload sensitive data, including documents, images, archive files, and databases, to a command-and-control (C2) server. Further analysis revealed that the downloader could also drop a third payload capable of capturing screenshots of the infected device and uploading them to the C2 server.

This activity has been linked to the espionage-focused DoNot Team, also known as APT-C-35 and Origami Elephant, due to similarities in tactics and techniques previously associated with this group.

Another observed exploitation method employs a multi-stage attack to deploy a stealer and two cryptocurrency mining modules, XMRig and lolMiner. Some of these malicious PDF files have been distributed via Facebook, while others are downloaded directly from DiscordApp. One such infection chain involved a PDF that executed PowerShell to download a malicious Python file from DiscordApp. The Python malware, downloaded as lol.pyw, features a range of capabilities, including a graphical builder, UAC bypass, anti-VM checks, and data-stealing functions targeting various browsers and applications.
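As an added example (not from the Check Point report or this article), the following Python triage script flags the kind of document described in the two paragraphs above: a PDF whose OpenAction is a Launch action that invokes PowerShell with a command pointing at Discord-hosted content. The sample PDF bytes are constructed here with a harmless placeholder command, and the interpreter and hosting strings are assumptions.

```python
import re

# Constructed sample (not a real campaign file): a minimal PDF whose OpenAction
# is a Launch action invoking PowerShell. The command is a harmless placeholder.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Type /Action /S /Launch /Win << /F (powershell.exe)
/P (-c echo PLACEHOLDER-COMMAND https://cdn.discordapp.com/attachments/PLACEHOLDER) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed benign sample: same skeleton, no actions at all.
CLEAN_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Action names that can trigger code execution (PDF names are case-sensitive),
# interpreters seen in the campaign, and the hosting domain named in the report
# (the exact host strings are an assumption).
RISKY_ACTIONS = (b"/Launch", b"/JavaScript", b"/OpenAction", b"/AA")
INTERPRETERS = (b"powershell", b"cmd.exe", b"mshta", b"wscript", b"python")
HOSTING = (b"discordapp.com", b"discord.com")

def scan_pdf(data: bytes) -> dict:
    """Triage raw PDF bytes: report the indicators present and a verdict."""
    low = data.lower()
    found = {
        "actions": [a.decode() for a in RISKY_ACTIONS if a in data],
        "interpreters": [i.decode() for i in INTERPRETERS if i in low],
        "hosting": [h.decode() for h in HOSTING if h in low],
        # Pull the Launch parameters so an analyst can read the command
        # without ever executing it.
        "launch_params": [m.decode(errors="replace")
                          for m in re.findall(rb"/P\s*\(([^)]*)\)", data)],
    }
    if "/Launch" in found["actions"] and found["interpreters"]:
        found["verdict"] = "malicious"
    elif "/Launch" in found["actions"] or found["hosting"]:
        found["verdict"] = "suspicious"
    else:
        found["verdict"] = "clean"
    return found

if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE_PDF), ("clean", CLEAN_PDF)):
        print(name, scan_pdf(blob))
```

Raw byte matching misses actions stored inside compressed object streams, so a production pipeline should decompress the document with a PDF parser before applying these checks.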

“Threat Actors vary from E-crime to APT groups, with the underground ecosystem taking advantage of this “exploit” for years, as it had been “rolling undetected” as most AV & Sandboxes utilize the major player in PDF Readers, Adobe. The infection success and the low detection rate allow PDFs to be distributed via many untraditional ways, such as Facebook, without being stopped by any detection rules,” Check Point noted in the report.
