
PDF Exploitation Targets Foxit Reader Users


Cybersecurity researchers have raised an alarm about a growing trend in PDF exploitation, specifically targeting users of Foxit Reader. While Adobe Acrobat Reader remains the dominant player in the market, Foxit Reader has gained significant popularity with over 700 million users globally, including key customers in government and technology sectors.

Check Point Research (CPR) has identified a clear pattern of PDF exploitation aimed at Foxit Reader users, with different variants actively used in real-world attacks. An advisory released on Tuesday highlighted the exploit’s low detection rate, which is due to the prevalence of Adobe Reader in most security solutions, leaving Foxit vulnerable. Exploit builders written in various languages, such as .NET and Python, have been used to deploy the malware.

Campaigns using this exploit have been observed sharing malicious PDF files through unconventional channels like Facebook. The research exposed a flaw in Foxit Reader’s design: the default options in its pop-ups can trigger the execution of malicious commands. Exploitation occurs when users accept these default options without fully understanding the risks involved, a combination of flawed software design and common human behavior.

According to CPR, the victim scenario begins when the user opens the file and encounters the first pop-up, where the default option “Trust once” is the correct choice. However, clicking “OK” leads to a second pop-up, which is often agreed to without being read. Threat actors exploit this flawed logic and common human behavior, where the default choice is the most “harmful” one.

Further investigation revealed multiple instances of campaigns leveraging this exploit, targeting military personnel for espionage-focused attacks and broader e-crime operations. These campaigns demonstrated sophisticated attack chains involving various malicious tools and malware families like VenomRAT, Agent-Tesla, and Remcos.

In response to these findings, CPR has informed Foxit Reader, which has acknowledged the issue and pledged to address it in the upcoming 2024 version 3 release. This research underscores the importance of remaining vigilant against evolving threats, promptly updating software, and cultivating cybersecurity awareness among employees.

The prevalence of PDF exploitation campaigns serves as a reminder of the ever-changing cybersecurity landscape, where attackers continuously search for vulnerabilities to exploit. By staying informed, implementing necessary precautions, and fostering a culture of cybersecurity awareness, organizations can better protect themselves against potential threats. It is essential to remain proactive in addressing security risks to safeguard sensitive data and mitigate potential damages from cyberattacks.
