
Multiple threat actors are exploiting a design flaw in Foxit PDF Reader to deliver a variety of malware, including Agent Tesla, AsyncRAT, DCRat, NanoCore RAT, NjRAT, Pony, Remcos RAT, and XWorm.
"This exploit triggers security warnings that could deceive unsuspecting users into executing harmful commands," Check Point said in a technical report. "This exploit has been used by multiple threat actors, from e-crime to espionage."
It is worth noting that Adobe Acrobat Reader, which is more prevalent in sandboxes and antivirus solutions, is not susceptible to this specific exploit, which contributes to the campaign's low detection rate.
The issue stems from the fact that the application shows "OK" as the default selected option in a pop-up when users are asked to trust the document before certain features are enabled, a prompt meant to avoid potential security risks.
Once a user clicks OK, they are shown a second pop-up warning that the file is about to execute additional commands, with the option "Open" set as the default. The command triggered is then used to download and execute a malicious payload hosted on Discord's content delivery network (CDN).
"If there were any chance the targeted user would read the first message, the second one would be 'Agreed' without reading," security researcher Antonis Terefos said.

"This is the case that the Threat Actors are taking advantage of this flawed logic and common human behavior, which provides as the default choice the most 'harmful' one."
Check Point said it identified a PDF document with a military theme that, when opened in Foxit PDF Reader, executed a command to fetch a downloader, which in turn retrieved two executables that collect and upload data, including documents, images, archive files, and databases, to a command-and-control (C2) server.
Further analysis of the attack chain revealed that the downloader can also be used to drop a third payload capable of capturing screenshots of the infected host, which are then uploaded to the C2 server.
The activity, assessed to be geared towards espionage, has been linked to DoNot Team (aka APT-C-35 and Origami Elephant), citing overlaps with previously observed tactics and techniques associated with the threat actor.
A second instance weaponizing the same technique employs a multi-stage sequence to deploy a stealer and two cryptocurrency miner modules, XMRig and lolMiner. Interestingly, some of the booby-trapped PDF files are distributed via Facebook.

The Python-based stealer is equipped to steal victims' credentials and cookies from the Chrome and Edge browsers, while the miners are retrieved from a GitLab repository belonging to a user named topworld20241. The repository, created on February 17, 2024, is still active as of writing.
In another case documented by the cybersecurity company, the PDF file acts as a conduit to retrieve Blank-Grabber from Discord's CDN, an open-source information stealer that is available on GitHub and has been archived since August 6, 2023.
"Another interesting case occurred when a malicious PDF included a link to an attachment hosted on trello[.]com," Terefos said. "Upon downloading, it revealed a secondary PDF file containing malicious code, which takes advantage of this 'exploitation' of Foxit Reader users."
The infection pathway culminates in the delivery of Remcos RAT, but only after progressing through a series of steps that use LNK files, an HTML Application (HTA), and Visual Basic scripts as intermediate stages.
The threat actor behind the Remcos RAT campaign, who goes by the name silentkillertv and claims to be an ethical hacker with over 22 years of experience, has been observed advertising several malicious tools via a dedicated Telegram channel called silent_tools, including crypters and PDF exploits targeting Foxit PDF Reader. The channel was created on April 21, 2022.

Check Point said it also identified .NET- and Python-based PDF builder services, such as Avict Softwares I Exploit PDF, PDF Exploit Builder 2023, and FuckCrypt, that have been used to create the malware-laced PDF files. The DoNot Team is said to have used a .NET PDF builder freely available on GitHub.
If anything, the use of Discord, GitLab, and Trello demonstrates the continued abuse of legitimate websites by threat actors to blend in with normal network traffic, evade detection, and distribute malware. Foxit has acknowledged the issue and is expected to roll out a fix in version 2024.3. The current version is 2024.2.1.25153.
"While this 'exploit' doesn't fit the classical definition of triggering malicious activities, it could be more accurately categorized as a form of 'phishing' or manipulation aimed at Foxit PDF Reader users, coaxing them into habitually clicking 'OK' without understanding the potential risks involved," Terefos said.
"The infection success and the low detection rate allow PDFs to be distributed via many untraditional ways, such as Facebook, without being stopped by any detection rules."