Cybersecurity researchers have unveiled a concerning trend in PDF exploitation, particularly targeting users of Foxit Reader.
Despite Adobe Acrobat Reader’s dominance in the market, Foxit Reader has emerged as a significant player, boasting over 700 million users worldwide, including major customers in both government and technology sectors.
Check Point Research (CPR) has detected a distinct pattern of PDF exploitation aimed at Foxit Reader users, with variants in active use in the wild.
According to an advisory published on Tuesday, the exploit's low detection rate stems from the fact that most security solutions and sandboxes analyze PDFs with Adobe Reader, in which this Foxit-specific behaviour does not trigger, so the malicious files pass through unnoticed. Exploit builders written in languages including .NET and Python have been used to generate the PDFs that deliver the malware.
Notably, campaigns utilizing this exploit have been observed sharing malicious PDF files through unconventional channels such as Facebook.
The research uncovered a flaw in Foxit Reader's design: when a PDF tries to run an action on opening, the user is shown a sequence of security prompts whose default choices allow the malicious command to execute. Exploitation succeeds when users accept these defaults without understanding the associated risk, a combination of flawed software design and common human behavior.
"The victim scenario is shown below: when opening the file, we come across the first pop-up, the default option 'Trust once,' which is the correct approach," CPR wrote. "Once clicking 'OK', the target comes across a second pop-up. If there were any chance the targeted user would read the first message, the second would be 'Agreed' to without reading. This is the case that the threat actors are taking advantage of: this flawed logic and common human behavior, which provides the most 'harmful' option as the default choice."
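Because the files are only recognised as hostile when opened in Foxit, detonating them in a sandbox that uses Adobe Reader tells you nothing. A static check that looks at what the PDF asks the viewer to do on open does not have that blind spot. The following is an added example, not code from CPR's advisory or from Foxit: it flags a PDF that carries both an open-time trigger (/OpenAction or /AA) and an action that can run a program or script (/Launch, /JavaScript). It assumes the lure PDFs are built from standard PDF action dictionaries, which the article does not spell out. It goes a little beyond the article by also decoding #xx name escapes and inflating FlateDecode object streams, two routine ways of hiding those names from a byte search. The three sample PDFs are constructed inline for demonstration and are not samples from the campaigns.

```python
import re
import zlib
from typing import Dict

# Names that make a viewer act when a PDF is opened or interacted with.
# /OpenAction and /AA are the triggers; /Launch and /JavaScript are the
# actions that can end in command execution after a consent prompt.
ACTION_NAMES = ("/OpenAction", "/AA", "/Launch", "/JavaScript", "/JS",
                "/EmbeddedFile", "/URI", "/SubmitForm", "/ObjStm")
TRIGGERS = {"/OpenAction", "/AA"}
EXECUTORS = {"/Launch", "/JavaScript", "/JS"}


def _decode_name_escapes(data: bytes) -> bytes:
    """PDF lets any byte of a name be written as #xx, so /Launch may appear
    as /L#61unch. Decode the escapes so a byte search is not fooled."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def _inflate_streams(data: bytes) -> bytes:
    """Return the inflated content of every stream that looks like zlib.
    Object streams (/ObjStm) hide whole dictionaries, actions included,
    behind FlateDecode, so they must be scanned too. decompressobj is used
    because it tolerates trailing bytes or a clipped Adler32 trailer and
    still returns whatever it managed to inflate."""
    chunks = []
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            chunks.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not zlib: another filter, encrypted, or plain data
    return b"\n".join(chunks)


def count_action_names(data: bytes) -> Dict[str, int]:
    """Count each action-related name in the raw bytes plus inflated streams."""
    text = _decode_name_escapes(data + b"\n" + _inflate_streams(data))
    counts = {}
    for name in ACTION_NAMES:
        # require a delimiter after the name so /JS does not match /JSX etc.
        pattern = re.escape(name.encode()) + rb"(?![A-Za-z0-9_.#-])"
        counts[name] = len(re.findall(pattern, text))
    return counts


def is_suspicious(data: bytes) -> bool:
    """Flag a PDF that has both an open/event trigger and an action that can
    run code or a program. Either alone is common in benign documents."""
    c = count_action_names(data)
    return any(c[n] for n in TRIGGERS) and any(c[n] for n in EXECUTORS)


def build_sample(kind: str) -> bytes:
    """Constructed minimal PDFs for demonstration only. 'benign' has no
    actions; 'plain' has an /OpenAction whose /Launch action uses a #xx
    escaped name; 'hidden' puts that same action inside a FlateDecode
    object stream so the name never appears in clear in the file."""
    header = b"%PDF-1.4\n"
    pages = b"2 0 obj << /Type /Pages /Count 0 /Kids [] >> endobj\n"
    trailer = b"trailer << /Root 1 0 R >>\n%%EOF\n"
    if kind == "benign":
        catalog = b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        return header + catalog + pages + trailer
    catalog = (b"1 0 obj << /Type /Catalog /Pages 2 0 R"
               b" /OpenAction 3 0 R >> endobj\n")
    action = b"<< /S /L#61unch /F (example.exe) >>"  # /S /Launch, escaped
    if kind == "plain":
        obj3 = b"3 0 obj " + action + b" endobj\n"
    elif kind == "hidden":
        body = zlib.compress(b"3 0 " + action)
        head = b"4 0 obj << /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length %d >>\nstream\n"
        obj3 = head % len(body) + body + b"\nendstream\nendobj\n"
    else:
        raise ValueError(kind)
    return header + catalog + pages + obj3 + trailer


if __name__ == "__main__":
    for kind in ("benign", "plain", "hidden"):
        pdf = build_sample(kind)
        print(kind, is_suspicious(pdf), count_action_names(pdf))
```

The check is deliberately a triage heuristic, not a parser: it does not follow object references, so a trigger in one object and an action in another are counted independently, and encrypted or non-Flate streams are skipped. Anything it flags still needs a look in a PDF parser or a Foxit-based detonation, but it gives a viewer-independent first filter for the kind of lure described above.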
Further analysis revealed multiple campaigns leveraging this exploit, ranging from espionage attacks targeting military personnel to broader e-crime operations. These campaigns used sophisticated attack chains and a variety of malicious tools and malware families, including VenomRAT, Agent Tesla and Remcos, among others.
In response to these findings, CPR notified Foxit, which has acknowledged the issue and committed to fixing it in the forthcoming 2024.3 release of Foxit Reader.
This research underscores the importance of staying vigilant against evolving threats, applying software updates promptly, and fostering security awareness among employees.