How attackers deliver malware to Foxit PDF Reader users

Threat actors are taking advantage of the flawed design of Foxit PDF Reader’s alerts to deliver malware via booby-trapped PDF documents, Check Point researchers have warned.

Exploiting the issue

The researchers have analyzed several campaigns using malicious PDF files that are targeting Foxit Reader users.

The attackers are leveraging a variety of .NET and Python exploit builders, the most popular of which is the “PDF Exploit Builder”, to create PDF documents with macros that execute commands/scripts that download and execute malware (Agent Tesla, Remcon RAT, Xworm, NanoCore RAT, and others).

“Regardless of the programming language, all builders exhibit a consistent structure. The PDF template utilized for the exploit includes placeholder text, which is intended to be substituted once the user provides input for the URL from which to download the malicious file,” they explained.

The threat actors are also taking advantage of the fact that some of the pop-up alerts Foxit Reader shows when opening these booby-trapped files make the harmful option the default choice.

The first pop-up, warning about features being disabled to avoid potential security risks, asks the user to either trust this document one time only or always (the former option is the default one, as well as the safer one).

Once the user clicks the OK button, another alert pops up:

The second alert (Source: Check Point Research)

Attackers are relying on users to ignore the text of the alerts and sail through them by quickly accepting the default options, and thus allow Foxit to execute the malicious command.

Foxit promises to resolve the issue

Foxit PDF Reader is used by over 700 million users around the world and has customers in the government and tech sectors.

“Threat actors vary from e-crime to APT groups, with the underground ecosystem taking advantage of this ‘exploit’ for years, as it had been ‘rolling undetected’ as most AV & sandboxes utilize the major player in PDF Readers, Adobe,” the researchers added.

“The infection success and the low detection rate allow PDFs to be distributed via many untraditional ways, such as Facebook, without being stopped by any detection rules.”

Check Point has flagged the exploited “issue” to Foxit, and the company has stated it would resolve it in version 2024 3.

“The right way would be to detect and disable those types of CMD executions. Though from the message we received from Foxit, it’s possible they will just ‘switch’ the default options to ‘Do Not Open’,” Antonis Terefos, a reverse engineer at Check Point Research, told Help Net Security.

We’ve reached out to Foxit for comment, but we’ve yet to hear back from them.