Foxit PDF Reader’s design flaws make users susceptible to exploitation


PDF Exploit Targeting Foxit Reader Users Discovered by Check Point Research

A PDF exploit targeting Foxit Reader users has been discovered by researchers at Check Point Research, posing a significant threat to unsuspecting users. The exploit takes advantage of the flawed design of warning messages in Foxit Reader, deceiving users into executing harmful commands.

Threat actors have already been utilizing this exploit to distribute malicious PDF files through various channels, including social media platforms like Facebook. When a user opens an altered PDF file, a security warning is triggered. If the user proceeds with the default options, the exploit downloads and executes a payload from a remote server.

The exploit has been used in various malicious campaigns, ranging from espionage to e-crime, with impressive attack chains. One threat actor, APT-C-35 / DoNot Team, was able to run hybrid campaigns targeting both Windows and Android devices, even bypassing two-factor authentication (2FA).

Malware families such as VenomRAT, Agent-Tesla, and NanoCore RAT have been distributed using this exploit. Check Point researchers followed links distributed via Facebook, leading to a long attack chain resulting in the deployment of an info stealer and two crypto miners.

Foxit Reader has acknowledged the issue and plans to resolve it in version 2024 3. In the meantime, users are advised to exercise caution when opening PDF files from unknown sources. This exploit serves as a reminder of the importance of cybersecurity awareness and the potential risks associated with clicking “OK” without understanding the consequences.
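
For defenders who want to triage PDFs before they reach a reader, the following is an added example, not code from Check Point's report or from Foxit. It assumes the command is carried by a PDF `/Launch` action fired on open through `/OpenAction` or `/AA`; those names come from the PDF specification and are not mentioned in the article, and the sample bytes are constructed.

```python
import re

# Assumption: the warning-then-execute behaviour comes from a /Launch action
# that fires automatically via /OpenAction or /AA (additional actions).
SUSPICIOUS = ("Launch", "OpenAction", "AA")

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# A PDF name is "/" followed by bytes up to whitespace or a delimiter.
_NAME = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes, so /L#61unch is read as /Launch."""
    return _HEX_ESCAPE.sub(
        lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def triage_pdf(data: bytes) -> dict:
    """Count suspicious names in the uncompressed part of a PDF.

    Objects packed inside compressed streams are not visible to this scan;
    decompress them first if the file uses object streams.
    """
    counts = {name: 0 for name in SUSPICIOUS}
    for match in _NAME.finditer(data):
        name = decode_name(match.group(1))
        if name in counts:
            counts[name] += 1
    auto = counts["OpenAction"] > 0 or counts["AA"] > 0
    if counts["Launch"] and auto:
        counts["verdict"] = "escalate"      # launch action that fires on open
    elif counts["Launch"]:
        counts["verdict"] = "review"        # launch action, trigger unclear
    else:
        counts["verdict"] = "no-launch-action"
    return counts


# Constructed sample: structure only, no command or payload.
SAMPLE = (b"%PDF-1.7\n"
          b"1 0 obj << /Type /Catalog /OpenAction 5 0 R >> endobj\n"
          b"5 0 obj << /Type /Action /S /L#61unch /Win 6 0 R >> endobj\n")
CLEAN = b"%PDF-1.7\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"

if __name__ == "__main__":
    print(triage_pdf(SAMPLE))
    print(triage_pdf(CLEAN))
```

Files that come back as `escalate` are candidates for quarantine or manual review rather than being opened in a desktop reader.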
