PDF files have become an integral part of modern digital communication. PDFs have evolved into a standard format for presenting text, images, and multimedia content with consistent layout and formatting, irrespective of the software, hardware, or operating system used to view them.
In the realm of PDF viewers, Adobe Acrobat Reader reigns supreme as the industry’s dominant player. However, while Adobe Acrobat Reader holds the biggest market share, notable contenders are vying for attention, with Foxit PDF Reader being a prominent alternative, with more than 700 million users located in more than 200 countries.
Check Point Research has identified an unusual pattern of behavior involving PDF exploitation, mainly targeting users of Foxit Reader. This exploit triggers security warnings that could deceive unsuspecting users into executing harmful commands. Check Point Research has observed variants of this exploit being actively utilized in the wild.
Flaws within the Design
The exploitation takes advantage of the flawed design of Warning messages in Foxit Reader which provide as default options that are the most harmful. Once a careless user proceeds twice with the default option, the exploit triggers, downloading and executing a payload from a remote server.
This exploit has been used by multiple threat actors, in use on e-crime and espionage. Check Point Research isolated and investigated three in-depth cases, ranging from an espionage campaign to e-crime with multiple links and tools, achieving impressive attack chains.
One of the most prominent campaigns leveraging this exploit has been possibly performed by theespionage group known as APT-C-35 / DoNot Team. Based on the specific malware deployed, the commands sent to the Bots, and the obtained victim data, the Threat Actor has the capability of performing hybrid campaigns targeting Windows and Android devices, which also resulted in a Two Factor Authentication (2FA) bypass.
This exploit has also been used by various Cyber-crime actors distributing the most prominent malware families such as:
During another campaign, Check Point Research identified the Threat Actor as @silentkillertv performing a campaign utilizing two chained PDF files while one was hosted on a legitimate website, trello.com. The Threat Actor is also selling malicious tools and, on the 27th of April, advertised this exploit.
While researching, Check Point obtained multiple builders that actors possess which create malicious PDF files taking advantage of this exploit. The majority of the collected PDFs were executing a PowerShell command which was downloading a payload from a remote server and then executing, though on some occasions other commands were used.
While this “exploit” doesn’t fit the classical definition of triggering malicious activities, it could be more accurately categorized as a form of “phishing” or manipulation aimed at Foxit PDF Reader users, coaxing them into habitually clicking “OK” without understanding the potential risks involved. Threat Actors vary from E-crime to APT groups, with the underground ecosystem taking advantage of this “exploit” for years, as it had been “rolling undetected” as most AV & Sandboxes utilize the major player in PDF Readers, Adobe. The infection success and the low detection rate allows malicious PDFs to be distributed via many untraditional ways, such as Facebook, without being stopped by any detection rules. Check Point Research reported the issue to Foxit Reader, which acknowledged it and stated that it would be resolved in version 2024 3.
With the increasing sophistication of social engineering tactics, it is imperative for users to be aware and vigilant and to stay informed, exercise caution, and implement robust security measures, such as multi-factor authentication and security awareness training, to mitigate the risk of falling victim to such attacks.
Check Point Threat Emulation, Harmony Endpoint and Harmony Mobile Protect provide comprehensive coverage of attack tactics, file-types, and operating systems and protect its customers against the type of attacks and the “exploit” described in this report.
