Beware of Malicious PDFs: New Foxit Reader Exploit Discovered

The Check Point Research team has discovered an exploit targeting Foxit Reader users, which leverages user inattention to execute malicious code.

Numerous cybercriminals are actively exploiting this vulnerability, which exploits weaknesses in Foxit Reader’s warning system. When a user opens an infected PDF file, a security warning is triggered. If the user inattentively agrees to the default settings twice, the exploit downloads and executes malicious code from a remote server.

The infection follows this scenario:

  • Upon opening the file, the first pop-up window appears with the default option “Trust once.”
  • After clicking “OK” in the first window, a second window appears with a message warning of potential danger.
  • The victim permits the file to open without reading the message.

Attackers exploit this behavior by providing the most “malicious” default choices.

Researchers note that successful infections and low detection rates allow the distribution of malicious PDF files through unconventional methods, notably via Facebook, thereby avoiding detection. The exploit’s usage ranges from espionage campaigns to cybercrime, including complex attack chains.

In one instance, the APT-C-35 group (DoNot Team) conducted hybrid campaigns targeting both Windows and Android devices, circumventing two-factor authentication (2FA). The exploit was also used by various cybercriminals to spread well-known malware families such as VenomRAT, Agent Tesla, Remcos, and others.

In one malicious campaign, Check Point experts tracked links distributed through Facebook, which ultimately led to a long attack chain, including the installation of an infostealer and two cryptominers. In another campaign, a cybercriminal with the alias @silentkillertv used two related PDF files, one of which was hosted on the legitimate site trello.com.

Researchers obtained several tools used by hackers to create malicious PDF files. Most of the PDFs executed a PowerShell command to download malicious code from a remote server, though other commands were used in some instances.

The exploit is classified by researchers as a form of phishing or social engineering targeting Foxit Reader users, rather than classic malware activity. Cybercriminals trick users into habitually clicking “OK,” unaware of the potential risks.

Foxit Reader acknowledged the issue and informed Check Point that it would be resolved in version 2024 3. Meanwhile, users are strongly advised to be vigilant and cautious when opening PDF files from unknown sources.