A design flaw in Foxit PDF Reader is being exploited by multiple threat actors to deliver a wide range of malware, including Agent Tesla, AsyncRAT, DCRat, NanoCore RAT, NjRAT, Pony, Remcos RAT, and XWorm.
This exploit triggers security warnings that can mislead users into executing harmful commands. It has been used by various threat actors, from cybercriminals to espionage agents.
Interestingly, Adobe Acrobat Reader is not vulnerable to this specific exploit, which contributes to the campaign’s low detection rate as it bypasses many sandboxes and antivirus solutions.
The flaw arises because the application displays “OK” as the default option in a pop-up when asking users to trust the document before enabling certain features. Clicking “OK” prompts a second pop-up warning about executing additional commands, with “Open” as the default option. This triggers a command to download and execute a malicious payload hosted on Discord’s content delivery network (CDN).
“If users read the first message, they are likely to agree to the second without reading,” a security researcher explained. “Threat actors exploit this flawed logic and common human behavior, making the default choice the most harmful.”
The researcher identified a military-themed PDF document that, when opened in Foxit PDF Reader, executed a command to fetch a downloader. This downloader retrieved two executables that collected and uploaded data, including documents, images, archive files, and databases, to a command-and-control (C2) server.
Further analysis showed that the downloader could also deploy a third payload to capture screenshots of the infected host, which were then uploaded to the C2 server. This activity, aimed at espionage, has been linked to DoNot Team (aka APT-C-35 and Origami Elephant) due to overlaps with their known tactics and techniques.
Another instance of the same technique used a multi-stage sequence to deploy a stealer and two cryptocurrency miner modules, XMRig and lolMiner. Some of the malicious PDF files were distributed via Facebook.
The Python-based stealer malware is designed to steal credentials and cookies from Chrome and Edge browsers. The miners were retrieved from a GitLab repository belonging to a user named topworld20241. The repository, created on February 17, 2024, was still active at the time of writing.
In another documented case, the PDF file retrieved Blank-Grabber, an open-source information stealer available on GitHub. Although it was archived on August 6, 2023, it was still used in attacks.
“One case involved a malicious PDF with a hyperlink to an attachment on Trello,” the researcher said. “Downloading it revealed a secondary PDF containing malicious code, exploiting Foxit Reader users.”
This infection pathway led to the delivery of Remcos RAT after a series of steps involving LNK files, HTML Application (HTA), and Visual Basic scripts. The threat actor behind this campaign, silentkillertv, claims to be an ethical hacker with over 22 years of experience and advertises malicious tools, including crypters and PDF exploits, on a Telegram channel called silent_tools.
The use of platforms like Discord, GitLab, and Trello demonstrates how threat actors continue to abuse legitimate websites to blend in with normal network traffic, evade detection, and distribute malware. Foxit has acknowledged the issue and plans to release a fix in version 2024.3. The current version is 2024.2.1.25153.
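As an added illustration (not code from the article, the researchers, or Foxit), the following Python script performs a defender-side triage of a PDF file for the two ingredients the article describes: an action object that can launch or fetch something when the document is opened, and a download URL pointing at one of the legitimate services named above as abused for hosting (Discord's CDN, GitLab, Trello). The choice of `/Launch`, `/OpenAction`, `/JavaScript` and `/URI` as the action tokens to look for is my assumption; the article does not name the PDF mechanism involved. The sample PDFs are constructed inline with placeholder values, and the script also inflates FlateDecode streams so that a URL hidden in a compressed object is still found.

```python
import re
import zlib

# PDF action tokens that can run or fetch something when the document is opened.
# Assumption: the article does not state which action type the campaign uses.
ACTION_TOKENS = (b"/Launch", b"/OpenAction", b"/JavaScript", b"/URI")

# Legitimate services the article reports being abused for payload hosting.
ABUSED_HOSTS = ("cdn.discordapp.com", "discord.com", "gitlab.com", "trello.com")

URL_RE = re.compile(rb"https?://([A-Za-z0-9.-]+)")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def _inflate_streams(data: bytes) -> bytes:
    """Return the concatenated plaintext of every FlateDecode stream we can inflate."""
    out = []
    for m in STREAM_RE.finditer(data):
        try:
            # decompressobj tolerates the trailing newline before 'endstream'
            out.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not a zlib stream (image data, other filters, etc.)
    return b"\n".join(out)


def triage_pdf(data: bytes) -> dict:
    """Flag a PDF that combines an action object with a URL on an abused service."""
    searchable = data + b"\n" + _inflate_streams(data)
    actions = sorted({t.decode() for t in ACTION_TOKENS if t in searchable})
    hosts = {m.group(1).decode(errors="replace").lower() for m in URL_RE.finditer(searchable)}
    abused = sorted(h for h in hosts
                    if any(h == a or h.endswith("." + a) for a in ABUSED_HOSTS))
    return {
        "actions": actions,
        "abused_hosts": abused,
        # Either indicator alone is noisy; the pairing is what this campaign looks like.
        "suspicious": bool(actions) and bool(abused),
    }


def sample_suspicious_pdf() -> bytes:
    """Constructed fixture: an OpenAction -> Launch chain plus a compressed URI object.
    All values are placeholders; this is not a real document from the campaign."""
    hidden = zlib.compress(
        b"/Type /Action /S /URI /URI (https://cdn.discordapp.com/attachments/PLACEHOLDER/sample.bin)"
    )
    return (
        b"%PDF-1.7\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
        b"3 0 obj << /Type /Action /S /Launch /F (PLACEHOLDER_COMMAND) >> endobj\n"
        b"4 0 obj << /Length " + str(len(hidden)).encode() + b" /Filter /FlateDecode >>\n"
        b"stream\n" + hidden + b"\nendstream\nendobj\n"
        b"%%EOF\n"
    )


def sample_benign_pdf() -> bytes:
    """Constructed fixture: a minimal document with no actions and no URLs."""
    return (
        b"%PDF-1.7\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
        b"%%EOF\n"
    )


if __name__ == "__main__":
    for name, doc in (("suspicious", sample_suspicious_pdf()), ("benign", sample_benign_pdf())):
        print(name, triage_pdf(doc))
```

Run as a script it prints the verdict for both fixtures; in a mail gateway or sandbox pipeline `triage_pdf()` would be called on each attachment and a `suspicious` result routed for manual review. The scan is deliberately shallow (raw bytes plus inflated FlateDecode streams); object streams with other filters or encryption would need a full PDF parser, so treat a clean result as "nothing found", not as "safe".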
To protect against malware exploits targeting Foxit PDF Reader, users should immediately update to the latest version as soon as the fix is available. Additionally, disabling the automatic execution of embedded commands in PDF files and enabling security features that prompt users to verify actions can reduce risk. Organizations should also consider using PDF readers with robust security features.