from the not-acrobat-for-a-change dept.
Foxit PDF Reader Flaw Exploited by Hackers to Deliver Diverse Malware Arsenal:
Multiple threat actors are weaponizing a design flaw in Foxit PDF Reader to deliver a variety of malware such as Agent Tesla, AsyncRAT, DCRat, NanoCore RAT, NjRAT, Pony, Remcos RAT, and XWorm.
"This exploit triggers security warnings that could deceive unsuspecting users into executing harmful commands," Check Point said in a technical report. "This exploit has been used by multiple threat actors, from e-crime to espionage."
It's worth noting that Adobe Acrobat Reader – which is more prevalent in sandboxes or antivirus solutions – is not susceptible to this specific exploit, thus contributing to the campaign's low detection rate.
The issue stems from the fact that the application shows "OK" as the default selected option in a pop-up when users are asked to trust the document prior to enabling certain features to avoid potential security risks.
Once a user clicks OK, they are displayed a second pop-up warning that the file is about to execute additional commands with the option "Open" set as the default. The command triggered is then used to download and execute a malicious payload hosted on Discord's content delivery network (CDN).
"If there were any chance the targeted user would read the first message, the second would be 'Agreed' without reading," security researcher Antonis Terefos said.
"This is the case that the Threat Actors are taking advantage of this flawed logic and common human behavior, which provides as the default choice the most 'harmful' one."
[...] The threat actor behind the Remcos RAT campaign, who goes by the name silentkillertv and claims to be an ethical hacker with over 22 years of experience, has been observed advertising several malicious tools via a dedicated Telegram channel called silent_tools, including crypters and PDF exploits targeting Foxit PDF Reader. The channel was created on April 21, 2022.
[...] If anything, the use of Discord, GitLab, and Trello demonstrates the continued abuse of legitimate websites by threat actors to blend in with normal network traffic, evade detection, and distribute malware. Foxit has acknowledged the issue and is expected to roll out a fix in version 2024.3. The current version is 2024.2.1.25153.
"While this 'exploit' doesn't fit the classical definition of triggering malicious activities, it could be more accurately categorized as a form of 'phishing' or manipulation aimed at Foxit PDF Reader users, coaxing them into habitually clicking 'OK' without understanding the potential risks involved," Terefos said.
"The infection success and the low detection rate allow PDFs to be distributed via many untraditional ways, such as Facebook, without being stopped by any detection rules."
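The summary describes a document that, once the two default-selected dialogs are clicked through, runs a command to fetch a payload. Below is an added triage example, not code from the article or from Check Point's report, that a defender could run over submitted PDFs. It assumes the command-execution path is a PDF /Launch action dictionary referenced from the catalog's /OpenAction; that mapping is an assumption here, not something the summary states. Both PDFs in the block are constructed samples and the command string is a placeholder.

```python
import re

# Constructed sample, not a real-world document from the report: a minimal PDF
# whose /OpenAction points at a /Launch action. The command is a placeholder.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>
endobj
4 0 obj
<< /Type /Action /S /Launch /Win << /F (cmd.exe) /P (/c PLACEHOLDER_COMMAND) >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

# Constructed control sample with no actions at all.
BENIGN_PDF = b"""%PDF-1.7
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

OBJ_HEADER_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b")
LAUNCH_RE = re.compile(rb"/S\s*/Launch\b")
OPENACTION_RE = re.compile(rb"/OpenAction\s+(\d+)\s+\d+\s+R")
# /F and /P literal strings; nested parentheses are not handled, which is
# acceptable for a first-pass triage heuristic.
STRING_RE = re.compile(rb"/(F|P)\s*\(([^)]*)\)")
NAME_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data: bytes) -> bytes:
    """Resolve #xx escapes in PDF names so that /L#61unch is seen as /Launch."""
    return NAME_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def find_launch_actions(pdf: bytes) -> list[dict]:
    """Return one finding per /Launch action found in uncompressed objects."""
    data = normalize_names(pdf)
    # Objects referenced from the catalog's /OpenAction fire as soon as the file opens.
    open_action_objs = {int(n) for n in OPENACTION_RE.findall(data)}

    # Split the file into objects using the "N G obj" headers; each body runs
    # up to the next header (or end of file).
    headers = list(OBJ_HEADER_RE.finditer(data))
    findings = []
    for i, h in enumerate(headers):
        body_end = headers[i + 1].start() if i + 1 < len(headers) else len(data)
        body = data[h.end():body_end]
        if not LAUNCH_RE.search(body):
            continue
        fields = {k.decode(): v.decode("latin-1") for k, v in STRING_RE.findall(body)}
        obj_num = int(h.group(1))
        findings.append({
            "object": obj_num,
            "file": fields.get("F"),
            "params": fields.get("P"),
            "triggered_on_open": obj_num in open_action_objs,
        })
    return findings


if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE_PDF), ("benign", BENIGN_PDF)):
        print(name, find_launch_actions(blob))
```

The scan only sees objects stored in the clear; documents that pack their dictionaries into FlateDecode'd object streams have to be inflated first, and a `/Launch` flagged as `triggered_on_open` is the case that maps to the dialog sequence the summary describes, so it is the one worth surfacing to an analyst.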
(Score: 2) by istartedi on Friday May 24, @03:33AM (1 child)
I had a feeling this was possible trademark infringement, and a little googling confirms it's not the same as the PDF viewer included in Firefox [wikipedia.org].
So never mind what might be in this package. If you're willing to download and install something from China that tries to look like it's part of Firefox [wikipedia.org], you're already pre-qualified to get phished.
(Score: 2) by istartedi on Friday May 24, @03:39AM
I should have gone to the company web site [foxit.com] before posting. Turns out they have a different logo now (or perhaps never used that logo?), and Wikipedia needs to be updated to reflect that.
(Score: 3, Insightful) by Rosco P. Coltrane on Friday May 24, @04:16AM
No, the "threat actors" exploit the habit most software users have gotten into of clicking on annoying popups to dismiss them as fast as possible and get on with what they need to do. And you can blame the software vendors' stupid registrations, insane EULAs, nagware and other ads for that.
There was a time, long, long ago, when a warning was read because such messages were few and far between and rightfully considered important. But the software industry has abused this UI paradigm so much they've shat the bed, and now people are trained to view popups as annoyances that are in their way.