PDF trap: how the design of Foxit Reader allows you to get infected with a virus in 2 clicks

Father

Hackers once again take advantage of victims' inattention to break into systems.

The Check Point Research team has discovered an exploit targeting Foxit Reader users that relies on users' inattention to execute malicious code.

Many attackers are already actively using this exploit, which is based on flaws in the Foxit Reader warning system. When a user opens a malicious PDF file, a security alert is triggered. If an inattentive user accepts the default option twice, the exploit downloads and executes malicious code from a remote server.

Infection occurs in the following scenario:
  • when the file is opened, the first pop-up window appears with "Trust once" selected by default;
  • after clicking "OK" in the first window, a second window pops up with a message warning about the danger of infection;
  • the victim allows the file to open without reading the message.

Attackers take advantage of this behavior of the target by offering the most "malicious" choice as the default.

[Image: Pop-ups in Foxit Reader]

The researchers note that successful infections and low detection rates allow malicious PDF files to be distributed in non-standard ways, in particular, through Facebook*, while avoiding detection. The use of the exploit ranges from espionage campaigns to cybercrimes involving complex chains of attacks.

In one case, the APT-C-35 group (DoNot Team) was able to conduct hybrid campaigns targeting both Windows and Android devices, which resulted in bypassing two-factor authentication (2FA). The exploit was also used by various cybercriminals to distribute well-known malware families such as VenomRAT, Agent Tesla, Remcos, and others.

In one of the malicious campaigns, Check Point specialists tracked links distributed through Facebook, which eventually led to a long chain of attacks, including the installation of an infostealer and two cryptominers. In another campaign, an attacker named @silentkillertv used two linked PDF files, one of which was hosted on the legitimate site trello.com.

Researchers were able to obtain several utilities that hackers used to create malicious PDF files. Most of the PDFs used a PowerShell command to download malicious code from a remote server, although in some cases other commands were used as well.
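A triage check a defender can run over incoming PDFs, added here as an example (it is not Check Point's or Foxit's code): it flags the open-time and launch actions a file of the kind described needs, checks whether a launch action names powershell, and decodes hex-escaped PDF names so that a spelling such as /L#61unch is not missed by plain string matching. The sample PDF bytes are constructed for the example and the command string is a placeholder.

```python
import re

# PDF keys worth a closer look: actions that fire when the document opens (/OpenAction, /AA),
# actions that run an external program (/Launch), script and attachment carriers.
SUSPICIOUS_KEYS = ("/OpenAction", "/AA", "/Launch", "/JavaScript", "/JS", "/EmbeddedFile")

def normalize_names(data: bytes) -> bytes:
    """Decode #xx hex escapes inside PDF name objects, e.g. /L#61unch -> /Launch."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def scan_pdf_bytes(data: bytes) -> dict:
    """Count suspicious keys and decide a coarse verdict for one PDF's raw bytes."""
    data = normalize_names(data)
    hits = {}
    for key in SUSPICIOUS_KEYS:
        # (?![A-Za-z]) stops /JS from also counting inside longer names.
        hits[key] = len(re.findall(re.escape(key.encode()) + rb"(?![A-Za-z])", data))
    # A /Launch action whose target mentions powershell within the same object.
    launch_powershell = re.search(rb"/Launch.{0,200}?powershell", data, re.I | re.S) is not None
    if hits["/Launch"] or hits["/JavaScript"] or hits["/JS"] or launch_powershell:
        verdict = "suspicious"
    elif hits["/OpenAction"] or hits["/AA"]:
        verdict = "review"
    else:
        verdict = "clean"
    return {"hits": hits, "launch_powershell": launch_powershell, "verdict": verdict}

def scan_pdf_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return scan_pdf_bytes(fh.read())

# Constructed sample: a catalog whose open action is a hex-escaped /Launch of powershell
# with a placeholder argument (no real command), beside a benign minimal file.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"3 0 obj << /Type /Action /S /L#61unch /Win << /F (powershell) "
    b"/P (PLACEHOLDER_COMMAND) >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
BENIGN_PDF = b"%PDF-1.7\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"

if __name__ == "__main__":
    print(scan_pdf_bytes(SAMPLE_PDF))   # verdict: suspicious
    print(scan_pdf_bytes(BENIGN_PDF))   # verdict: clean
```

The check is a first-pass filter only; compressed object streams and attachments still need a real parser before a file is cleared.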

[Image: Attack chain]

The exploit is classified by researchers as a form of phishing or social engineering aimed at Foxit Reader users, rather than as classic malicious activity. Cybercriminals count on users habitually clicking "OK" without realizing the possible risks.

Foxit Reader acknowledged the issue and informed Check Point that it will be resolved in version 2024.3. In the meantime, users are strongly advised to be cautious when opening PDF files from unknown sources.