Foxit PDF Reader Flaw Exploited by Hackers to Deliver Diverse Malware Arsenal
upstart writes:
Foxit PDF Reader Flaw Exploited by Hackers to Deliver Diverse Malware Arsenal:
Multiple threat actors are weaponizing a design flaw in Foxit PDF Reader to deliver a variety of malware such as Agent Tesla, AsyncRAT, DCRat, NanoCore RAT, NjRAT, Pony, Remcos RAT, and XWorm.
"This exploit triggers security warnings that could deceive unsuspecting users into executing harmful commands," Check Point said in a technical report. "This exploit has been used by multiple threat actors, from e-crime to espionage."
It's worth noting that Adobe Acrobat Reader - which is more prevalent in sandboxes or antivirus solutions - is not susceptible to this specific exploit, thus contributing to the campaign's low detection rate.
The issue stems from the fact that the application shows "OK" as the default selected option in a pop-up when users are asked to trust the document prior to enabling certain features to avoid potential security risks.
Once a user clicks OK, they are shown a second pop-up warning that the file is about to execute additional commands, with the option "Open" set as the default. The command triggered is then used to download and execute a malicious payload hosted on Discord's content delivery network (CDN).
"If there were any chance the targeted user would read the first message, the second would be 'Agreed' without reading," security researcher Antonis Terefos said.
"This is the case that the Threat Actors are taking advantage of this flawed logic and common human behavior, which provides as the default choice the most 'harmful' one."
Read more of this story at SoylentNews.
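The story above does not name the PDF mechanism that carries the "additional commands"; the added detection example below assumes it is a PDF Launch action (`/S /Launch`) wired to the document's `/OpenAction`, which is one well-known way a PDF can ask a reader to run a program. It is example code written for this page, not Check Point's or Foxit's, and it scans a constructed, benign sample PDF to flag any object carrying such an action so a defender can triage the file before anyone sees the dialogs.

```python
import re

# Constructed sample PDF (not from the report). Object 3 is a Launch action
# that the catalog's /OpenAction points at, so it would fire when the file opens.
# The command is a harmless echo so the sample is safe to keep in a repository.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Type /Action /S /Launch /Win << /F (cmd) /P (/c echo constructed-sample) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.S)
OPENACTION_RE = re.compile(rb"/OpenAction\s+(\d+)\s+\d+\s+R")
LAUNCH_RE = re.compile(rb"/S\s*/Launch")
WIN_F_RE = re.compile(rb"/F\s*\(([^)]*)\)")   # program to run (/Win /F)
WIN_P_RE = re.compile(rb"/P\s*\(([^)]*)\)")   # its parameters (/Win /P)


def find_launch_actions(pdf: bytes) -> list:
    """Return one record per indirect object that contains a Launch action.

    Limitation (deliberate, to stay small): this is a plain-text scan. Objects
    hidden in compressed object streams or split with escapes will be missed,
    so treat a hit as confirmation and a miss as "parse properly before trusting".
    """
    open_action = OPENACTION_RE.search(pdf)
    auto_obj = int(open_action.group(1)) if open_action else None
    hits = []
    for m in OBJ_RE.finditer(pdf):
        num, body = int(m.group(1)), m.group(3)
        if not LAUNCH_RE.search(body):
            continue
        f, p = WIN_F_RE.search(body), WIN_P_RE.search(body)
        hits.append({
            "object": num,
            "file": f.group(1).decode(errors="replace") if f else "",
            "params": p.group(1).decode(errors="replace") if p else "",
            "auto_run": num == auto_obj,   # True when /OpenAction triggers it
        })
    return hits


if __name__ == "__main__":
    for hit in find_launch_actions(SAMPLE_PDF):
        print(f"obj {hit['object']}: launches {hit['file']!r} {hit['params']!r} "
              f"(runs on open: {hit['auto_run']})")
```

A hit whose parameters reference a URL or a scripting host is the kind of file the dialogs described above would prompt on, and is worth quarantining regardless of which reader the recipient uses.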