May 20, 2024 at 09:00AM
Multiple threat actors are leveraging a design flaw in Foxit PDF Reader to deliver various malware, exploiting a security warning deception to execute harmful commands. Adobe Acrobat Reader is not susceptible to the exploit, contributing to its low detection rate. The malware-laced PDFs are being distributed via unconventional methods like Facebook, Discord, Gitlab, and Trello. Foxit is expected to release a fix in version 2024.3.
Certainly! Here are the key takeaways from the meeting notes:
1. Multiple threat actors are exploiting a design flaw in Foxit PDF Reader to deliver various malware including Agent Tesla, AsyncRAT, DCRat, NanoCore RAT, NjRAT, Pony, Remcos RAT, and XWorm.
2. Check Point stated that this exploit has been used by various threat actors for activities ranging from e-crime to espionage.
3. The exploit is triggered when the user is asked to trust the document and the default selected option “OK” leads to the execution of additional commands.
4. The malicious payload is hosted on Discord’s content delivery network (CDN).
5. The campaign’s low detection rate is attributed to the fact that Adobe Acrobat Reader is not susceptible to this exploit.
6. The threat actors are taking advantage of flawed logic and common human behavior to increase the infection success rate.
7. The campaign has been linked to DoNot Team, with activities assessed to be geared towards espionage.
8. The attackers are using various techniques, including dropping payloads that capture screenshots of the infected host and distributing booby-trapped PDF files via Facebook.
9. The threat actor behind the Remcos RAT campaign, silentkillertv, has been observed advertising malicious tools on a dedicated Telegram channel.
10. The use of legitimate websites such as Discord, Gitlab, and Trello demonstrates the continued abuse by threat actors to blend in with normal network traffic, evade detection, and distribute malware.
11. Foxit is expected to roll out a fix for the issue in version 2024.3.
12. The exploit is categorized as a form of phishing or manipulation aimed at Foxit PDF Reader users, coaxing them into habitually clicking ‘OK’ without understanding the potential risks involved.
Let me know if you need any further information!