If you use Foxit to read your PDFs, watch out for this flaw that allows malware to infect your machines


Mélina LOUPIA

May 16, 2024 at 4:16 p.m.


Be extremely careful if you use Foxit PDF Reader - © Kaspars Grinvalds /Shutterstock


Foxit Software, the publisher of the popular Foxit Reader PDF reader, is facing a major design weakness that has been heavily exploited in recent years.

Although it is not a vulnerability per se, Foxit Reader suffers from a design flaw that allows the execution of malicious payloads disguised as seemingly harmless PDF documents. This widely used file format is, unfortunately, often the target of malware campaigns, such as the latest, Byakugan, which hid an infostealer in Adobe PDF Reader files.

With over 700 million users worldwide, Foxit, an inexpensive PDF reader, has become a prime target for cybercriminals and state attack groups looking to infiltrate a wide range of Windows systems. In this case, it is more a “failure” in the software itself that opens the way to malware.


A design that traps the user

The exploitation relies on unusual behavior of Foxit Reader when it opens certain booby-trapped PDF files. Two warning windows appear, with “Accept” or “OK” preselected as the default option. This default choice runs contrary to good practice and risks encouraging the user to click mechanically without reading the warning messages.

By accepting these two options, the victim unwittingly triggers the execution of a malicious command that downloads and executes malware on their system. This is a perfect example of the pernicious combination of a software design flaw and the natural human behavior of not always reading warnings carefully.

Researchers at Check Point Research have identified multiple large-scale campaigns exploiting this vector in recent years. Dozens of different malware families were able to get in this way, from Windows and Android botnets to information stealers, including the now famous Remcos RAT and other Trojan horses.

The APT-C-35/DoNot Team, a state-sponsored attacker group, notably used this technique to carry out a large espionage campaign targeting government and military entities. Exploitation tools have also been marketed on underground networks by groups like @Silentkillertv.

The success of this exploitation technique lies in its low initial detection rate by consumer and enterprise antivirus solutions. Since most engines rely on Adobe Acrobat Reader to scan PDF documents, they did not detect the malicious payloads present in the Foxit Reader variants.

Attackers were thus able to distribute their malicious payloads through unconventional vectors such as social networks, with a limited risk of being stopped when entering corporate networks. Massive spam and phishing campaigns could also be carried out discreetly.

Foxit’s design flaw also opened the way to innovative exploitation techniques, such as automated exploit generators coded in various languages like .NET or Python. The malware ecosystem has grown rapidly, increasing the risks for Foxit Reader users.

PDF files from unknown sources are often infected with malware - © monticello / Shutterstock.com


How to protect yourself from PDF-distributed malware

If you are a Foxit Reader user, be aware that until Foxit Software patches the software and releases version 2024.3, which should resolve the issue, you will need to be vigilant.

In the meantime, Clubic gives you some advice to avoid falling into the trap. Be extremely careful with PDF files from unreliable or unknown sources. Systematically validate their integrity before opening, if only as a precaution.

Take the time to read the warnings carefully before accepting the actions proposed by default, a counter-intuitive reflex, but essential to avoid pitfalls.

Keep your software up to date by quickly applying the latest security updates to protect against the latest known exploitation techniques.

Deploy antivirus, anti-malware, and anti-exploit solutions that specifically block payloads targeting Foxit Reader. Standard protections are insufficient.
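One way to check an untrusted PDF before opening it, as the advice above recommends. This is an added example, not code from the article or from Check Point Research. It assumes the malicious command is delivered as a standard PDF Launch action fired on open, a detail the article does not give; the function names and sample fragments are constructed for illustration.

```python
import re
import zlib

# Name tokens that make a PDF act on its own when opened.
TRIGGERS = {"OpenAction", "AA"}            # fire an action without a click
ACTIONS = {"Launch", "JavaScript", "JS"}   # start a program / run a script

NAME_RE = re.compile(rb"/([^\x00\t\n\f\r ()<>\[\]{}/%]+)")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.S)


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so that /#4Caunch is recognised as /Launch."""
    return HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def inflate_streams(data: bytes) -> bytes:
    """Best-effort inflate of Flate streams, where actions can be tucked away."""
    out = []
    for m in STREAM_RE.finditer(data):
        try:
            out.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate data (other filter, or encrypted): left unscanned
    return b"\n".join(out)


def triage_pdf(data: bytes) -> dict:
    """Report risky names and a verdict: 'block', 'review' or 'no-finding'."""
    names = {decode_name(n) for n in NAME_RE.findall(data + b"\n" + inflate_streams(data))}
    triggers, actions = sorted(names & TRIGGERS), sorted(names & ACTIONS)
    if "Launch" in actions:
        verdict = "block"        # documents rarely need to start programs
    elif triggers and actions:
        verdict = "review"       # script that runs automatically
    else:
        verdict = "no-finding"   # nothing matched; not proof the file is safe
    return {"triggers": triggers, "actions": actions, "verdict": verdict}


# Constructed fragments, not real malware; "placeholder" stands in for a target.
SAMPLE_PLAIN = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
SAMPLE_ESCAPED = (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /Open#41ction 3 0 R >>\nendobj\n"
                  b"3 0 obj\n<< /S /#4Caunch /F (placeholder) >>\nendobj\n")
SAMPLE_PACKED = (b"%PDF-1.7\n5 0 obj\n<< /Filter /FlateDecode >>\nstream\n"
                 + zlib.compress(b"<< /S /Launch /F (placeholder) >>") + b"\nendstream\n")

if __name__ == "__main__":
    for label, pdf in [("plain", SAMPLE_PLAIN), ("escaped", SAMPLE_ESCAPED),
                       ("packed", SAMPLE_PACKED)]:
        print(label, triage_pdf(pdf))
```

A "no-finding" result only means none of these names were seen; encrypted files and streams using other filters are not inspected.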


Source: Check Point Research
