Network Security, Malware

Various malware strains deployed via Foxit PDF Reader exploit

Abstract Red Background with Binary Code Numbers. Data Breach, Malware, Cyber Attack, Hacking

Attacks exploiting a design vulnerability in the Foxit PDF reader were launched by various threat actors to facilitate the delivery of several malicious payloads, including Agent Tesla, Remcos RAT, AsyncRAT, and XWorm, among others, reports The Hacker News.

Intrusions linked to suspected Indian state-sponsored threat operation DoNot Team, also known as Origami Elephant and APT-C-35, involved the distribution of a military-themed PDF document that facilitates the retrieval of a pair of executables and a downloader for another payload when opened using Foxit, a report from Check Point revealed. Such a technique has been used to deliver the XMRig and lolMiner cryptocurrency miner modules, as well as a Python-based stealer to enable browser credential and cookie exfiltration.

On the other hand, a malicious PDF document with a link redirecting to a trello[.]com-hosted attachment were leveraged by self-proclaimed ethical hacker silentkillertv to allow the deployment of Remcos RAT.

"The infection success and the low detection rate allow PDFs to be distributed via many untraditional ways, such as Facebook, without being stopped by any detection rules," said Check Point researcher Antonis Terefos.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.