Threat actors are exploiting a vulnerability in Foxit PDF Reader’s alert system to deliver malware through booby-trapped PDF documents, according to researchers at Check Point.
The researchers have identified several campaigns targeting Foxit Reader users with malicious PDF files. Attackers are utilizing various .NET and Python exploit builders, notably the “PDF Exploit Builder,” to create PDF documents containing macros that execute commands or scripts. These commands download and run malware such as Agent Tesla, Remcos RAT, Xworm, and NanoCore RAT.
“Regardless of the programming language, all builders exhibit a consistent structure. The PDF template used for the exploit includes placeholder text, which is meant to be replaced with the URL for downloading the malicious file once the user provides input,” explained the researchers.
Additionally, threat actors are exploiting the fact that some of the pop-up alerts in Foxit Reader make the harmful option the default choice when opening these compromised files.
The first pop-up alert warns users that certain features are disabled to avoid potential security risks, giving them the option to trust the document one time only or always. The default and safer option is the former. However, once the user clicks OK,
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
Read the original article: