PDF “Flawed Design” Exploitation
May 14, 2024, 6:03 p.m.
Tags
External References
Description
Check Point Research identified an unusual pattern of PDF exploitation, mainly targeting users of Foxit Reader. The exploit triggers security warnings that can deceive users into executing harmful commands. It relies on a flawed design in Foxit Reader: the warning dialogs present 'OK' as the default option, which can lead users to dismiss the warnings and execute malicious code. The exploit has been actively used by a range of threat actors, from e-crime to espionage groups, who take advantage of its low detection rate. The campaigns distribute malicious PDFs via links, host payloads on legitimate hosting platforms, and build notably complex attack chains.
Date
Published: May 14, 2024, 3:30 p.m.
Created: May 14, 2024, 3:30 p.m.
Modified: May 14, 2024, 6:03 p.m.
Indicators
Attack Patterns
NanoCore RAT
LV
Agent-Tesla
Bladabindi
Njw0rm
Pony - S0453
njRAT - S0385
VenomRAT
Remcos
DCRat
XWorm
AsyncRAT
T1036.003
T1021.004
T1573.002
T1574.002
T1059.005
T1555.003
T1497.001
T1106
T1105
T1027