PDF “Flawed Design” Exploitation

May 14, 2024, 6:03 p.m.

Description

Check Point Research identified an unusual pattern of PDF exploitation aimed mainly at users of Foxit Reader. The malicious PDFs do trigger Foxit Reader's security warnings, but the dialogs present 'OK' as the default choice, so a user who clicks through the prompts without reading them ends up executing the command embedded in the document. The weakness is therefore a design flaw in the prompt, not a parsing vulnerability: no memory-corruption exploit is needed, only a user who accepts the defaults. The technique has been used by a range of threat actors, from e-crime to espionage groups, helped by its low detection rate. The observed campaigns deliver the PDFs via links and legitimate hosting platforms and extend into longer attack chains that drop the malware families listed under Attack Patterns.
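The description says the PDFs carry a command that Foxit Reader offers to run with 'OK' preselected. The script below is an added triage example, not code from the Check Point report or from this page: it flags the PDF action types that can produce such a prompt (Launch, JavaScript, URI, GoToR, SubmitForm, ImportData) and records whether each fires automatically on open via /OpenAction or an /AA dictionary. The two embedded PDFs are constructed samples, and the assumption that the campaign files carried their command in a /Launch action is this example's own, not a statement from the page.

```python
import re
from typing import Dict, List

# Two constructed PDFs (not samples from the campaign). Both are uncompressed
# so the dictionaries are visible to a regex; real samples may hide the same
# dictionaries inside FlateDecode'd object streams, which this script does not
# inflate.
#
# MALICIOUS_PDF: the catalog's /OpenAction points at a /Launch action, the
# PDF feature that asks the reader to start an external program. Assumed here
# to be how the campaign carried its command; the command itself is a harmless echo.
MALICIOUS_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Type /Action /S /Launch /Win << /F (cmd.exe) /P (/c echo constructed-sample) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# BENIGN_PDF: the same skeleton with no actions at all.
BENIGN_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj(.*?)endobj", re.DOTALL)
# Action subtypes that can run code, start a program, or reach the network.
ACTION_RE = re.compile(rb"/S\s*/(Launch|JavaScript|URI|GoToR|SubmitForm|ImportData)\b")
# PDF literal string: (...) with backslash escapes; nested parentheses are not handled.
STRING = rb"\(((?:\\.|[^\\)])*)\)"
REF_RE = rb"(\d+)\s+\d+\s+R"


def _string_value(body: bytes, key: bytes) -> str:
    """Literal-string value of /key inside body, or '' if absent."""
    m = re.search(rb"/" + key + rb"\b\s*" + STRING, body)
    return m.group(1).decode("latin-1") if m else ""


def triage_pdf(data: bytes) -> List[Dict[str, object]]:
    """Return one finding per risky action object, noting whether it auto-fires."""
    objects = {int(m.group(1)): m.group(2) for m in OBJ_RE.finditer(data)}

    # Actions reached from the catalog's /OpenAction, or from an /AA
    # (additional-actions) dictionary, run as soon as the document opens,
    # with no click: that is what produces the unsolicited prompt.
    auto = set()
    for body in objects.values():
        for m in re.finditer(rb"/OpenAction\s*" + REF_RE, body):
            auto.add(int(m.group(1)))
        for aa in re.finditer(rb"/AA\s*<<(.*?)>>", body, re.DOTALL):
            auto.update(int(r.group(1)) for r in re.finditer(REF_RE, aa.group(1)))

    findings = []
    for num, body in objects.items():
        act = ACTION_RE.search(body)
        if not act:
            continue
        # The action dictionary may also be written inline under /OpenAction or /AA.
        inline_auto = bool(re.search(rb"/(?:OpenAction|AA)\s*<<", body))
        findings.append({
            "object": num,
            "action": act.group(1).decode(),
            "target": _string_value(body, b"F"),  # program, file or script
            "params": _string_value(body, b"P"),  # Launch command-line arguments
            "auto": num in auto or inline_auto,
        })
    return findings


if __name__ == "__main__":
    for finding in triage_pdf(MALICIOUS_PDF):
        print(finding)
```

On the constructed malicious file the script reports object 4 as an auto-firing Launch action targeting cmd.exe with its argument string, and reports nothing for the benign file. Because it works on raw bytes, it should be run on a decompressed copy of a suspect document (for example after inflating object streams with a PDF toolkit) before trusting a clean result.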

Date

Published: May 14, 2024, 3:30 p.m.
Created: May 14, 2024, 3:30 p.m.
Modified: May 14, 2024, 6:03 p.m.

Indicators

fc330bb132a345af05feb0d275eeef29c7a439a04223757f33360393cf975ca9

f002712b557a93da23bbf4207e5bc57cc5e4e6e841653ffab59deb97b19f214e

ecb4f5f0ee0cda289056f2f994c061d53cfbc8ac413f2ca4da8864c68f0a23f6

ee42cf45fff12bcc9e9262955470bfed810f3530e651fddb054456264635d9d2

eb87ec49879dc44b6794bb70bd6c706e74694e4c2bbc1926dd4cff42e5b63cc6

e32d2966a22243f346e06d4da5164abab63c2700c905f22c09a18125ee4de559

e9bf261a779c1b3a023189bef509579bad8b496dcfe5e96c19cf8cc8bea48a08

de8ecd738f1f24a94aba06f19d426399bc250cc5e7b848b2cbd92fc1d6906403

d761fe4d58fe68fc95d72871429f0fce6055389a58f81cf0a19eb905a96e1c38

d5483049dc32d1a57e759839930fe17fe31a5f513d24074710f98ec186f06777

d44f161b75cba92d61759ef535596912e1ea8b6a5a2067a2832f953808ca8609

d2bd6a05d1e30586216e73602a05367380ae66654cd0bccabb0414ef6810ab18

c943fe1b8e1b17ec379d33a6e5819a5736cb5de13564f86f1d3fba320ccebaa0

c1436f65acbf7123d1a45b0898be69ba964f0c6d569aa350c9d8a5f187b3c0e7

b59ab9147214bc1682006918692febed4ad37e1d305c5c80dc1ee461914eacd2

ac7598e2b4dd12ac584a288f528a94c484570582c9877c821c47789447b780ec

b3ad75eef9208d58a904030d44da22c59ce7bd47ed798b0a14b58330a1390fe8

a5c9a3518f072982404e68dc6a3dc90edebbf292fc1aca6962b6ccf64f4fe28c

a4a8486c26c050ed3b3eb02c826b1b67e505ada0bf864a223287d5b3f7a0cde0

a334a9c1a658f4ebef7ba336f9a27693030dc444509bd9fa8fdefe8aaae3a133

9c5883cf118f1d22795f7b5661573f8099554c5a3f78d592e8917917baa6d20f

9a7f4ff5fd0a972eeda9293727f0eecdd7ce2cfe0a072cdf9d3402ee9c46a48e

8155a6423d64f30d2994163425d3fbe14a52927d3616ffacea36ddc71a6af4b0

7f5f1586b243f477c484c34fa6243c20b3ecf29700c6c17e23a4daf9360e2d2f

79e1cb66cb52852ca3f46a2089115e11fff760227ae0ac13f128dda067675fbc

5c42a4b474d7433bd9f1665dc914de7b3cc7fbdb9618b0322324b534440737d7

4ef9133773d596d1c888b0ffe36287a810042172b0af0dfad8c2b0c9875d1c65

4a7aeb6f510cf5d038e566a3ccd45e98a46463bb67eb34012c8e64444464b081

4ef3a6703abc6b2b8e2cac3031c1e5b86fe8b377fde92737349ee52bd2604379

3f291d07a7b0596dcdf6f419e6b38645b77b551a2716649c12b8706d31228d79

3e9a60d5f6174bb1f1c973e9466f3e70c74c771043ee00688e50cac5e8efe185

2d40e892e059850ba708f8092523efeede759ecd6e52d8cb7752462fcdb6f715

2aa9459160149ecefd1c9b63420eedc7fe3a21ae0ca3e080c93fd39fef32e9c0

2266f701f749d4f393b8a123bd7208ec7d5b18bbd22eb47853b906686327ad59

20549f237f3552570692e6e2bb31c4d2ddf8133c5f59f5914522e88239370514

1cbf897cccc22a1e6d6a12766adf0dcee4c103539add2c10c7906042e19519f4

19a8201c6a3063b897d696330c1b60bd97914514d2ae6a6c3c1796bec236724a

0ade87ba165a269fd4c03177226a148904e14bd328bdbb31799d2ead59d7c2fa

87effdf835590f85db589768b14adae2f76b59b2f33fae0300aef50575e6340d

139.99.85.106

Attack Patterns

Malware families

NanoCore RAT

LV

Agent-Tesla

Bladabindi

Njw0rm

Pony - S0453

njRAT - S0385

VenomRAT

Remcos

DCRat

XWorm

AsyncRAT

MITRE ATT&CK techniques

T1036.003 Masquerading: Rename System Utilities

T1021.004 Remote Services: SSH

T1573.002 Encrypted Channel: Asymmetric Cryptography

T1574.002 Hijack Execution Flow: DLL Side-Loading

T1059.005 Command and Scripting Interpreter: Visual Basic

T1555.003 Credentials from Password Stores: Credentials from Web Browsers

T1497.001 Virtualization/Sandbox Evasion: System Checks

T1106 Native API

T1105 Ingress Tool Transfer

T1027 Obfuscated Files or Information