
Various malware strains deployed via Foxit PDF Reader exploit


Attacks exploiting a design vulnerability in the Foxit PDF reader were launched by various threat actors to facilitate the delivery of several malicious payloads, including Agent Tesla, Remcos RAT, AsyncRAT, and XWorm, among others, reports The Hacker News.

Intrusions linked to suspected Indian state-sponsored threat operation DoNot Team, also known as Origami Elephant and APT-C-35, involved the distribution of a military-themed PDF document that facilitates the retrieval of a pair of executables and a downloader for another payload when opened using Foxit, a report from Check Point revealed. Such a technique has been used to deliver the XMRig and lolMiner cryptocurrency miner modules, as well as a Python-based stealer to enable browser credential and cookie exfiltration.

Separately, a malicious PDF document containing a link that redirects to an attachment hosted on trello[.]com was leveraged by the self-proclaimed ethical hacker silentkillertv to deploy Remcos RAT.

"The infection success and the low detection rate allow PDFs to be distributed via many untraditional ways, such as Facebook, without being stopped by any detection rules," said Check Point researcher Antonis Terefos.
