{
  "name": "PDF \u201cFlawed Design\u201d Exploitation",
  "slug": "pdf-flawed-design-exploitation",
  "description": "Check Point Research identified an unusual pattern of PDF exploitation, mainly targeting users of Foxit Reader. The exploit triggers security warnings that can deceive users into executing harmful commands. It relies on a flawed design in Foxit Reader, which shows 'OK' as the default option in these warnings, so users who ignore the warnings and accept the default may execute malicious code. The exploit has been actively used by various threat actors, from e-crime to espionage groups, who take advantage of its low detection rate. The campaigns distribute malicious PDFs via links, use legitimate hosting platforms, and achieve impressive attack chains.",
  "published": "2024-05-14T13:30:16+00:00",
  "created_at": "2024-05-14T13:30:16+00:00",
  "modified_at": "2024-05-14T16:03:11+00:00",
  "created_at_opencti": "2024-05-14T13:30:16+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-05-09",
    "2024-05-10",
    "2024-05-14",
    "agent-tesla",
    "asyncrat",
    "bladabindi",
    "campaigns",
    "dcrat",
    "exploitation",
    "foxit",
    "lv",
    "malware",
    "nanocore rat",
    "njrat",
    "njw0rm",
    "pdf",
    "pony",
    "remcos",
    "venomrat",
    "xworm"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "139.99.85.106"
      },
      {
        "id": "",
        "name": "fc330bb132a345af05feb0d275eeef29c7a439a04223757f33360393cf975ca9"
      },
      {
        "id": "",
        "name": "f002712b557a93da23bbf4207e5bc57cc5e4e6e841653ffab59deb97b19f214e"
      },
      {
        "id": "",
        "name": "ecb4f5f0ee0cda289056f2f994c061d53cfbc8ac413f2ca4da8864c68f0a23f6"
      },
      {
        "id": "",
        "name": "ee42cf45fff12bcc9e9262955470bfed810f3530e651fddb054456264635d9d2"
      },
      {
        "id": "",
        "name": "eb87ec49879dc44b6794bb70bd6c706e74694e4c2bbc1926dd4cff42e5b63cc6"
      },
      {
        "id": "",
        "name": "e32d2966a22243f346e06d4da5164abab63c2700c905f22c09a18125ee4de559"
      },
      {
        "id": "",
        "name": "e9bf261a779c1b3a023189bef509579bad8b496dcfe5e96c19cf8cc8bea48a08"
      },
      {
        "id": "",
        "name": "de8ecd738f1f24a94aba06f19d426399bc250cc5e7b848b2cbd92fc1d6906403"
      },
      {
        "id": "",
        "name": "d761fe4d58fe68fc95d72871429f0fce6055389a58f81cf0a19eb905a96e1c38"
      },
      {
        "id": "",
        "name": "d5483049dc32d1a57e759839930fe17fe31a5f513d24074710f98ec186f06777"
      },
      {
        "id": "",
        "name": "d44f161b75cba92d61759ef535596912e1ea8b6a5a2067a2832f953808ca8609"
      },
      {
        "id": "",
        "name": "d2bd6a05d1e30586216e73602a05367380ae66654cd0bccabb0414ef6810ab18"
      },
      {
        "id": "",
        "name": "c943fe1b8e1b17ec379d33a6e5819a5736cb5de13564f86f1d3fba320ccebaa0"
      },
      {
        "id": "",
        "name": "c1436f65acbf7123d1a45b0898be69ba964f0c6d569aa350c9d8a5f187b3c0e7"
      },
      {
        "id": "",
        "name": "b59ab9147214bc1682006918692febed4ad37e1d305c5c80dc1ee461914eacd2"
      },
      {
        "id": "",
        "name": "ac7598e2b4dd12ac584a288f528a94c484570582c9877c821c47789447b780ec"
      },
      {
        "id": "",
        "name": "b3ad75eef9208d58a904030d44da22c59ce7bd47ed798b0a14b58330a1390fe8"
      },
      {
        "id": "",
        "name": "a5c9a3518f072982404e68dc6a3dc90edebbf292fc1aca6962b6ccf64f4fe28c"
      },
      {
        "id": "",
        "name": "a4a8486c26c050ed3b3eb02c826b1b67e505ada0bf864a223287d5b3f7a0cde0"
      },
      {
        "id": "",
        "name": "a334a9c1a658f4ebef7ba336f9a27693030dc444509bd9fa8fdefe8aaae3a133"
      },
      {
        "id": "",
        "name": "9c5883cf118f1d22795f7b5661573f8099554c5a3f78d592e8917917baa6d20f"
      },
      {
        "id": "",
        "name": "9a7f4ff5fd0a972eeda9293727f0eecdd7ce2cfe0a072cdf9d3402ee9c46a48e"
      },
      {
        "id": "",
        "name": "8155a6423d64f30d2994163425d3fbe14a52927d3616ffacea36ddc71a6af4b0"
      },
      {
        "id": "",
        "name": "7f5f1586b243f477c484c34fa6243c20b3ecf29700c6c17e23a4daf9360e2d2f"
      },
      {
        "id": "",
        "name": "79e1cb66cb52852ca3f46a2089115e11fff760227ae0ac13f128dda067675fbc"
      },
      {
        "id": "",
        "name": "5c42a4b474d7433bd9f1665dc914de7b3cc7fbdb9618b0322324b534440737d7"
      },
      {
        "id": "",
        "name": "4ef9133773d596d1c888b0ffe36287a810042172b0af0dfad8c2b0c9875d1c65"
      },
      {
        "id": "",
        "name": "4a7aeb6f510cf5d038e566a3ccd45e98a46463bb67eb34012c8e64444464b081"
      },
      {
        "id": "",
        "name": "4ef3a6703abc6b2b8e2cac3031c1e5b86fe8b377fde92737349ee52bd2604379"
      },
      {
        "id": "",
        "name": "3f291d07a7b0596dcdf6f419e6b38645b77b551a2716649c12b8706d31228d79"
      },
      {
        "id": "",
        "name": "3e9a60d5f6174bb1f1c973e9466f3e70c74c771043ee00688e50cac5e8efe185"
      },
      {
        "id": "",
        "name": "2d40e892e059850ba708f8092523efeede759ecd6e52d8cb7752462fcdb6f715"
      },
      {
        "id": "",
        "name": "2aa9459160149ecefd1c9b63420eedc7fe3a21ae0ca3e080c93fd39fef32e9c0"
      },
      {
        "id": "",
        "name": "2266f701f749d4f393b8a123bd7208ec7d5b18bbd22eb47853b906686327ad59"
      },
      {
        "id": "",
        "name": "20549f237f3552570692e6e2bb31c4d2ddf8133c5f59f5914522e88239370514"
      },
      {
        "id": "",
        "name": "1cbf897cccc22a1e6d6a12766adf0dcee4c103539add2c10c7906042e19519f4"
      },
      {
        "id": "",
        "name": "19a8201c6a3063b897d696330c1b60bd97914514d2ae6a6c3c1796bec236724a"
      },
      {
        "id": "",
        "name": "0ade87ba165a269fd4c03177226a148904e14bd328bdbb31799d2ead59d7c2fa"
      },
      {
        "id": "",
        "name": "87effdf835590f85db589768b14adae2f76b59b2f33fae0300aef50575e6340d"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:ec8d7c34e24a6e7a",
        "name": "NanoCore RAT",
        "slug": "nanocore-rat"
      },
      {
        "id": "legacy:malware:4d73c29a4561048c",
        "name": "LV",
        "slug": "lv"
      },
      {
        "id": "349cc8bf-bfd8-44f8-93ee-528ebe6c40fe",
        "name": "Agent-Tesla",
        "slug": "agent-tesla-39af750e"
      },
      {
        "id": "legacy:malware:0a3ffd661bac67a8",
        "name": "Bladabindi",
        "slug": "bladabindi"
      },
      {
        "id": "legacy:malware:2066823fa37e1028",
        "name": "Njw0rm",
        "slug": "njw0rm"
      },
      {
        "id": "legacy:malware:a0cad3378258f106",
        "name": "Pony - S0453",
        "slug": "pony-s0453"
      },
      {
        "id": "legacy:malware:7b4be469c4b355a9",
        "name": "njRAT - S0385",
        "slug": "njrat-s0385"
      },
      {
        "id": "legacy:malware:bfb472af0835c358",
        "name": "VenomRAT",
        "slug": "venomrat"
      },
      {
        "id": "legacy:malware:196436899fefaba3",
        "name": "Remcos",
        "slug": "remcos"
      },
      {
        "id": "legacy:malware:fbd3667f9504e6d5",
        "name": "DCRat",
        "slug": "dcrat"
      },
      {
        "id": "legacy:malware:8932c7ca64048d7b",
        "name": "XWorm",
        "slug": "xworm"
      },
      {
        "id": "legacy:malware:4fcb3099e8f330ca",
        "name": "AsyncRAT",
        "slug": "asyncrat"
      }
    ],
    "attack_patterns": [
      {
        "id": "595179f5-1fe1-4eaf-9b9a-65db3ddadab7",
        "name": "T1036.003"
      },
      {
        "id": "f65930b0-5581-4f3d-a367-a86ac78f407b",
        "name": "T1021.004"
      },
      {
        "id": "e7d42089-23ed-495f-a2bc-c942c4e56fb7",
        "name": "T1573.002"
      },
      {
        "id": "e8422fc8-8365-4a6a-a556-d6ec16cb4e5d",
        "name": "T1574.002"
      },
      {
        "id": "9e784d22-5a6c-4da6-968a-5fab2f019efd",
        "name": "T1059.005"
      },
      {
        "id": "b7ba0db0-7d4f-436f-8d5f-c431d690b048",
        "name": "T1555.003"
      },
      {
        "id": "05ac27d4-58d0-44b2-a984-cd5aefd1f7f9",
        "name": "T1497.001"
      },
      {
        "id": "60972cf6-e90b-4600-af3c-13c468391d9c",
        "name": "T1106"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      }
    ]
  },
  "external_refs": [
    "https://research.checkpoint.com/2024/foxit-pdf-flawed-design-exploitation/",
    "https://otx.alienvault.com/pulse/66438388647c6cb1e1aea2d3"
  ]
}