Saturday, April 13, 2024

EXPMON detected "zero-day" PDF sample attempting to exploit Foxit Reader's bad design of security warning dialogs

Shortly after my EXPMON Public announcement on April 7, I was notified by a malware researcher that he/she had submitted a PDF sample and it got detected as red "Malicious". The Detection Details even say that it's potentially a "zero-day".


(P.S. I don't check the system often, so if you're a user and happen to find something, you could ping me on Twitter/X or email contact@expmon.com)


Check out the original submission here.

https://pub.expmon.com/analysis/15986/

Looking into the details you would note that there's an "Indicator" called "suspicious process created by main" detected in the environment named "win7sp1(update20180524)_foxitreader(2023.2.0.21408)[foxitreader]".

Technically speaking, this means that the system detected a suspicious process created from the main process (in this env, the Foxit Reader process) in the env that runs Foxit Reader version 2023.2.0.21408 on Windows 7, and that our Detection Logic concluded that this is potentially a zero-day exploit, as the Detection Details say.

Malicious - exploitation activity detected in newer environment, potential zero-day attack

You know, if the system reports a "zero-day" detection, I have an obligation to analyze the sample manually. So I downloaded the sample from the system and tested it in a local env with the latest Foxit Reader installed. Here are the details.

When I opened the PDF file with Foxit Reader, I got the following security warning dialog.

In the background, there's no suspicious process running. Looks fine? However, if you look at it carefully, you will find that the *default option* for this dialog is “Trust this document one time only - OK”. That means a careless user would click the “OK” button (or simply press the "Enter" key), which dismisses the security warning. And that's exactly what our system “simulates” in the sandbox environment for this sample.

Moving on: after the first security warning dialog, I got a second one, shown below:

In the background, there's still no suspicious process running at this moment. But this 2nd warning dialog has the same bad UI design: the *default option* for this dialog is "Open", instead of “Do Not Open”. That means a careless user would click "Open" (or simply press the "Enter" key), which dismisses this security warning, again.

After I clicked "Open" on the 2nd warning dialog, I observed the "cmd.exe" process running, with malicious parameters.

Apparently, it’s trying to download a .bat file from an attacker-controlled server and execute it.

If we look into the content of the PDF sample, we could confirm our dynamic analysis and find out that this is actually a very simple (but malicious) PDF sample.

Image copied directly from @SquiblydooBlog’s tweet

It has a lot of ':' characters at the beginning of the file; I personally guess this is for bypassing some static-analysis antivirus software.

Please note that I tested the sample on Adobe Reader too, as our EXPMON system did as well (every .pdf sample is tested in both Adobe Reader and Foxit Reader, as of the current standard version). On Adobe Reader, the attempt to run external commands (through the “/Launch” action) is completely disabled. So Adobe Reader is safe from this malicious sample.
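As an added illustration of the static side of this analysis (this is my own example code, not part of the EXPMON system or the original sample), the following Python scanner checks a PDF for the two traits described above: junk bytes before the `%PDF-` header and a `/Launch` action. It goes slightly beyond the post in two assumed, generally applicable ways: it decodes `#xx` hex escapes inside PDF name tokens (so `/L#61unch` is still recognized as `/Launch`) and it reports whether an `/OpenAction` is present, since an action referenced there can fire as soon as the file is opened. The sample PDF bytes are constructed here for the demonstration; the `/P` parameter is a harmless placeholder, not the real sample's command line.

```python
import json
import re

PDF_HEADER = b"%PDF-"
# A PDF name token: '/' followed by regular characters; whitespace and
# delimiters ( ) < > [ ] { } / % end the token.
NAME_TOKEN = re.compile(rb"/([^\s/\[\]<>(){}%]*)")
HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_names(data: bytes) -> bytes:
    """Decode #xx escapes inside name tokens so that /L#61unch reads as /Launch."""
    def fix(m):
        return b"/" + HEX_ESCAPE.sub(lambda h: bytes([int(h.group(1), 16)]), m.group(1))
    return NAME_TOKEN.sub(fix, data)


def header_offset(data: bytes) -> int:
    """Offset of the %PDF- header, or -1 if it is missing.
    Readers tolerate leading junk, so a non-zero offset is itself an indicator."""
    return data.find(PDF_HEADER)


def find_launch_actions(data: bytes) -> list:
    """Return one record per /Launch action with its /F target and /P parameters.
    Heuristic: /F and /P are looked up in a byte window around the /S /Launch
    pair rather than by parsing the full object tree."""
    norm = decode_names(data)
    found = []
    for m in re.finditer(rb"/S\s*/Launch\b", norm):
        window = norm[max(0, m.start() - 256): m.start() + 512]
        target = re.search(rb"/F\s*\(([^)]*)\)", window)
        params = re.search(rb"/P\s*\(([^)]*)\)", window)
        found.append({
            "file": target.group(1).decode("latin-1") if target else None,
            "params": params.group(1).decode("latin-1") if params else None,
        })
    return found


def scan_pdf(data: bytes) -> dict:
    """Produce a small indicator list and a verdict for a PDF byte string."""
    offset = header_offset(data)
    launches = find_launch_actions(data)
    auto_open = b"/OpenAction" in decode_names(data)
    indicators = []
    if offset < 0:
        indicators.append("no %PDF- header found")
    elif offset > 0:
        indicators.append(f"{offset} bytes of junk before the %PDF- header")
    if launches:
        indicators.append(f"{len(launches)} /Launch action(s) found")
        if auto_open:
            indicators.append("/OpenAction present: an action may fire as soon as the file is opened")
    return {
        "header_offset": offset,
        "launch_actions": launches,
        "indicators": indicators,
        "verdict": "suspicious" if launches else "clean",
    }


# Constructed sample: ':' padding before the header (as in the post), a catalog
# whose /OpenAction points at a hex-escaped /Launch action targeting cmd.exe.
# The /P value is a harmless placeholder for this demonstration.
SAMPLE_PDF = (
    b":" * 64
    + b"%PDF-1.4\n"
    + b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    + b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    + b"3 0 obj << /Type /Action /S /L#61unch"
    + b" /Win << /F (cmd.exe) /P (/c echo constructed-sample) >> >> endobj\n"
    + b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Constructed benign document for comparison.
CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"

if __name__ == "__main__":
    print(json.dumps(scan_pdf(SAMPLE_PDF), indent=2))
    print(json.dumps(scan_pdf(CLEAN_PDF), indent=2))
```

This is a triage heuristic, not a parser: compressed object streams or actions split across indirect objects would need a real PDF library, and a `/Launch` hit is an indicator to review, not proof of malice on its own.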


Is this a zero-day exploit?

Well, strictly speaking, this is indeed a PDF zero-day exploit, as it works on the latest Foxit Reader (version 2024.1.0.23997, as of writing). However, it is somewhat a "lame" one because the user/victim needs to “allow it” twice to achieve code execution. The key point here is that the default options for these two security warning dialogs are both for "allowing it", which increases the chance of successful exploitation (for careless users). That's what this "zero-day" sample is trying to exploit, as our analysis shows.

Therefore, I wouldn't consider it a false positive (FP) that the EXPMON system detects this sample as a “zero-day”. Instead, I consider it a success story. :)

So, stay safe & be vigilant, Foxit Reader users! I will forward this blog post to the vendor of Foxit Reader. If they have any update, say, a fix for the bad dialog designs, I will update here.


[Update on April 15, 2024]

The vendor, Foxit Software, has replied to my email. It seems to me that they've acknowledged the issues and will address them, but are not going to release a security advisory. Anyway.. I copied the email directly as the following, as there's no need to redact any personal information.

Foxit Reader users are recommended to stay vigilant about suspicious PDF files until an official fix is out.


Additional Information

As of writing, on VT, this sample has a 10/60 detection ratio.


The sample was first seen on VT on March 3, 2024.




I also just received this threat-intel information from the original sample submitter @SquiblydooBlog:

"it came in an email pretending to be a South Korean legal group, it also contained a few malicious other payloads."

It seems to me that the TA has been trying to leverage this “zero-day” to target Foxit Reader users in South Korea. But please note that this is just my personal impression based on the information I have.


Conclusion

I hope that through this quick analysis of this real-world example, security defenders in this community will better understand how the EXPMON system can help in fighting against advanced zero-day or unknown exploits.

I also encourage users to look at the "Indicators" the system produces - they're very helpful information. Sometimes, even when the Overall Detection Result says "Clean/Undetected", you may still find some suspicious information in the Indicators.

As a side note, if you're a pro, you could also use our helper tool expmon_sample_submit.py to submit samples. There are some advantages to using the tool: not only can it do many submissions automatically, but it can also obtain accurate raw analysis logs, and sometimes that information helps.


Sunday, April 7, 2024

Opening EXPMON for Everyone

Recently during the winter holidays, I "refreshed" the EXPMON system that my friend and I developed in 2021 (well, we just added a really simple web UI:)). The EXPMON system is mainly a sandbox-based system but with static analysis modules. Unlike all the other sandboxes that I know, EXPMON is specifically designed and built for detecting advanced file-based exploits. Here, "advanced" means unknown (undetectable by other tools) or zero-days (exploiting unpatched vulnerabilities). EXPMON doesn't process malware or anything that does not exploit vulnerabilities. In my opinion, the key difference is that EXPMON was built solely from the perspective of vulnerability research, rather than malware detection.

It's hard to explain all the differences here, so I've authored a document sharing the Methodology and Architecture - please read it if you’re interested in using the system. Personally, I want EXPMON to be as open as possible so that users understand what it can do (and what it can't). EXPMON should not be considered as a "replacement" of any kind of existing threat detection products, but as a cutting-edge "add-on" tool for users concerned about being targeted by advanced (file-based) exploits such as zero-days or hard-to-detect exploits. Look at all those emails / attachments your organizations receive every day - who knows what those files (emails are also files) are really doing?


In fact, I've been personally using the system for about two years, and it has been incredibly helpful to me. Not only do I drop suspicious samples into the system for analysis, but it has also greatly aided my research on apps such as Microsoft Office. For instance, when I encounter a suspicious RTF sample, manually testing it in various environments would be a long and arduous process. With this system, I could accurately observe the Word process activities, even across different environments. Moreover, the indicators reported by the system help me quickly identify any suspicious elements in the sample. On the other hand, with numerous samples analyzed and doing meaningful Big Data analytics, it has also assisted me in understanding and classifying normal behaviors versus abnormal ones, all through automated processes.


Anyway.. I wondered, with this newly-developed web UI, why not just open it for everyone? Personally, it would be great for me to see something I spent quite a lot of time on in 2021 benefiting the security defense community at large, especially since I have failed to see a sensible exploit detection system, or one designed from the vulnerability-exploitation perspective, within the community.


Therefore, let me introduce you to EXPMON Public. From now on, everyone can access the following URL and submit samples to the system for advanced exploit detection.:)


https://pub.expmon.com


I've also authored another document showing how to use the Web UI as well as the Web APIs, please check it here. Additionally, we've released a helper tool called “expmon_sample_submit.py”, which assists users in automatically submitting samples to the EXPMON system and obtaining analysis results, via the Web APIs. Please check it out on our GitHub repository https://github.com/EXPMON/PubTools.


Here are some notes:

1. Make sure to read the Methodology and Architecture and Web UI & APIs documents before using the system, so that you know what you're doing and what results you should expect.


One important thing to note is that the system only focuses on exploits, with its main goal being the detection of unknown and zero-day exploits. It does not detect other types of threats, such as .exe malware or very outdated exploits (e.g., CVE-2012-0158). Therefore, you should not rely on the system to determine whether a sample is malicious or not. Instead, it serves as an advanced "add-on" feature to identify advanced file-based exploits.


That also means that the vast majority of submissions will likely be classified as "CLEAN" (doesn't mean they're not malicious, though). The thing is, one day, if it detects your sample as something like "Malicious - potential zero-day exploit", you'll go "whoa!" :)


I will also perform regular Big Data analytics based on the “environment-binding” data produced by the system, and those may find hard-to-detect exploits too. In fact, this is one of the biggest advantages the system provides: meaningful Big Data analytics, thanks to the “environment-binding” architecture!


2. Currently, the supported file types and apps are listed here. We may add more supported file types or apps in the future, if needed (suggestions? contact me:)).


The current supported file types include all Word, Excel, and PowerPoint file types, Outlook email file types (.msg and .eml), PDFs (for both Adobe Reader and Foxit Reader), as well as some newer Office file types such as MS-Access (.accdb, .mdb), Publisher (.pub), and OneNote (.one). There are some advanced features depending on the file type. For example, when you submit a .msg or .eml sample, not only will the email file be analyzed in Outlook, but also the attachments (e.g., .rtf) will be analyzed.


3. Because the file types EXPMON deals with are mostly Office documents and PDFs, they may contain sensitive information. Please ensure that you have permission to share the samples before submitting them. EXPMON assumes no legal responsibility for any damage it may cause.


Please also note that this is a public system, and everyone can see what you have submitted through the “Recent” page, although they cannot download the samples (if not being hacked :P). However, you should be aware that all submitted samples, especially malicious ones, may be shared with the security defense community, for good purposes.


If you accidentally submitted a sample and wish to remove it, please contact contact@expmon.com. However, I cannot guarantee a timely response.


Read our (simple) Terms of Service and Privacy Policy here.


If you want to use the system for advanced exploit detection but your samples can't be shared, this is understandable. Please contact contact@expmon.com to see if it's doable to deploy the system in your network.


4. If you want to submit a lot of samples, feel free to use the Web APIs (check the instructions). But please don't “DoS” us or do anything malicious. :)


In fact, we've released a helper tool named "expmon_sample_submit.py" for automated submission, check it at our GitHub repository.


5. You may note that the Controller is currently connected to only 4 VMs, so it can't process many samples simultaneously. However, if you've already submitted samples, they will be in the pending list, although it may take longer to receive the results.


Another small note: you may notice that the first sample may take longer to analyze. This is because I've enabled the "shutdown the VM server if no sample is received within 15 minutes" feature. For the first sample, the VM server needs to be powered on, so it takes more time.


The system is hosted in a place in Canada, and the system or the network may not be that stable. Well.. hopefully it will work for some time!


Anyway, you know how to contact me if you have something to say about the system.


That's it. Enjoy your hunting for advanced exploits!:)


Cheers,

Haifei