A new malware strain named PDFSider has been deployed in attacks against a Fortune 100 financial company, serving as a stealthy backdoor for ransomware operators. The attackers used social engineering, impersonating technical support to trick employees into installing remote access tools. The malware is delivered via spearphishing emails containing a ZIP archive with a legitimate, signed PDF24 Creator executable and a malicious DLL designed for side-loading.
When the legitimate application runs, it loads the malicious DLL from its own directory, granting the attacker code execution with the same privileges as the trusted, signed application. This technique exploits vulnerabilities in the PDF24 software to bypass endpoint detection and response systems. PDFSider operates primarily in memory to minimize its on-disk footprint and uses encrypted DNS tunneling for command-and-control communication, employing AES-256-GCM encryption and anti-analysis checks to evade detection.
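Two defender-side heuristics for the behaviours described above, written as an added example that is not from the article or from Resecurity: the first flags image-load records in which a signed process loads an unsigned DLL from outside the usual installation directories (the side-loading pattern), the second flags DNS parents that receive many long, high-entropy subdomain queries (the tunneling pattern). The record fields, the placeholder process and DLL names, the `placeholder-c2.invalid` domain and the thresholds are all assumptions for the example; none of them are PDFSider indicators.

```python
"""Added example, not the article's or Resecurity's code. Field names,
process/DLL names, the C2 domain and all thresholds are assumptions."""
import math
from collections import defaultdict

# Directories where DLLs of a properly installed application normally live.
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                    "c:\\program files\\", "c:\\program files (x86)\\")


def flag_sideload(events):
    """Return image-load events where a signed process loads an unsigned DLL
    from a directory outside TRUSTED_DLL_DIRS (typical of side-loading).
    Each event is a dict with process_signed, dll_path and dll_signed."""
    hits = []
    for ev in events:
        path = ev["dll_path"].lower()
        in_trusted = path.startswith(TRUSTED_DLL_DIRS)
        if ev["process_signed"] and not ev["dll_signed"] and not in_trusted:
            hits.append(ev)
    return hits


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for a single-symbol string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def flag_dns_tunnel(queries, min_len=30, min_entropy=3.5, min_count=3):
    """Group queries by parent (last two labels) and flag a parent when at
    least min_count distinct subdomains are long and high-entropy, which is
    how encoded data looks when it is carried in DNS labels."""
    by_parent = defaultdict(set)
    for q in queries:
        labels = q.lower().rstrip(".").split(".")
        if len(labels) < 3:
            continue  # no subdomain to carry data
        parent = ".".join(labels[-2:])
        sub = ".".join(labels[:-2])
        if len(sub) >= min_len and shannon_entropy(sub) >= min_entropy:
            by_parent[parent].add(sub)
    return {p for p, subs in by_parent.items() if len(subs) >= min_count}


# Constructed image-load records (names are placeholders, not real IoCs).
SAMPLE_EVENTS = [
    {"process": "pdf24_creator_placeholder.exe", "process_signed": True,
     "dll_path": "C:\\Users\\alice\\Downloads\\pdf24_extracted\\helper.dll",
     "dll_signed": False},                        # signed app, unsigned DLL next to it
    {"process": "notepad.exe", "process_signed": True,
     "dll_path": "C:\\Windows\\System32\\kernel32.dll", "dll_signed": True},
    {"process": "custom_tool.exe", "process_signed": False,
     "dll_path": "C:\\tools\\plugin.dll", "dll_signed": False},  # unsigned app, ignored
]

# Constructed DNS queries: three benign names plus three hex-like payload
# chunks split across two labels under a placeholder parent domain.
_CHUNKS = ["4f2a9c7e1b8d3f6a0e5c2b9d7f4a1e8c3b6d0f9a",
           "9e1c7b3a5f0d8e2c6a4b1f7d9c3e5a0b8f2d6c4e",
           "2d6f0a8c4e1b9d5f3a7c0e2b8d4f6a1c9e3b5d7f"]
SAMPLE_QUERIES = ["www.example.com", "mail.example.com", "cdn.static.example.com"]
SAMPLE_QUERIES += [f"{c[:20]}.{c[20:]}.placeholder-c2.invalid" for c in _CHUNKS]


if __name__ == "__main__":
    for ev in flag_sideload(SAMPLE_EVENTS):
        print("possible side-load:", ev["process"], "->", ev["dll_path"])
    for parent in sorted(flag_dns_tunnel(SAMPLE_QUERIES)):
        print("possible DNS tunnel to:", parent)
```

Both heuristics are deliberately coarse: a signed process loading an unsigned DLL from a user-writable directory is common for plugins and portable tools, and long random-looking subdomains also come from CDNs and anti-spam services, so in practice the output is a triage queue to be joined with process ancestry and query volume per client, not an alert on its own.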
Resecurity researchers note that PDFSider exhibits characteristics typical of advanced persistent threat (APT) tradecraft, emphasizing stealth and long-term access. While observed in Qilin ransomware attacks, the backdoor is reportedly used by multiple ransomware groups. This incident highlights the growing sophistication of cybercriminal tools and the use of legitimate, vulnerable software as a delivery mechanism for malicious payloads.
