
Stealth Backdoor “PDFSider” Used in Social Engineering Attack Against Fortune 100


Ransomware attackers targeting a Fortune 100 company in the finance sector used a new malware strain, dubbed PDFSider, to deliver malicious payloads on Windows systems.

To achieve initial access, the attackers relied on social engineering to gain remote access by impersonating technical support workers and tricking company employees into installing Microsoft’s Quick Assist tool.

Researchers at cybersecurity company Resecurity discovered PDFSider during an incident response engagement and describe it as a stealthy backdoor built for long-term access, noting that it shows “characteristics commonly associated with APT tradecraft.”

A Resecurity spokesperson told BleepingComputer that attackers have deployed PDFSider in Qilin ransomware attacks. The company’s threat hunting team adds that multiple ransomware actors already “actively use” the backdoor to launch their payloads.

Malware Delivery Mechanism

The attackers deliver the PDFSider backdoor through spearphishing emails that carry a ZIP archive containing a legitimate, digitally signed executable for the PDF24 Creator tool from Miron Geek Software GmbH. Alongside it, the archive includes a malicious version of a DLL the executable needs at startup, cryptbase.dll.

When the executable runs, it loads the attacker-controlled DLL from its own directory, a technique known as DLL side-loading, which gives the attackers code execution on the system under the cover of a signed, trusted binary.

[Figure: The executable’s valid signature. Source: Resecurity]

In other cases, the attackers attempt to trick email recipients into launching the malicious file by embedding decoy documents that appear tailored to the targets. For example, in one observed case, they used a Chinese government entity as the document author.

Once launched, the DLL executes with the same privileges as the executable that loads it.
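The side-loading layout described above (a signed executable next to a DLL that carries the name of a Windows system library) is something a defender can look for in image-load telemetry. The following is an added example written for this article, not tooling from Resecurity or BleepingComputer: it scans constructed image-load records, such as an EDR or Sysmon event ID 7 feed would provide, and flags a known system DLL name loaded from outside the Windows system directories. The DLL allow-list, the file and folder names, and the event shape are all assumptions made for the example.

```python
"""Heuristic detection for DLL side-loading of the kind described above.

Added example (not Resecurity's or BleepingComputer's tooling). It scans
constructed image-load records for a DLL whose file name belongs to a
well-known Windows system library but whose path is outside the Windows
system directories, typically sitting in the same folder as the signed
executable that loaded it.
"""
import ntpath

# Assumption: a short allow-list of DLL names that Windows normally serves
# from System32/SysWOW64. Real deployments would use a fuller list.
KNOWN_SYSTEM_DLLS = {"cryptbase.dll", "version.dll", "userenv.dll", "dbghelp.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")


def classify_image_load(event):
    """Return a finding dict for a suspicious load, or None.

    event: {"image": <path of loading process>, "module": <path of loaded DLL>}
    """
    image = event["image"].lower()
    module = event["module"].lower()
    name = ntpath.basename(module)
    if name not in KNOWN_SYSTEM_DLLS:
        return None                      # not a name we expect in System32
    if module.startswith(SYSTEM_DIRS):
        return None                      # loaded from a legitimate location
    return {
        "image": event["image"],
        "module": event["module"],
        "dll_name": name,
        # Strongest signal: the DLL lives next to the executable, which is the
        # layout the ZIP archive described above produces.
        "same_dir_as_image": ntpath.dirname(module) == ntpath.dirname(image),
    }


def find_sideloads(events):
    """Run the check over a list of image-load events and return the findings."""
    findings = []
    for e in events:
        f = classify_image_load(e)
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample events; file and folder names are invented for the example.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\alice\Downloads\pdf24\pdf24-creator.exe",
     "module": r"C:\Users\alice\Downloads\pdf24\cryptbase.dll"},      # side-load
    {"image": r"C:\Program Files\PDF24\pdf24-creator.exe",
     "module": r"C:\Windows\System32\cryptbase.dll"},                # normal load
    {"image": r"C:\Users\alice\Downloads\pdf24\pdf24-creator.exe",
     "module": r"C:\Users\alice\Downloads\pdf24\pdf24.dll"},         # app's own DLL
]

if __name__ == "__main__":
    for f in find_sideloads(SAMPLE_EVENTS):
        print(f"suspicious load of {f['dll_name']} by {f['image']} "
              f"(same directory as image: {f['same_dir_as_image']})")
```

Only the first constructed event is flagged: the DLL name is one Windows normally serves from System32, yet it was loaded from the download folder beside the executable. The valid code signature on the executable does not help here, because the check is on where the DLL came from, not on who signed the process that loaded it.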

“The EXE file has a legitimate signature; however, the PDF24 software has vulnerabilities that attackers were able to exploit to load this malware and bypass EDR systems effectively,” Resecurity explains.

According to the researchers, cybercriminals now find it easier to identify exploitable software vulnerabilities due to the rise of AI-powered coding tools.

Stealthy Execution and Data Exfiltration

PDFSider loads directly into memory, leaves minimal disk artifacts, and runs commands through cmd.exe over anonymous pipes.

Next, the malware assigns each infected host a unique identifier, collects system information, and exfiltrates the data to the attacker’s VPS server over DNS (port 53).
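Exfiltration over DNS, as described above, tends to leave a recognisable trace in resolver logs: long query names whose subdomain labels look like encoded data, and a single client asking for many distinct subdomains of one domain. The following is an added example, not from the original report or from Resecurity, showing two such heuristics over constructed log lines. The log format, the thresholds, and the rule that the last two labels form the registrable domain are assumptions made for the example.

```python
"""Heuristics for spotting DNS-based exfiltration like the port-53 channel
described above. Added example, not from the original report; the log
lines are constructed and the thresholds are assumptions to tune locally.
"""
import math
from collections import Counter, defaultdict


def shannon_entropy(text):
    """Bits of entropy per character; hex/base32-encoded data scores high."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def split_query(qname):
    """Return (subdomain, registrable_domain).

    Assumption: the registrable domain is the last two labels. A production
    detector should use the public suffix list instead.
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def query_features(qname):
    sub, domain = split_query(qname)
    labels = sub.split(".") if sub else []
    return {
        "qname": qname,
        "domain": domain,
        "length": len(qname),
        "longest_label": max((len(label) for label in labels), default=0),
        "entropy": shannon_entropy(sub.replace(".", "")),
    }


def is_suspicious(features, max_len=60, max_label=30, min_entropy=3.5):
    """Long or oddly-labelled names that also look like encoded data."""
    long_name = features["length"] > max_len or features["longest_label"] > max_label
    return long_name and features["entropy"] >= min_entropy


def parse_line(line):
    """Constructed log format: '<timestamp> <client_ip> <qtype> <qname>'."""
    parts = line.split()
    if len(parts) != 4:
        return None
    return {"ts": parts[0], "client": parts[1], "qtype": parts[2], "qname": parts[3]}


def scan_log(lines):
    """Return per-query findings plus a per-(client, domain) count of distinct
    subdomains; the second signal catches low-and-slow beacons with short names."""
    findings = []
    distinct = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        feats = query_features(rec["qname"])
        sub, domain = split_query(rec["qname"])
        distinct[(rec["client"], domain)].add(sub)
        if is_suspicious(feats):
            findings.append({**rec, **feats})
    fanout = {k: len(v) for k, v in distinct.items()}
    return findings, fanout


# Constructed sample log; addresses and names are invented.
SAMPLE_LOG = [
    "2025-01-01T10:00:00Z 10.0.0.5 A www.example.com",
    "2025-01-01T10:00:01Z 10.0.0.5 TXT "
    "6a3f9c1b2e4d7a8f0c5e1b9d3a7f2c4e.8b1d3f5a7c9e2b4d6f8a0c1e3b5d7f9a.tunnel.example",
    "2025-01-01T10:00:02Z 10.0.0.5 A cdn.static.example.org",
    "2025-01-01T10:00:03Z 10.0.0.5 TXT "
    "0c1e3b5d7f9a8b1d3f5a7c9e2b4d6f8a.6a3f9c1b2e4d7a8f0c5e1b9d3a7f2c4e.tunnel.example",
]

if __name__ == "__main__":
    found, fanout = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['client']} -> {f['domain']}: len={f['length']} entropy={f['entropy']:.2f}")
    print(fanout)
```

The two TXT queries are flagged on length and entropy, while the ordinary A lookups are not; the fan-out table separately shows one client reaching two distinct subdomains of the same domain, the pattern that grows with every exfiltrated chunk. Entropy alone is a weak signal (CDN and cloud hostnames are often random-looking), which is why the length check is combined with it and why the thresholds are meant to be tuned against a baseline of the environment's own traffic.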

To protect its command-and-control (C2) communications, PDFSider uses the Botan 3.0.0 cryptographic library and AES-256-GCM encryption, decrypting incoming data in memory to reduce its footprint on the compromised host.

Because GCM is an Authenticated Encryption with Associated Data (AEAD) mode, the same operation also authenticates the traffic, so a message that has been modified in transit fails verification instead of being decrypted and acted on.

“This type of cryptographic implementation is typical of remote shell malware used in targeted attacks, where maintaining the integrity and confidentiality of communications is critical,” Resecurity notes.

[Figure: PDFSider operational overview. Source: Resecurity]

In addition, the malware incorporates several anti-analysis mechanisms, including RAM size checks and debugger detection, allowing it to exit early when it detects signs of sandbox execution.

Based on its assessment, Resecurity concludes that PDFSider aligns more closely with “espionage tradecraft than financially motivated malware” and functions as a stealthy backdoor designed to maintain long-term covert access while enabling flexible remote command execution and encrypted communications.




Source: BleepingComputer
