Fortune 100 Firm Hit by New PDFSider Windows Malware

Summary
– A new malware strain called PDFSider was used in a ransomware attack against a finance sector company, delivered via spearphishing emails with a malicious DLL hidden alongside a legitimate, signed PDF24 Creator executable.
– The malware employs DLL side-loading, using the legitimate executable’s signature to bypass security, and loads directly into memory to minimize disk artifacts for stealth.
– PDFSider acts as a backdoor for long-term access, exfiltrating system data over DNS and using strong AES-256-GCM encryption for its command-and-control communications.
– It includes anti-analysis features like RAM checks and debugger detection to evade sandboxes, and researchers note its characteristics align more with espionage than typical financially-motivated malware.
– The malware is actively used by multiple ransomware groups, including Qilin, and researchers note that AI-assisted coding is making vulnerabilities in widely used software easier for attackers to find and exploit.
A major financial institution within the Fortune 100 has been targeted by a sophisticated cyberattack utilizing a previously unseen malware strain called PDFSider. This incident highlights a growing trend where ransomware groups employ advanced, stealthy backdoors to establish persistent access within corporate networks. The attack chain began with social engineering, where threat actors posed as technical support personnel to deceive employees into installing Microsoft’s legitimate Quick Assist tool, setting the stage for the deployment of the malicious payload.
Security researchers from Resecurity identified PDFSider during their investigation. They describe it as a highly evasive backdoor exhibiting characteristics commonly associated with advanced persistent threat (APT) operations, suggesting a focus on long-term espionage rather than just immediate financial gain. While initially observed in attacks linked to the Qilin ransomware operation, the backdoor is now reportedly being used by multiple distinct ransomware actors, indicating it has become a commoditized tool for initial network access.
The delivery method for this malware is a carefully crafted spearphishing email. The message contains a ZIP archive that holds a legitimate, digitally signed executable for the PDF24 Creator software. This legitimate file is bundled with a malicious Dynamic Link Library (DLL) named `cryptbase.dll`, which the application requires to run. When the victim launches the signed PDF24 executable, it automatically loads the malicious DLL in a technique known as DLL side-loading. This allows the attacker’s code to execute with the same permissions as the trusted application, effectively bypassing many endpoint detection and response (EDR) systems. In some campaigns, attackers used decoy documents, including one falsely attributed to a Chinese government entity, to lend credibility and entice the target to open the file.
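The side-loading pattern described above (a signed executable dropped into a user-writable folder next to a DLL that carries the name of a Windows system library) is something a defender can sweep for. The following is an added example, not code from the article, from Resecurity, or from Bleeping Computer; the file inventory is constructed, the executable name `pdf24-creator.exe` and the signer strings are placeholders, and in practice the signature status of each record would come from an Authenticode check such as sigcheck or `Get-AuthenticodeSignature`.

```python
"""Scan a file inventory for DLL side-loading candidates (added example)."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# DLL names that Windows normally resolves from System32. A copy placed
# beside an .exe is found first in the search order, so it is a side-loading
# candidate. cryptbase.dll is the name used in the PDFSider campaign; the
# other two are well-known System32 libraries added for illustration.
SYSTEM_DLL_NAMES = {"cryptbase.dll", "version.dll", "dbghelp.dll"}

# Locations where an application legitimately ships its own DLLs.
# The second prefix also matches "Program Files (x86)".
TRUSTED_PREFIXES = (r"c:\windows\system32", r"c:\program files")


@dataclass(frozen=True)
class FileRecord:
    path: str          # full Windows path
    signed: bool       # Authenticode signature present and valid
    signer: str = ""   # certificate subject, when signed


def _in_trusted_dir(directory: str) -> bool:
    return directory.lower().startswith(TRUSTED_PREFIXES)


def find_sideload_candidates(records):
    """Return sorted (exe_path, dll_path) pairs matching the pattern:
    a signed .exe and an unsigned system-named .dll in the same untrusted folder."""
    by_dir = {}
    for rec in records:
        p = PureWindowsPath(rec.path)
        by_dir.setdefault(str(p.parent), []).append((p, rec))

    findings = []
    for directory, entries in by_dir.items():
        if _in_trusted_dir(directory):
            continue
        signed_exes = [p for p, r in entries if p.suffix.lower() == ".exe" and r.signed]
        rogue_dlls = [p for p, r in entries
                      if p.name.lower() in SYSTEM_DLL_NAMES and not r.signed]
        for exe in signed_exes:
            for dll in rogue_dlls:
                findings.append((str(exe), str(dll)))
    return sorted(findings)


# Constructed inventory: one extracted phishing archive, one genuine system
# file, one normal application install and one unsigned tool directory.
SAMPLE_INVENTORY = [
    FileRecord(r"C:\Users\alice\Downloads\invoice\pdf24-creator.exe", True, "Example Vendor (placeholder)"),
    FileRecord(r"C:\Users\alice\Downloads\invoice\cryptbase.dll", False),
    FileRecord(r"C:\Users\alice\Downloads\invoice\invoice.pdf", False),
    FileRecord(r"C:\Windows\System32\cryptbase.dll", True, "Microsoft (placeholder)"),
    FileRecord(r"C:\Program Files\Example App\app.exe", True, "Example Vendor (placeholder)"),
    FileRecord(r"C:\Program Files\Example App\helper.dll", True, "Example Vendor (placeholder)"),
    # Unsigned host executable: not the signed-host abuse pattern, so not reported here.
    FileRecord(r"C:\Users\alice\AppData\Local\Temp\tool\tool.exe", False),
    FileRecord(r"C:\Users\alice\AppData\Local\Temp\tool\version.dll", False),
]


if __name__ == "__main__":
    for exe, dll in find_sideload_candidates(SAMPLE_INVENTORY):
        print(f"side-loading candidate: {exe} loads {dll}")
```

The check keys on three things at once: a trusted signature on the host executable, a system DLL name beside it, and a directory where no installer would normally put a system library. Any one of them alone produces noise; together they isolate the signed-host abuse case while leaving genuine System32 copies and vendor helper DLLs alone.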
Once active on a system, PDFSider operates with a strong emphasis on stealth and persistence. It loads directly into the computer’s memory, leaving very few traces on the hard drive. To communicate with its operators, the malware uses anonymous pipes to launch commands and exfiltrates stolen system data over DNS queries on port 53, a method often used to blend in with normal network traffic. Each infected machine is given a unique identifier for tracking.
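Exfiltration over DNS blends in because every host talks to port 53, but the query names themselves look different from ordinary lookups: many unique, long, high-entropy subdomains under one zone from one client. The following is an added example of that detection logic, not code from the article or from the researchers cited; the log format and the zone `telemetry-sync.example` are constructed, and the thresholds are starting points to tune against real resolver logs.

```python
"""Flag DNS zones whose query names look like an exfiltration channel (added example)."""
import math
from collections import Counter, defaultdict


def shannon_entropy(s: str) -> float:
    """Bits per character; hex-encoded data approaches 4.0, words sit well below."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_line(line: str) -> dict:
    # Constructed log format: "<timestamp> <client-ip> <qtype> <qname>"
    _ts, client, qtype, qname = line.split()
    return {"client": client, "qtype": qtype, "qname": qname.rstrip(".").lower()}


def split_qname(qname: str, zone_labels: int = 2):
    """Split 'a.b.example.com' into subdomain 'a.b' and zone 'example.com'."""
    labels = qname.split(".")
    if len(labels) <= zone_labels:
        return "", qname
    return ".".join(labels[:-zone_labels]), ".".join(labels[-zone_labels:])


def find_dns_tunnels(lines, min_unique=5, min_len=30, min_entropy=3.5):
    """Return {zone: stats} for zones with many distinct, long, high-entropy subdomains."""
    per_zone = defaultdict(lambda: {"subs": set(), "clients": set(), "suspicious": 0})
    for line in lines:
        q = parse_line(line)
        sub, zone = split_qname(q["qname"])
        payload = sub.replace(".", "")
        if not payload:
            continue
        stats = per_zone[zone]
        stats["subs"].add(sub)
        stats["clients"].add(q["client"])
        if len(payload) >= min_len and shannon_entropy(payload) >= min_entropy:
            stats["suspicious"] += 1

    flagged = {}
    for zone, stats in per_zone.items():
        if len(stats["subs"]) >= min_unique and stats["suspicious"] >= min_unique:
            flagged[zone] = {
                "unique_subdomains": len(stats["subs"]),
                "suspicious_queries": stats["suspicious"],
                "clients": sorted(stats["clients"]),
            }
    return flagged


HEX = "0123456789abcdef"


def _rot(s: str, k: int) -> str:
    return s[k:] + s[:k]


# Constructed resolver log: ordinary lookups, one CDN name with a short hash
# label (a common false-positive source), and one client pushing 16-byte
# chunks hex-encoded into two labels per query under a single zone.
SAMPLE_LOG = [
    "2024-01-01T09:00:00Z 10.0.0.15 A www.example.com",
    "2024-01-01T09:00:01Z 10.0.0.15 A mail.example.com",
    "2024-01-01T09:00:02Z 10.0.0.22 A api.example.com",
    "2024-01-01T09:00:03Z 10.0.0.22 A d1a2b3c4.cdn.example.org",
] + [
    f"2024-01-01T09:01:{i:02d}Z 10.0.0.15 TXT {_rot(HEX, i)}.{_rot(HEX, i + 8)}.telemetry-sync.example"
    for i in range(6)
]


if __name__ == "__main__":
    for zone, stats in find_dns_tunnels(SAMPLE_LOG).items():
        print(zone, stats)
```

Scoring per zone rather than per query is what keeps the CDN-style hash label from tripping the alert: one short odd-looking name is normal, dozens of long ones under a zone nobody else resolves is not. In production the same aggregation would also pull in query type (TXT and NULL are favoured carriers) and the per-client query rate.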
A key feature of PDFSider is its robust encryption for command-and-control (C2) communications. It utilizes the Botan 3.0.0 cryptographic library with AES-256-GCM encryption, ensuring that all data exchanged between the malware and the attacker’s server remains confidential and tamper-proof. This level of cryptographic implementation is typically reserved for state-sponsored espionage tools or highly sophisticated criminal operations where maintaining covert access is paramount.
The malware also incorporates several anti-analysis and anti-sandbox techniques. These include checks for available RAM and debugger detection, allowing PDFSider to terminate itself if it senses it is running in a controlled security research environment rather than on a genuine target’s computer. Researchers warn that the rise of AI-assisted coding is making it easier for threat actors to identify and exploit vulnerabilities in legitimate software, such as the DLL side-loading weakness abused in PDF24 Creator, to deploy such stealthy payloads. This incident serves as a critical reminder of an evolving threat landscape in which the lines between financially motivated ransomware and espionage-focused intrusions continue to blur.
(Source: Bleeping Computer)