
New PDFSider Windows malware deployed on Fortune 100 firm's network


Ransomware attackers targeting a Fortune 100 company in the finance sector used a new malware strain, dubbed PDFSider, to deliver malicious payloads on Windows systems.

The attackers also used social engineering to gain remote access: they impersonated technical support workers to trick company employees into installing Microsoft's Quick Assist tool.

Researchers at cybersecurity company Resecurity found PDFSider during an incident response and describe it as a stealthy backdoor for long-term access, noting that it shows "characteristics commonly associated with APT tradecraft."

Legit .EXE, malicious .DLL

A Resecurity spokesperson told BleepingComputer that PDFSider has been seen deployed in Qilin ransomware attacks. The company's threat hunting team adds that the backdoor is already "actively used" by multiple ransomware actors to launch their payloads.

The PDFSider backdoor is delivered via spearphishing emails that carry a ZIP archive with a legitimate, digitally signed executable for the PDF24 Creator tool from Miron Geek Software GmbH. The archive also includes a malicious version of a DLL (cryptbase.dll) that the application requires to function properly.

When the executable runs, it loads the attacker's copy of that DLL from its own directory, a technique known as DLL side-loading, and thereby gives the attacker code execution on the system under the cover of a validly signed process.
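The side-loading setup described above leaves a recognisable footprint on disk: a DLL that normally lives in the Windows system directory sitting beside a signed application EXE in a user-writable folder. The following PowerShell script is an added example for incident responders, not code from Resecurity or from the article; it assumes the extracted archives are under the user's Downloads folder (adjust `-Path` as needed) and reports each such DLL with its Authenticode status and SHA-256 so it can be checked against known-good copies.

```powershell
# Added example (not from Resecurity or the article): list DLLs that share a name
# with a Windows system DLL but sit beside an application EXE elsewhere on disk.
param(
    [string]$Path = "$env:USERPROFILE\Downloads"   # assumption: where extracted ZIPs land
)

# Names of DLLs shipped in the Windows system directory (e.g. cryptbase.dll).
$systemDir  = [Environment]::GetFolderPath('System')
$systemDlls = Get-ChildItem -Path $systemDir -Filter '*.dll' -File |
    Select-Object -ExpandProperty Name

function Find-SideloadCandidates {
    param([string]$Root)

    # Every directory under $Root that contains at least one EXE.
    $exeDirs = Get-ChildItem -Path $Root -Recurse -Filter '*.exe' -File -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty DirectoryName -Unique

    foreach ($dir in $exeDirs) {
        # Does a validly signed EXE live here? (The decoy in the article is signed.)
        $signedExe = Get-ChildItem -Path $dir -Filter '*.exe' -File |
            Where-Object { (Get-AuthenticodeSignature -FilePath $_.FullName).Status -eq 'Valid' } |
            Select-Object -First 1

        foreach ($dll in Get-ChildItem -Path $dir -Filter '*.dll' -File) {
            # Only DLL names that also exist in System32 are side-loading candidates.
            if ($systemDlls -notcontains $dll.Name) { continue }

            $sig = Get-AuthenticodeSignature -FilePath $dll.FullName
            [pscustomobject]@{
                Directory       = $dir
                Dll             = $dll.Name
                DllSignature    = $sig.Status              # 'NotSigned' is the red flag here
                DllSigner       = $sig.SignerCertificate.Subject
                SignedExeBeside = [bool]$signedExe
                SignedExeName   = if ($signedExe) { $signedExe.Name } else { $null }
                Sha256          = (Get-FileHash -Path $dll.FullName -Algorithm SHA256).Hash
            }
        }
    }
}

Find-SideloadCandidates -Root $Path | Format-Table -AutoSize
```

A hit where `DllSignature` is `NotSigned` and `SignedExeBeside` is `True` matches the pattern in this article and warrants pulling the DLL for analysis; a signed DLL from the application vendor next to its own EXE is usually benign.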

Figure: the executable's valid digital signature (Source: Resecurity)

In other cases, the attacker tries to trick email recipients into launching the malicious file with decoy documents that appear to be tailored to the targets. In one example, the decoy listed a Chinese government entity as its author.
