Data Security, Malware, Phishing, Security Operations

New PDFSider malware targets finance sector with stealthy backdoor

A new malware strain, dubbed PDFSider, has been used by ransomware attackers to target a Fortune 100 company in the finance sector, delivering malicious payloads to Windows systems. The attackers employed social engineering tactics, impersonating technical support to trick employees into installing the Quick Assist tool. Cybersecurity firm Resecurity discovered PDFSider, describing it as a stealthy backdoor for long-term access with characteristics of advanced persistent threat (APT) tradecraft, Bleeping Computer reports.

PDFSider has been observed in Qilin ransomware attacks and is actively used by multiple ransomware actors. It is delivered via spear-phishing emails containing a ZIP archive with a legitimate PDF24 Creator executable and a malicious cryptbase.dll file. This technique, known as DLL side-loading, causes the legitimate program to load the malicious DLL, which then executes with that program's privileges and evades endpoint detection and response (EDR) systems that trust the signed executable. Attackers exploit vulnerabilities in the PDF24 software to load the malware. PDFSider operates stealthily, loading into memory with minimal disk artifacts and exfiltrating system information over DNS. It encrypts its command-and-control traffic with AES-256-GCM, implemented through the Botan 3.0.0 cryptographic library, and includes anti-analysis features.
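The two delivery and exfiltration traits described above (a Windows system DLL name shipped beside an executable in an archive, and system data leaving over DNS) are both detectable with simple heuristics. The following Python script is an added defender-side example and is not code from the article, Bleeping Computer, or Resecurity. The only detail taken from the report is the DLL name cryptbase.dll; the executable name, the extra DLL names in the watch list, the dnsmasq-style log lines and the entropy and label-length thresholds are constructed assumptions for the demonstration.

```python
import io
import math
import re
import zipfile
from collections import Counter

# Assumption: names of DLLs that a program normally resolves from System32.
# cryptbase.dll is the name reported for PDFSider; the others are placeholders
# added to show that the check is list-driven, not a single-name match.
SYSTEM_DLL_NAMES = {"cryptbase.dll", "version.dll", "dbghelp.dll"}


def find_sideload_candidates(zip_bytes):
    """Return (exe, dll) pairs where a file named like a Windows system DLL
    sits in the same archive directory as an executable: a side-loading
    indicator worth quarantining at the mail gateway."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
    by_dir = {}
    for n in names:
        directory, _, base = n.rpartition("/")
        by_dir.setdefault(directory, []).append(base)
    findings = []
    for directory, files in by_dir.items():
        exes = [f for f in files if f.lower().endswith(".exe")]
        dlls = [f for f in files if f.lower() in SYSTEM_DLL_NAMES]
        for exe in exes:
            for dll in dlls:
                findings.append((f"{directory}/{exe}".lstrip("/"),
                                 f"{directory}/{dll}".lstrip("/")))
    return findings


def shannon_entropy(text):
    """Bits of entropy per character; encoded host data scores high."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


# Matches dnsmasq-style query log lines (constructed format for the sample).
DNS_LOG_RE = re.compile(r"query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<src>\S+)")


def flag_dns_exfil(log_lines, max_label=40, min_entropy=3.5):
    """Flag queries whose subdomain part is unusually long or high-entropy.
    Assumption: the registrable domain is the last two labels."""
    suspicious = []
    for line in log_lines:
        m = DNS_LOG_RE.search(line)
        if not m:
            continue
        labels = m.group("name").rstrip(".").split(".")
        sub_labels = labels[:-2]
        if not sub_labels:
            continue
        entropy = shannon_entropy("".join(sub_labels))
        longest = max(len(label) for label in sub_labels)
        if longest >= max_label or entropy >= min_entropy:
            suspicious.append((m.group("src"), m.group("name"), round(entropy, 2)))
    return suspicious


def build_sample_zip():
    """Constructed archive: a placeholder executable name plus cryptbase.dll."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("PDF24 Creator/pdf24-creator.exe", b"MZ placeholder")
        zf.writestr("PDF24 Creator/cryptbase.dll", b"MZ placeholder")
        zf.writestr("readme.txt", b"constructed sample")
    return buf.getvalue()


SAMPLE_ZIP = build_sample_zip()

# Constructed log lines: two benign lookups and one hex-encoded label.
SAMPLE_DNS_LOG = [
    "Jan 10 10:00:01 dnsmasq[123]: query[A] www.example.com from 10.0.0.5",
    "Jan 10 10:00:02 dnsmasq[123]: query[A] mail.example.com from 10.0.0.5",
    "Jan 10 10:00:03 dnsmasq[123]: query[TXT] "
    "4a6f686e2d504320776f726b73746174696f6e2d30312077696e646f7773.c2.example.net "
    "from 10.0.0.5",
]

if __name__ == "__main__":
    print("side-loading candidates:", find_sideload_candidates(SAMPLE_ZIP))
    print("suspicious DNS:", flag_dns_exfil(SAMPLE_DNS_LOG))
```

The archive check runs before the user ever sees the attachment, so it does not depend on the EDR catching the in-memory payload; the DNS check runs on resolver logs that the malware cannot avoid producing. Both thresholds are starting points to tune against your own baseline.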

The sophistication of PDFSider, with its focus on stealth and long-term access, suggests a move towards espionage-like tactics even within financially motivated attacks. This highlights the evolving threat landscape where attackers leverage software vulnerabilities and advanced techniques to maintain persistent access.

Source: Bleeping Computer
