🤯 Ransomware Shadow: A Deadly Cyber Attack 💥


PDFSider: A New Stealthy Ransomware Threat Emerges
Researchers at Resecurity discovered a novel ransomware strain, PDFSider, targeting a Fortune 100 finance company. The malware, characterized as a stealthy backdoor, exhibits characteristics aligning with known Advanced Persistent Threat (APT) tradecraft and has been linked to ongoing Qilin ransomware attacks. It was reported to be in active deployment by multiple ransomware actors.

Spearphishing Tactics Unleash the Malice
The attackers employed sophisticated social engineering techniques, impersonating technical support personnel to gain remote access. The manipulation began with targeted spearphishing emails carrying a ZIP archive. The archive contained a digitally signed executable for the PDF24 Creator tool together with a malicious DLL, cryptbase.dll, placed beside it so that DLL side-loading runs the attacker's code when the signed executable starts.
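One defender-side check for the side-loading pairing described above, as an added example that is not code from the article or from Resecurity: it flags any load of cryptbase.dll from outside the Windows system directories. The Sysmon ImageLoad-style events and file paths are constructed for illustration.

```python
"""Flag DLL side-loading of cryptbase.dll from a non-system directory.

Added example, not code from the original article or from Resecurity.
The records below are constructed to resemble Sysmon Event ID 7
(ImageLoad) fields; in practice they would come from a SIEM export.
"""
from pathlib import PureWindowsPath

# Directories from which Windows normally serves cryptbase.dll.
SYSTEM_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\syswow64",
}

# Constructed sample events: the first mimics the PDF24 Creator +
# cryptbase.dll pairing in the article, the others are benign loads.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\invoice\pdf24-Creator.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\invoice\cryptbase.dll",
     "Signed": "false", "Signature": ""},
    {"Image": r"C:\Program Files\PDF24\pdf24-Creator.exe",
     "ImageLoaded": r"C:\Windows\System32\cryptbase.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\SysWOW64\cryptbase.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
]


def is_sideload(event: dict) -> bool:
    """True when cryptbase.dll is loaded from outside System32/SysWOW64.

    A copy sitting next to the host executable (search-order hijack) is
    the side-loading signal; an unsigned copy strengthens the finding.
    """
    loaded = PureWindowsPath(event["ImageLoaded"])
    if loaded.name.lower() != "cryptbase.dll":
        return False
    return str(loaded.parent).lower() not in SYSTEM_DIRS


def find_sideloads(events):
    """Return the host executables that side-loaded cryptbase.dll."""
    return [e["Image"] for e in events if is_sideload(e)]


if __name__ == "__main__":
    for image in find_sideloads(SAMPLE_EVENTS):
        print("possible cryptbase.dll side-load by", image)
```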

Technical Deep Dive: PDFSider's Stealth Capabilities
PDFSider is designed for prolonged covert access and flexible remote command execution. It loads directly into memory, minimizing disk artifacts, and uses anonymous pipes to run commands through the Windows command interpreter (CMD). Each infected host is assigned a unique identifier and collects system information, which is exfiltrated to the attacker's VPS server over DNS (port 53).

Encryption and Communication: A Secure Backdoor
To secure its command channel, PDFSider uses the Botan 3.0.0 cryptographic library with AES-256-GCM, an Authenticated Encryption with Associated Data (AEAD) mode that both encrypts the traffic and authenticates it. This implementation underscores its role as a remote shell malware, prioritizing the integrity and confidentiality of command exchanges.

Anti-Analysis Measures: Defending Against Detection
Recognizing the risk of detection in sandbox environments, PDFSider incorporates multiple anti-analysis mechanisms, including RAM size checks and debugger detection, designed to terminate execution early when suspicious activity is identified. This demonstrates a deliberate strategy to evade detection and maintain covert access.

This article is AI-synthesized from public sources and may not reflect original reporting.