APT-Grade PDFSider Malware Used by Ransomware Groups
securityweek
A newly identified malware family with advanced capabilities is being used in targeted attacks, including by multiple ransomware groups, Resecurity reports.
Dubbed PDFSider, the threat was designed to deploy a backdoor with encrypted command-and-control (C&C) capabilities and provide attackers with functionality typically associated with APTs, such as cyberespionage and remote code execution (RCE).
The threat provides an interactive, hidden shell for command execution, and uses the Botan cryptographic library for authenticated encryption, exfiltrating command output via the encrypted communication channel.
PDFSider is sideloaded via the legitimate PDF24 Creator application, which is delivered to victims in a ZIP archive attached to spear-phishing emails. Operating primarily in memory, the malware sets up communication, harvests system information, and starts the backdoor loop.
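The delivery chain above (a legitimate PDF24 Creator binary extracted from an e-mailed ZIP, then sideloading a malicious DLL) leaves a detectable trace: the signed host executable runs from a user-writable folder and loads an unsigned module from that same folder. The following is an added detection example, not code from Resecurity or SecurityWeek; the Sysmon-style ImageLoad records are constructed, and the `pdf24` image-name hint is an assumption rather than an indicator from the report.

```python
"""Flag likely DLL sideloading of a PDF24 Creator executable that was run from
a user-writable location (e.g. an extracted ZIP attachment) and loads an
unsigned DLL sitting next to it. Records mimic Sysmon Event ID 7 (ImageLoad)
fields; all values are constructed samples, not real indicators."""
import ntpath

USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\")
HOST_HINT = "pdf24"  # assumed substring of the sideloading host's image name


def is_user_writable(path):
    return any(m in path.lower() for m in USER_WRITABLE)


def flag_sideload(ev):
    """Return a short reason if the load looks like sideloading, else None."""
    image, loaded = ev["Image"], ev["ImageLoaded"]
    if HOST_HINT not in ntpath.basename(image).lower():
        return None  # not the host application this rule covers
    if not is_user_writable(image):
        return None  # installed copy; sideloading needs a writable directory
    if ntpath.dirname(image).lower() != ntpath.dirname(loaded).lower():
        return None  # DLL did not come from the application's own folder
    if ev.get("Signed", "false").lower() == "true" and ev.get("SignatureStatus") == "Valid":
        return None  # properly signed module next to the exe; likely legitimate
    return (f"{ntpath.basename(image)} loaded unsigned {ntpath.basename(loaded)} "
            f"from {ntpath.dirname(image)}")


def scan(events):
    """Return (index, reason) pairs for every record that trips the rule."""
    return [(i, r) for i, ev in enumerate(events) if (r := flag_sideload(ev))]


# Constructed sample records (no real hosts, paths or file names).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\PDF24\pdf24.exe",
     "ImageLoaded": r"C:\Program Files\PDF24\pdf24-core.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\alice\Downloads\invoice\pdf24.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\invoice\helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Users\alice\Downloads\invoice\pdf24.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for idx, reason in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

Only the second record is flagged: the same executable loading a signed system DLL from System32 is not sideloading, and the installed copy under Program Files is ignored entirely.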
Resecurity says PDFSider was used in an attack against a Fortune 100 corporation, in which the attackers used social engineering and QuickAssist to gain remote access.
However, multiple ransomware groups are ...
Copyright of this story solely belongs to securityweek.