A newly identified malware family with advanced capabilities is being used in targeted attacks, including by multiple ransomware groups, Resecurity reports.
Dubbed PDFSider, the threat was designed to deploy a backdoor with encrypted command-and-control (C&C) capabilities and provide attackers with functionality typically associated with APTs, such as cyberespionage and remote code execution (RCE).
The threat provides an interactive, hidden shell for command execution, and uses the Botan cryptographic library for authenticated encryption, exfiltrating command output via the encrypted communication channel.
PDFSider is sideloaded via the legitimate PDF24 Creator application, which is delivered to victims in a ZIP archive attached to spear-phishing emails. Operating primarily in memory, the malware sets up communication, harvests system information, and starts the backdoor loop.
Resecurity says PDFSider was used in an attack against a Fortune 100 corporation, in which the attackers used social engineering and QuickAssist to gain remote access.
However, multiple ransomware groups are already using it in attacks as a payload delivery method, the cybersecurity firm notes.
A multi-stage environment validation routine allows PDFSider to detect virtual environments and analysis tools, which makes it attractive to cybercriminals.
It also includes AV/EDR evasion, and its delivery via DLL sideloading further helps threat actors evade detection. In fact, Resecurity notes, both APTs and cybercriminals appear to have favored this code execution technique in recent attacks, and recent reports from Acronis and Trellix confirm it.
A popular technique for bypassing security solutions and executing code on Windows systems, DLL sideloading abuses a vulnerable, legitimate application into loading a malicious DLL, which the attacker can then use to achieve persistence or escalate privileges.
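Because sideloading depends on the DLL being resolved from the directory of the legitimate executable instead of from a system directory, that side-by-side load is the signal a defender can hunt for in image-load telemetry. The script below is an added example and is not code from the article or from Resecurity, Acronis or Trellix. It assumes records shaped like the fields of a Sysmon Event ID 7 (ImageLoad) entry (Image, ImageLoaded, Signed, SignatureStatus) and runs over constructed sample records; the executable and DLL names in the samples are made up for the example.

```python
"""Added example: flag image-load records that look like DLL sideloading.

Records mimic the fields of a Sysmon Event ID 7 (ImageLoad) entry. All
sample paths and file names are constructed for this example; none come
from the article or from a real incident.
"""
import ntpath
from dataclasses import dataclass

# Directories the OS resolves its own DLLs from; a module loaded from here
# came through the normal search order, not from next to the EXE.
SYSTEM_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
)

# Path fragments indicating a location an unprivileged user can write to,
# which is where a ZIP attachment extracted from a phishing email lands.
USER_WRITABLE_HINTS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\")


@dataclass(frozen=True)
class ImageLoad:
    image: str             # loading process, e.g. Sysmon 'Image'
    image_loaded: str      # module that was mapped, e.g. Sysmon 'ImageLoaded'
    signed: bool           # Sysmon 'Signed'
    signature_status: str  # Sysmon 'SignatureStatus', e.g. "Valid"


def _norm_dir(path: str) -> str:
    """Lower-cased directory part of a Windows path, with a trailing separator."""
    return ntpath.dirname(path).lower().rstrip("\\") + "\\"


def sideload_reasons(ev: ImageLoad) -> list[str]:
    """Return heuristic reasons this load looks like sideloading (empty = benign).

    The core signal is the side-by-side load: the DLL sits in the same
    directory as the executable rather than in a system directory. Many
    legitimate applications ship their own DLLs that way, so the load is only
    flagged when the DLL is also unsigned/invalidly signed or lives in a
    user-writable location.
    """
    if not ev.image_loaded.lower().endswith(".dll"):
        return []
    exe_dir = _norm_dir(ev.image)
    dll_dir = _norm_dir(ev.image_loaded)
    if dll_dir != exe_dir:
        return []                      # loaded from elsewhere: not side-by-side
    if dll_dir.startswith(SYSTEM_DIRS):
        return []                      # the process itself lives in a system dir
    reasons = []
    if not ev.signed or ev.signature_status.lower() != "valid":
        reasons.append("side-by-side DLL is unsigned or has an invalid signature")
    if any(hint in dll_dir for hint in USER_WRITABLE_HINTS):
        reasons.append("side-by-side DLL lives in a user-writable directory")
    return reasons


def detect(events: list[ImageLoad]) -> list[tuple[str, list[str]]]:
    """Run the heuristic over a batch; return (loaded DLL path, reasons) per hit."""
    hits = []
    for ev in events:
        reasons = sideload_reasons(ev)
        if reasons:
            hits.append((ev.image_loaded, reasons))
    return hits


# Constructed sample records (not from the article or any real telemetry).
SAMPLE_EVENTS = [
    # 1. An EXE extracted from a ZIP in Downloads loads an unsigned DLL from
    #    the same folder: the sideloading pattern the article describes.
    ImageLoad(r"C:\Users\alice\Downloads\invoice\legit-app.exe",
              r"C:\Users\alice\Downloads\invoice\helper.dll",
              signed=False, signature_status="Unavailable"),
    # 2. The same EXE loading a signed OS DLL from System32: normal.
    ImageLoad(r"C:\Users\alice\Downloads\invoice\legit-app.exe",
              r"C:\Windows\System32\kernel32.dll",
              signed=True, signature_status="Valid"),
    # 3. An installed application loading its own validly signed DLL: normal.
    ImageLoad(r"C:\Program Files\Vendor\app.exe",
              r"C:\Program Files\Vendor\vendorlib.dll",
              signed=True, signature_status="Valid"),
    # 4. A system binary loading from its own directory: normal.
    ImageLoad(r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\rpcss.dll",
              signed=True, signature_status="Valid"),
]

if __name__ == "__main__":
    for path, reasons in detect(SAMPLE_EVENTS):
        print(path)
        for reason in reasons:
            print("  -", reason)
```

Only the first sample record is flagged, with both reasons. The heuristic is deliberately conservative about applications installed under Program Files that ship signed DLLs, but it will still surface installed software that loads unsigned plugins from its own directory, so in practice it belongs behind an allowlist of known-good executable/DLL pairs and is best correlated with the process's parent (an archive extractor or mail client) and with outbound connections that follow the load.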
APT and cybercrime groups abusing DLL sideloading
The China-linked APT Mustang Panda, Acronis reports, has used DLL sideloading in a recent campaign targeting US government and policy-related entities in the context of the US-Venezuela conflict.
The state-sponsored espionage group has relied on spear-phishing emails to deliver a ZIP archive containing a legitimate executable and a hidden DLL designed to be sideloaded for the execution of a custom C++ backdoor named LotusElite.
The backdoor can spawn a shell to enable remote code execution (RCE) and the retrieval of command output in real time. Based on received commands, LotusElite can enumerate, create, and modify files.
The implant, Acronis notes, appears to be used as a staging or beaconing server, as the attackers were seen connecting multiple times to the infected endpoints.
The use of DLL sideloading in fresh Mustang Panda attacks, however, is not surprising, as the APT is known for employing the technique for payload execution and detection evasion.
Last week, Trellix detailed the abuse of the legitimate Ahost.exe utility, a component of the open source C-ares library, for DLL sideloading in attacks involving commodity malware such as information stealers and remote access trojans (RATs).
Likely relying on phishing and using localized filenames in Arabic, English, Farsi, Portuguese, and Spanish, the attackers abused DLL sideloading to infect victims with malware families such as AgentTesla, FormBook, Lumma Stealer, Vidar, CryptBot, Remcos, QuasarRAT, DCRat, and XWorm.