PDFSIDER, a sophisticated backdoor analyzed by Resecurity, is actively being used by cybercriminals to bypass antivirus and EDR products. It gets onto the host by abusing DLL side-loading against the PDF24 Creator executable and establishes a backdoor that leaves minimal artifacts on disk.
Delivery and Exploitation Method
PDFSIDER is delivered through spear-phishing emails carrying a ZIP archive that looks harmless. The archive contains an executable that presents itself as PDF24 Creator; when the victim runs it, the malicious work is done through DLL side-loading: a malicious cryptbase.dll placed next to the executable is loaded in place of the legitimate cryptbase.dll from System32.
Because the executable itself carries a valid digital signature, signature-based checks see a trusted binary while the malicious code rides in the unsigned DLL beside it. The technique relies on the Windows DLL search order, which looks in the application's own directory before the system directory, so a DLL dropped beside the EXE wins over the same-named system DLL. This does not work for DLLs on the KnownDLLs list, which are always resolved from System32; cryptbase.dll is not on the default list, which is one reason it is a popular side-loading target.
Technical Behavior and Anti-Detection
Once running, PDFSIDER uses the Botan 3.0.0 cryptographic library with AES-256-GCM to encrypt its communications. It operates mainly in memory, which keeps disk artifacts to a minimum. Commands are executed through hidden cmd.exe processes, and the malware uses system calls to collect details such as the current username and process identifiers.
To frustrate analysis, PDFSIDER checks for virtual machines and attached debuggers and exits early when it believes it is running in a sandbox, so automated analysis may never observe its real behaviour.
Indicators and Defensive Measures
The key indicator of compromise is a malicious cryptbase.dll sitting outside System32 alongside the PDF24 executable. Defenders should restrict where executables may run (for example, blocking execution from user-writable locations such as Downloads and extracted archives), scrutinize email attachments, and watch DNS queries and encrypted traffic patterns for command-and-control (C2) channels.
- cryptbase.dll: malicious variant with hash 298cbfc6a5f6fa041581233278af9394 (32 hex characters, MD5 length).
Configure EDR to alert on DLL side-loading, in particular a system DLL name loaded from a non-system directory, and on non-system modules loaded into signed processes.
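The search-order abuse described under Delivery and Exploitation Method and the EDR monitoring recommended above can be turned into a concrete hunt. The following Python is an added example written for this page, not code from Resecurity or from the PDF24 project: it scans constructed Sysmon Event ID 7 (ImageLoad) records for a system DLL name loaded from a non-system directory, compares the loaded module's MD5 with the published cryptbase.dll hash, and scans an application directory for DLLs that shadow system DLL names. The sample events, the watchlist entries other than cryptbase.dll, and the system-directory list are assumptions for illustration.

```python
"""
Hunt for DLL side-loading of cryptbase.dll (and similar) in Sysmon Event ID 7
(ImageLoad) records and check loaded-module hashes against a known IOC.
The records below are constructed for this example; they are not real
telemetry from the PDFSIDER incident.
"""
import ntpath
import os
import tempfile

# Hash published for the malicious cryptbase.dll.
IOC_MD5 = "298cbfc6a5f6fa041581233278af9394"

# Directories Windows legitimately loads system DLLs from (assumed list).
SYSTEM_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\winsxs",
)

# DLL names worth watching. cryptbase.dll is the one named in the report;
# the others are assumed examples of commonly side-loaded system DLL names.
WATCHLIST = {"cryptbase.dll", "version.dll", "dbghelp.dll", "wtsapi32.dll"}

# Constructed Sysmon Event ID 7 records (not real logs).
SAMPLE_EVENTS = [
    {   # side-loaded from an extracted archive, hash matches the IOC
        "Image": r"C:\Users\alice\Downloads\PDF24\pdf24-Creator.exe",
        "ImageLoaded": r"C:\Users\alice\Downloads\PDF24\cryptbase.dll",
        "Hashes": "MD5=298CBFC6A5F6FA041581233278AF9394",
        "Signed": "false",
    },
    {   # legitimate load from System32: expected, not flagged
        "Image": r"C:\Program Files\PDF24\pdf24-Creator.exe",
        "ImageLoaded": r"C:\Windows\System32\cryptbase.dll",
        "Hashes": "MD5=0123456789abcdef0123456789abcdef",
        "Signed": "true",
    },
    {   # an application's own plugin, not a system DLL name: not flagged
        "Image": r"C:\Program Files\SomeApp\app.exe",
        "ImageLoaded": r"C:\Program Files\SomeApp\plugin.dll",
        "Hashes": "MD5=fedcba9876543210fedcba9876543210",
        "Signed": "true",
    },
    {   # unknown hash but same pattern: system DLL name outside System32
        "Image": r"C:\ProgramData\Updater\update.exe",
        "ImageLoaded": r"C:\ProgramData\Updater\version.dll",
        "Hashes": "MD5=00112233445566778899aabbccddeeff",
        "Signed": "false",
    },
]


def parse_hashes(field):
    """Turn Sysmon's 'MD5=..,SHA256=..' string into a lower-cased dict."""
    out = {}
    for item in field.split(","):
        if "=" in item:
            algo, value = item.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def is_system_path(path):
    """True when the path sits under a directory Windows loads DLLs from."""
    norm = path.replace("/", "\\").lower()
    return any(norm.startswith(d + "\\") for d in SYSTEM_DIRS)


def hunt_image_loads(events, ioc_md5=IOC_MD5, watchlist=WATCHLIST):
    """Return side-loading findings, each with the event paths and reasons."""
    findings = []
    for ev in events:
        loaded = ev["ImageLoaded"]
        if ntpath.basename(loaded).lower() not in watchlist:
            continue
        if is_system_path(loaded):
            continue  # expected location for a system DLL
        reasons = ["system DLL name loaded outside a system directory"]
        md5 = parse_hashes(ev.get("Hashes", "")).get("MD5")
        if md5 == ioc_md5.lower():
            reasons.append("MD5 matches known-malicious cryptbase.dll")
        if ev.get("Signed", "").lower() != "true":
            reasons.append("loaded module is unsigned")
        findings.append({"Image": ev["Image"], "ImageLoaded": loaded,
                         "reasons": reasons})
    return findings


def shadowed_dlls(app_dir, system_dll_names):
    """DLLs in app_dir whose names collide with system DLL names."""
    names = {n.lower() for n in system_dll_names}
    return {f for f in os.listdir(app_dir) if f.lower() in names}


def demo_shadowed():
    """Build a constructed application directory and scan it."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("pdf24-Creator.exe", "cryptbase.dll", "plugin.dll"):
            open(os.path.join(d, name), "wb").close()
        return shadowed_dlls(d, WATCHLIST)


if __name__ == "__main__":
    for f in hunt_image_loads(SAMPLE_EVENTS):
        print(f["ImageLoaded"], "->", "; ".join(f["reasons"]))
    print("shadowed:", demo_shadowed())
```

In production, feed the hunt a real Sysmon export, replace WATCHLIST with the actual contents of System32 (or a curated list of commonly side-loaded DLLs), and treat a hit where the loading process is signed but the module is not as the highest-priority case, since that is exactly the pattern the valid signature on the PDF24 executable is meant to hide.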
MITRE ATT&CK Mapping
Resecurity maps PDFSIDER's behaviour to the MITRE ATT&CK framework as follows: DLL Side-Loading (T1574.002), Windows Command Shell (T1059.003), Debugger Evasion (T1622), System Information Discovery (T1082), and Non-Application Layer Protocol (T1095) for its command and control.
Resecurity's findings give a comprehensive view of the PDFSIDER threat and underline the need for vigilance and preventive controls against side-loading in user-writable locations.