Overview
- The campaign delivers a ZIP attachment containing a digitally signed PDF24 executable and a malicious cryptbase.dll to trigger DLL side-loading.
- Resecurity identified the malware during an incident at a Fortune 100 financial firm where attackers impersonated technical support and pushed Microsoft's Quick Assist.
- PDFSIDER executes largely in memory with no visible console, runs commands via cmd.exe, and employs anti-VM and debugger checks to thwart analysis.
- The backdoor uses the Botan library with AES-256-GCM for an encrypted C2 channel and exfiltrates data over DNS on port 53 to leased VPS infrastructure.
- Resecurity classifies the tradecraft as APT-like and reports use in Qilin ransomware attacks and adoption by multiple ransomware actors, while any links to espionage groups such as Mustang Panda remain unconfirmed.
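The delivery pattern in the first bullet (a legitimate signed executable zipped next to a DLL that carries a Windows system DLL name) is something a mail gateway or triage script can flag before the archive is ever opened. The following Python example is added here and is not code from the Resecurity report or from the PDF24 project; it inspects a ZIP in memory and reports any executable that ships beside a DLL from a side-load watchlist. `cryptbase.dll` is taken from the summary above; the other watchlist names, the archive paths and the fake PE bodies in the samples are constructed assumptions for illustration, and Authenticode verification of the executable is deliberately left to a separate step.

```python
from __future__ import annotations

import io
import zipfile
from dataclasses import dataclass
from typing import Dict, List, Tuple

# cryptbase.dll is the side-loaded DLL named in the campaign summary above. The other
# entries are an illustrative assumption: Windows DLL names that an executable resolves
# from its own directory before System32, so a copy shipped next to an .exe is a red flag.
SIDELOAD_DLL_NAMES = {"cryptbase.dll", "version.dll", "dbghelp.dll"}

PE_MAGIC = b"MZ"  # DOS header signature shared by .exe and .dll files


@dataclass(frozen=True)
class Finding:
    directory: str
    executable: str
    dll: str
    reason: str


def _is_pe(data: bytes) -> bool:
    return data[:2] == PE_MAGIC


def triage_zip(zip_bytes: bytes) -> List[Finding]:
    """Return one Finding per (executable, watchlisted DLL) pair that share a folder
    inside the archive. Side-loading needs co-location, so entries in different
    folders are not paired. Authenticode status of the executable is not checked
    here; do that separately on a Windows host (signtool / Get-AuthenticodeSignature)."""
    findings: List[Finding] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        by_dir: Dict[str, List[Tuple[str, zipfile.ZipInfo]]] = {}
        for member in zf.infolist():
            if member.is_dir():
                continue
            directory, _, name = member.filename.rpartition("/")
            by_dir.setdefault(directory, []).append((name, member))

        for directory, entries in by_dir.items():
            exes = [(n, m) for n, m in entries
                    if n.lower().endswith(".exe") and _is_pe(zf.read(m))]
            dlls = [(n, m) for n, m in entries if n.lower().endswith(".dll")]
            for exe_name, _ in exes:
                for dll_name, dll_member in dlls:
                    if dll_name.lower() not in SIDELOAD_DLL_NAMES:
                        continue
                    reason = "Windows system DLL name shipped beside an executable"
                    if not _is_pe(zf.read(dll_member)):
                        reason += " (body is not a PE image; renamed or corrupt)"
                    findings.append(Finding(directory, exe_name, dll_name, reason))
    return findings


def _build_zip(files: Dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, data in files.items():
            zf.writestr(path, data)
    return buf.getvalue()


# Constructed sample standing in for the lure archive. File names are placeholders,
# not the campaign's real artifacts; the MZ-prefixed bodies are fake PE stubs.
def build_suspicious_sample() -> bytes:
    return _build_zip({
        "PDF24 Invoice/pdf24-signed-placeholder.exe": PE_MAGIC + b"\x90" * 62,
        "PDF24 Invoice/cryptbase.dll": PE_MAGIC + b"\x00" * 62,
        "PDF24 Invoice/README.txt": b"open the attached document",
    })


# Constructed benign archive: a lone PDF, nothing to pair.
def build_benign_sample() -> bytes:
    return _build_zip({"statement/statement.pdf": b"%PDF-1.7 constructed sample"})


if __name__ == "__main__":
    for label, sample in (("suspicious", build_suspicious_sample()),
                          ("benign", build_benign_sample())):
        hits = triage_zip(sample)
        print(f"{label}: {len(hits)} finding(s)")
        for h in hits:
            print(f"  {h.directory}/{h.executable} + {h.dll}: {h.reason}")
```

The grouping by archive folder is the important design choice: a DLL and an executable only form a side-loading pair when they will land in the same directory on extraction, so pairing across folders would generate noise without adding coverage. Tune `SIDELOAD_DLL_NAMES` from the system DLLs your own software inventory shows being resolved from application directories.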