
"The attack did not begin with a technical feat, but with convincing social manipulation. Employees of the affected company were contacted by telephone by attackers posing as IT support. The goal was to persuade victims to install Microsoft Quick Assist so attackers could remotely view and control their systems. This approach increased the chances of success because the tool used is legitimate and permitted within many organizations."
"The package also contains a malicious DLL that the program loads. This technique, known as DLL side-loading, allows malicious code to be executed without triggering security software alarms immediately. Once active, PDFSider runs largely in memory, leaving little trace on the hard drive. The malware process collects system information, assigns each infected machine a unique identification number, and sends this data via DNS traffic to infrastructure controlled by the attackers."
Ransomware operators used social-engineering phone calls to pose as IT support and convince employees to install Microsoft Quick Assist, granting remote control. Attackers distributed PDFSider via targeted phishing ZIP attachments containing a legitimate, digitally signed PDF24 Creator executable plus a malicious DLL, enabling DLL side-loading. PDFSider operates primarily in memory to avoid disk artifacts, behaves as a stealthy backdoor for long-term access, collects system details, assigns unique IDs to infected hosts, and transmits data over encrypted DNS channels. The malware has appeared alongside Qilin ransomware but is employed by multiple criminal groups as an initial access and persistence tool.
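The DNS channel described above is the part of this tradecraft a defender can see from the network, so here is an added detection example (written for this page, not code from the Techzine article or from the PDFSider malware). It runs a few heuristics over constructed resolver log lines: many distinct subdomains under one registrable domain, long labels, high per-label entropy (encoded data rather than hostnames), and a leading label that stays constant across queries, which is what a per-host identifier like the one the article mentions would look like. The log format, the domain names, the hex host ID and the thresholds are all assumptions for illustration; real PDFSider indicators are not on this page.

```python
"""
Added example (not from the Techzine article or PDFSider itself): a small
heuristic detector for DNS-based beaconing/exfiltration, run over constructed
sample resolver log lines. Log format, domains, host IDs and thresholds are
assumptions for illustration only.
"""
import math
import re
from collections import defaultdict

# Constructed sample log in a simplified "timestamp client qtype qname" layout.
# The example-c2.test queries mimic the pattern the article describes: a constant
# per-host identifier label followed by varying encoded payload labels.
SAMPLE_DNS_LOG = """\
2024-05-02T09:00:01 10.0.0.12 A   www.microsoft.com
2024-05-02T09:00:02 10.0.0.12 A   login.microsoftonline.com
2024-05-02T09:00:05 10.0.0.12 TXT 7a3f9c1e4b2d8f06a1c3.e5d7b9f1a3c5e7d9b1f3.example-c2.test
2024-05-02T09:00:35 10.0.0.12 TXT 7a3f9c1e4b2d8f06a1c3.0f2e4d6c8b9a1c3e5d7f.example-c2.test
2024-05-02T09:01:05 10.0.0.12 TXT 7a3f9c1e4b2d8f06a1c3.9b8a7c6d5e4f3a2b1c0d.example-c2.test
2024-05-02T09:01:35 10.0.0.12 TXT 7a3f9c1e4b2d8f06a1c3.c3d5e7f9a1b3d5f7e9a1.example-c2.test
2024-05-02T09:01:40 10.0.0.15 A   cdn.example.com
2024-05-02T09:01:41 10.0.0.15 A   static.example.com
2024-05-02T09:01:42 10.0.0.15 A   img.example.com
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(label: str) -> float:
    """Bits per character: random hex caps at 4.0, base32 at 5.0, real words sit well below."""
    if not label:
        return 0.0
    n = len(label)
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_dns_log(text: str) -> list:
    """Parse the constructed log format into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, qtype, qname = m.groups()
        records.append({"ts": ts, "client": client, "qtype": qtype.upper(),
                        "qname": qname.lower().rstrip(".")})
    return records


def registrable_domain(qname: str) -> str:
    """Naive last-two-labels split; a real deployment should use the public suffix list."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def analyze_dns(records: list, min_unique: int = 3, min_avg_label: int = 16,
                min_avg_entropy: float = 3.0) -> dict:
    """Return per-registrable-domain metrics and a 'suspicious' verdict.

    A domain is flagged when it receives several distinct subdomains whose labels
    are both long and high-entropy, i.e. look like encoded data, not hostnames.
    'host_id' is the leading label if it stays constant while the rest varies,
    the shape a per-infected-machine identifier would take in query names.
    """
    per_domain = defaultdict(list)
    for r in records:
        per_domain[registrable_domain(r["qname"])].append(r)

    findings = {}
    for domain, recs in per_domain.items():
        prefixes = set()
        lengths, entropies = [], []
        for r in recs:
            prefix = r["qname"][: -len(domain)].rstrip(".")
            if not prefix:
                continue  # a query for the apex itself carries no encoded labels
            prefixes.add(prefix)
            for lab in prefix.split("."):
                lengths.append(len(lab))
                entropies.append(shannon_entropy(lab))
        if not lengths:
            continue
        avg_label = sum(lengths) / len(lengths)
        avg_entropy = sum(entropies) / len(entropies)
        first_labels = {p.split(".")[0] for p in prefixes}
        host_id = next(iter(first_labels)) if len(first_labels) == 1 and len(prefixes) > 1 else None
        findings[domain] = {
            "unique_subdomains": len(prefixes),
            "avg_label_len": round(avg_label, 2),
            "avg_entropy": round(avg_entropy, 2),
            "host_id": host_id,
            "suspicious": (len(prefixes) >= min_unique and avg_label >= min_avg_label
                           and avg_entropy >= min_avg_entropy),
        }
    return findings


if __name__ == "__main__":
    for domain, f in analyze_dns(parse_dns_log(SAMPLE_DNS_LOG)).items():
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {domain:22} n={f['unique_subdomains']} "
              f"len={f['avg_label_len']} H={f['avg_entropy']} host_id={f['host_id']}")
```

Two caveats for anyone adapting this: the entropy threshold is tuned for hex and base32 payloads, so a channel that pads with dictionary words will slip under it, and the last-two-labels domain split will misgroup names under suffixes such as co.uk; swap in the public suffix list before pointing this at production resolver logs. Short per-host labels that repeat across beacons are a stronger signal than any single high-entropy query, which is why the host-ID heuristic is reported separately.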
Read at Techzine Global