Hackers Exploiting PDF24 App to Deploy Stealthy PDFSIDER Backdoor

Brownie2019

Mar 9, 2019
A new cybersecurity threat has been discovered that exploits a common office tool to create a backdoor. The malware, known as PDFSIDER, was recently identified by the research firm Resecurity after a Fortune 100 corporation successfully blocked an attempt to break into its network.

This investigation, which was shared with Hackread.com, reveals a highly organised campaign designed to evade modern security systems.

How Legitimate Software is Being Manipulated

Full Story:
What’s described in that article is essentially a “living-off-trust” loader: the attacker ships a legitimate, signed “PDF24 App” executable alongside a malicious DLL, then relies on DLL side-loading so Windows loads the attacker’s DLL when the EXE starts. ([resecurity.com](https://www.resecurity.com/blog/article/pdfsider-malware-exploitation-of-dll-side-loading-for-av-and-edr-evasion))

What Resecurity is actually reporting (key points)
  • Initial access is via targeted spear‑phishing with a ZIP attachment that contains a legitimate “PDF24 App” EXE plus a malicious cryptbase.dll placed in the same folder (DLL side-loading). ([resecurity.com](https://www.resecurity.com/blog/article/pdfsider-malware-exploitation-of-dll-side-loading-for-av-and-edr-evasion))
  • The backdoor (PDFSIDER) is described as operating largely in-memory and using an encrypted C2 channel implemented with the Botan crypto library (AES‑256‑GCM). ([resecurity.com](https://www.resecurity.com/blog/article/pdfsider-malware-exploitation-of-dll-side-loading-for-av-and-edr-evasion))
  • Anti-analysis / sandbox evasion is present (e.g., RAM checks via GlobalMemoryStatusEx and debugger checks). ([resecurity.com](https://www.resecurity.com/blog/article/pdfsider-malware-exploitation-of-dll-side-loading-for-av-and-edr-evasion))
  • Resecurity also mentions social engineering via QuickAssist in at least one intrusion attempt they investigated. ([resecurity.com](https://www.resecurity.com/blog/article/pdfsider-malware-exploitation-of-dll-side-loading-for-av-and-edr-evasion))
  • Resecurity lists one observed C2 IP (45.76.9.248) and sample hashes for “clean” PDF24 components vs the malicious cryptbase.dll. ([resecurity.com](https://www.resecurity.com/blog/article/pdfsider-malware-exploitation-of-dll-side-loading-for-av-and-edr-evasion))

Important clarification (to avoid false conclusions)
This does not automatically mean “PDF24 is malware.” The reported technique is bundling a legitimate binary with a malicious side-loaded DLL inside a ZIP and getting the user to run it. That’s a common tradecraft pattern: the legitimate app is used as a trusted loader, and the malicious DLL is the payload. ([resecurity.com](https://www.resecurity.com/blog/article/pdfsider-malware-exploitation-of-dll-side-loading-for-av-and-edr-evasion))

Practical defensive takeaways for home users and orgs
  • Block or heavily scrutinize ZIP attachments (especially “PDF tools” delivered via email) and enforce “no execution from Downloads/Temp” where possible (AppLocker/WDAC or similar).
  • Hunt for suspicious “portable app in a random folder” patterns: PDF24.exe executing from user-writable locations with a local cryptbase.dll next to it is far more suspicious than a normal installation under Program Files.
  • If you use Microsoft Defender, consider enabling Attack Surface Reduction (ASR) rules that reduce risk from email-delivered content and suspicious process behavior (org setting).
  • Network monitoring: watch for unusual outbound activity over DNS/port 53 from endpoints that shouldn’t be doing it (Resecurity specifically notes exfil/C2 over DNS port 53). ([resecurity.com](https://www.resecurity.com/blog/article/pdfsider-malware-exploitation-of-dll-side-loading-for-av-and-edr-evasion))

If someone thinks they ran the ZIP / might be impacted
Isolate the machine from the network first, then do full scans with reputable AV/EDR, and share relevant logs in MalwareTips’ malware removal area so trained helpers can validate what’s actually present (rather than guessing from symptoms).

Sources
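The "portable app in a random folder" hunt from the defensive takeaways above, written out as runnable detection logic. This is an added example, not code from the post, from Resecurity or from MalwareTips. It assumes Sysmon Event ID 7 (image loaded) records exported as `Key: value|Key: value` lines (the sample lines are constructed), that cryptbase.dll is the only system DLL name of interest (extend the set from your own gold image), and a default Windows layout for the user-writable folder list; all of those are assumptions.

```python
"""Detection logic for the DLL side-loading pattern described in the post.

Flags Sysmon Event ID 7 (Image loaded) records where a DLL that normally
lives under %SystemRoot%\\System32 (cryptbase.dll in the PDFSIDER report)
is loaded from somewhere else, and raises the severity when the DLL sits
beside the process image, the image runs from a user-writable folder, or
the DLL is unsigned.
"""
import ntpath
import re
from dataclasses import dataclass

# DLL names legitimately served from System32. cryptbase.dll is the name
# from the report; extend from your own gold-image inventory (assumption).
SYSTEM_DLL_NAMES = {"cryptbase.dll"}
WINDOWS_DIR = "c:\\windows\\"

# User-writable locations on a default Windows layout (assumption).
USER_WRITABLE = re.compile(
    r"^c:\\(users\\[^\\]+\\(downloads|desktop|documents|appdata)\\"
    r"|programdata\\|windows\\temp\\)",
    re.IGNORECASE,
)

SEVERITY = {1: "low", 2: "medium", 3: "high", 4: "high"}


@dataclass
class Finding:
    process: str
    dll: str
    severity: str
    reasons: list


def parse_event(line):
    """Parse a 'Key: value|Key: value' line (constructed Sysmon-7 export) into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def check_image_load(event):
    """Return a Finding for a suspicious image load, or None if it looks benign."""
    image = event.get("Image", "")
    loaded = event.get("ImageLoaded", "")
    if ntpath.basename(loaded).lower() not in SYSTEM_DLL_NAMES:
        return None                       # not a system DLL name: out of scope
    if loaded.lower().startswith(WINDOWS_DIR):
        return None                       # loaded from the Windows dir: expected
    reasons = ["system DLL name loaded from outside %SystemRoot%"]
    if ntpath.dirname(loaded).lower() == ntpath.dirname(image).lower():
        reasons.append("DLL sits in the same folder as the process image")
    if USER_WRITABLE.match(image):
        reasons.append("process image runs from a user-writable folder")
    if event.get("Signed", "").lower() == "false":
        reasons.append("DLL is unsigned")
    return Finding(image, loaded, SEVERITY[len(reasons)], reasons)


def hunt(lines):
    """Run the check over exported event lines; return findings with severity."""
    findings = []
    for line in lines:
        finding = check_image_load(parse_event(line))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample export: one side-load from Downloads, one legitimate
# install, one unrelated DLL, one vendor app shipping its own cryptbase.dll.
SAMPLE_EVENTS = [
    r"EventID: 7|Image: C:\Users\alice\Downloads\PDF24_Invoice\pdf24.exe"
    r"|ImageLoaded: C:\Users\alice\Downloads\PDF24_Invoice\cryptbase.dll|Signed: false",
    r"EventID: 7|Image: C:\Program Files\PDF24\pdf24.exe"
    r"|ImageLoaded: C:\Windows\System32\cryptbase.dll|Signed: true",
    r"EventID: 7|Image: C:\Users\alice\Downloads\tool.exe"
    r"|ImageLoaded: C:\Users\alice\Downloads\helper.dll|Signed: false",
    r"EventID: 7|Image: C:\Program Files\Vendor\app.exe"
    r"|ImageLoaded: C:\Program Files\Vendor\cryptbase.dll|Signed: true",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f.severity.upper(), f.process, "->", f.dll)
        for r in f.reasons:
            print("   -", r)
```

On the sample data the Downloads case comes out as "high" (all four indicators), the normal Program Files install produces nothing, and a vendor application that legitimately bundles a DLL with a system name lands at "medium", which is the tier worth a quick allow-list review rather than an alert. Scoring on stacked indicators rather than on the DLL name alone is what keeps the rule from paging on every portable app.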