A technical analysis by Resecurity found that ransomware attackers targeting a Fortune 100 finance company deployed a new Windows backdoor named PDFSider to deliver malicious payloads and maintain covert access.
KEY FACTS
- Malware: PDFSider Windows backdoor
- Target: Fortune 100 finance firm
- Delivery: DLL side-loading using a signed PDF24 Creator EXE in a ZIP
- Use: Linked to Qilin and used by multiple ransomware actors
- Communication: DNS exfiltration and AES-256-GCM encrypted C2
The backdoor is delivered in spearphishing ZIP attachments that contain a legitimately signed PDF24 Creator executable and a malicious cryptbase.dll. When the executable runs it loads the attacker’s DLL through DLL side-loading and executes code under the EXE’s privileges.
PDFSider loads code directly into memory to reduce disk artifacts. It uses anonymous pipes to launch commands via CMD and assigns each infected host a unique identifier before collecting system information.
Command and control traffic is sent to an attacker VPS over DNS on port 53. Communications use the Botan 3.0.0 cryptographic library with AES-256-GCM, an authenticated (AEAD) encryption mode. Incoming data is decrypted in memory to minimize traces on the host.
The malware includes anti-analysis checks such as RAM size validation and debugger detection so it can exit when run in a sandbox. The backdoor’s design and encrypted remote shell features support covert long-term access and flexible command execution.
WHY IT MATTERS
PDFSider’s memory-only loading and encrypted DNS communications increase detection and investigation challenges for defenders. Organizations should audit use of signed third-party tools and monitor for anomalous DNS traffic and side-loading patterns.
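As an added example (not part of Resecurity's analysis), the following Python rule shows one way to monitor for the side-loading pattern described above: it scans Sysmon Event ID 7 (Image loaded) style records and flags a Windows system DLL such as cryptbase.dll being loaded from anywhere other than the system directories. The sample events, the PDF24 executable file name and the extra DLL names beyond cryptbase.dll are constructed assumptions for the example.

```python
import ntpath

# Constructed Sysmon Event ID 7 style records. The third one mirrors the
# delivery chain in the article: a signed PDF24 Creator EXE dropped in a
# user-writable folder loads cryptbase.dll from its own directory instead
# of from System32. The EXE file name is an assumption for this example.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\PDF24\pdf24-creator.exe",
     "ImageLoaded": r"C:\Windows\System32\cryptbase.dll", "Signed": "true"},
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\SysWOW64\cryptbase.dll", "Signed": "true"},
    {"Image": r"C:\Users\jdoe\AppData\Local\Temp\invoice\pdf24-creator.exe",
     "ImageLoaded": r"C:\Users\jdoe\AppData\Local\Temp\invoice\cryptbase.dll",
     "Signed": "false"},
]

# DLL names that Windows ships only in its system directories. cryptbase.dll
# is the one named in the article; the other entries are assumptions added here.
SYSTEM_DLLS = {"cryptbase.dll", "version.dll", "dwmapi.dll", "userenv.dll"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def sideload_finding(event):
    """Return a finding dict if the event looks like DLL side-loading, else None.

    Rule: a DLL that should only exist under System32/SysWOW64 was loaded from
    somewhere else. The signature of the loading EXE is deliberately ignored,
    because in the PDF24 case the EXE is legitimately signed and must not be
    treated as a trust signal.
    """
    dll_dir, dll_name = ntpath.split(event["ImageLoaded"])
    if dll_name.lower() not in SYSTEM_DLLS:
        return None
    if ntpath.normpath(dll_dir).lower() in SYSTEM_DIRS:
        return None
    exe_dir = ntpath.dirname(event["Image"])
    return {
        "process": event["Image"],
        "dll": event["ImageLoaded"],
        # DLL sitting next to the EXE is the classic side-loading layout.
        "colocated": ntpath.normpath(exe_dir).lower() == ntpath.normpath(dll_dir).lower(),
        # Sysmon's Signed field describes the loaded DLL, not the EXE.
        "dll_signed": event.get("Signed", "").lower() == "true",
    }


def scan(events):
    """Run the rule over a sequence of image-load events and collect findings."""
    return [f for f in (sideload_finding(e) for e in events) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print("SIDE-LOAD SUSPECT:", finding)
```

Only the third constructed event is reported; the two loads from System32 and SysWOW64 pass as normal.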