{"id":4972,"date":"2024-08-21T14:04:44","date_gmt":"2024-08-21T19:04:44","guid":{"rendered":"https:\/\/www.darkreading.com\/cyberattacks-data-breaches\/taiwan-university-under-fire-from-unique-dll-backdoor"},"modified":"2024-08-21T14:04:44","modified_gmt":"2024-08-21T19:04:44","slug":"taiwan-university-under-fire-from-unique-dll-backdoor","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/08\/21\/taiwan-university-under-fire-from-unique-dll-backdoor\/","title":{"rendered":"Taiwan University Under Fire From Unique DLL Backdoor"},"content":{"rendered":"<div class=\"media_block\"><a href=\"https:\/\/i0.wp.com\/eu-images.contentstack.com\/v3\/assets\/blt6d90778a997de1cd\/blte0536ae1baa2ad89\/66c6358a75ab5e6f502adb63\/door1800_James_Stone_alamy.jpg?ssl=1\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/taiwan-university-under-fire-from-unique-dll-backdoor.jpg?w=640&#038;ssl=1\" class=\"media_thumbnail\"><\/a><\/div>\n<div><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/taiwan-university-under-fire-from-unique-dll-backdoor.jpg?w=640&#038;ssl=1\" class=\"ff-og-image-inserted\"><\/div>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">A never-before-seen backdoor, dubbed Msupedge, is targeting victims in Taiwan, using a unique communications technique.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">After Symantec researchers caught the malware being deployed in an attack on a Taiwan university, they determined it communicates with its command-and-control (C2) server via DNS traffic \u2014 which is a known, but infrequently seen technique, <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/symantec-enterprise-blogs.security.com\/threat-intelligence\/taiwan-malware-dns?amp;web_view=true\" rel=\"noopener\">according to a Symantec blog post this week<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">The backdoor comes in the form of a dynamic link library (DLL), which is installed in two file paths:<\/span><\/p>\n<div data-component=\"basic-list\" class=\"BasicList BasicList_nestedLevel_0 BasicList_variant_ordered BasicList_limited\">\n<ol data-testid=\"basic-list-ordered\" class=\"BasicList-OrderedList BasicList-OrderedList_nestedLevel_0 body-normal\">\n<li>\n<div class=\"BasicList-ListItem BasicList-ListItem_variant_ordered\" readability=\"6\"><span data-component=\"icon\" data-name=\"Circle\" class=\"BasicList-ListIcon BasicList-ListIcon_variant_ordered\"><\/span><\/p>\n<div class=\"BasicList-Item\" readability=\"7\">\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">csidl_drive_fixed\\xampp\\wuplog.dll<\/span><\/p>\n<\/div>\n<\/div>\n<\/li>\n<li>\n<div class=\"BasicList-ListItem BasicList-ListItem_variant_ordered\" readability=\"6\"><span data-component=\"icon\" data-name=\"Circle\" class=\"BasicList-ListIcon BasicList-ListIcon_variant_ordered\"><\/span><\/p>\n<div class=\"BasicList-Item\" readability=\"7\">\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">csidl_system\\wbem\\wmiclnt.dll<\/span><\/p>\n<\/div>\n<\/div>\n<\/li>\n<\/ol>\n<\/div>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">The backdoor then waits to receive commands via DNS traffic, and uses the resolved IP address of the C2 server as an initial command.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">The researchers believe that the initial intrusion was possibly through the exploit of a recently patched <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/www.darkreading.com\/vulnerabilities-threats\/tellyouthepass-ransomware-exploits-critical-php-flaw\" rel=\"noopener\">PHP vulnerability, known as CVE-2024-4577<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">. The bug is a CGI argument injection flaw that affects all versions of PHP installed in unpatched Windows instances. If successful, the exploitation of the bug can lead to remote code execution (RCE).<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">The researchers reported that they have recently discovered several threat actors scanning for vulnerable systems, but &#8220;have found no evidence allowing us to attribute [Msupedge], and the motive behind the attack remains unknown.&#8221;<\/span><\/p>\n<p><a href=\"https:\/\/www.darkreading.com\/cyberattacks-data-breaches\/taiwan-university-under-fire-from-unique-dll-backdoor\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A never-before-seen backdoor, dubbed Msupedge, is targeting victims in Taiwan,<\/p>\n","protected":false},"author":12,"featured_media":4973,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[809],"class_list":["post-4972","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-dark-reading"],"featured_image_urls":{"full":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/taiwan-university-under-fire-from-unique-dll-backdoor-scaled.jpg?fit=2560%2C1440&ssl=1",2560,1440,false],"thumbnail":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/taiwan-university-under-fire-from-unique-dll-backdoor-scaled.jpg?resize=150%2C150&ssl=1",150,150,true],"medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/taiwan-university-under-fire-from-unique-dll-backdoor-scaled.jpg?fit=300%2C169&ssl=1",300,169,true],"medium_large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/taiwan-university-under-fire-from-unique-dll-backdoor-scaled.jpg?fit=640%2C360&ssl=1",640,360,true],"large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/taiwan-university-under-fire-from-unique-dll-backdoor-scaled.jpg?fit=640%2C360&ssl=1",640,360,true],"1536x1536":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/taiwan-university-under-fire-from-unique-dll-backdoor-scaled.jpg?fit=1536%2C864&ssl=1",1536,864,true],"2048x2048":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/taiwan-university-under-fire-from-unique-dll-backdoor-scaled.jpg?fit=2048%2C1152&ssl=1",2048,1152,true],"chromenews-featured":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/taiwan-university-under-fire-from-unique-dll-backdoor-scaled.jpg?fit=1024%2C576&ssl=1",1024,576,true],"chromenews-large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/taiwan-university-under-fire-from-unique-dll-backdoor-scaled.jpg?resize=825%2C575&ssl=1",825,575,true],"chromenews-medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/taiwan-university-under-fire-from-unique-dll-backdoor-scaled.jpg?resize=590%2C410&ssl=1",590,410,true]},"author_info":{"display_name":"Dark Reading","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/darkreading\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","jetpack_featured_media_url":"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/taiwan-university-under-fire-from-unique-dll-backdoor-scaled.jpg?fit=2560%2C1440&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/4972","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=4972"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/4972\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media\/4973"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=4972"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=4972"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=4972"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}