Researchers have uncovered a previously unseen backdoor which was used in an attack on a university in Taiwan.
To infect their victims, the malware operators likely exploited a recently patched PHP vulnerability tracked as CVE-2024-4577, according to researchers at the cybersecurity firm Symantec. The vulnerability primarily affects Windows installations using Chinese and Japanese languages.
Successful exploitation of the vulnerability can lead to remote code execution, Symantec said. Researchers have observed multiple threat actors scanning for vulnerable systems in recent weeks.
“To date, we have found no evidence allowing us to attribute this threat, and the motive behind the attack remains unknown,” they added.
What is special about the malware, which they dubbed Msupedge, is that it uses a technique called Domain Name System (DNS) tunneling to communicate with a server controlled by the hacker.
Compared to more obvious methods like HTTP or HTTPS tunneling, this technique can be harder to detect because DNS traffic is generally considered benign and is often overlooked by security tools.
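DNS tunneling leaves the traffic features the paragraph alludes to: unusually long, high-entropy subdomains, data-carrying record types such as TXT, and a large number of distinct names under one registered domain. The Python below is an added example, not Symantec's code and not a reconstruction of Msupedge's actual protocol; it scores constructed DNS query log lines on those features so a defender can see what the heuristics flag. The log layout (timestamp, client, query type, name), the thresholds, the "last two labels" domain grouping and the placeholder domain are all assumptions.

```python
import math
import re
from collections import defaultdict

# Constructed sample log lines in an assumed "timestamp client qtype qname" layout
# (not real traffic; "c2-placeholder.net" is a placeholder, not a real indicator).
SAMPLE_LOG = """\
2024-08-19T10:00:01Z 10.0.0.5 A www.example.com
2024-08-19T10:00:02Z 10.0.0.5 A mail.example.com
2024-08-19T10:00:03Z 10.0.0.5 AAAA cdn.example.com
2024-08-19T10:00:04Z 10.0.0.7 TXT 3a9f1c4e8b2d7f6a0c1e9b3d5f7a2c4e.6b8d0f2a4c6e8b1d3f5a7c9e1b3d.c2-placeholder.net
2024-08-19T10:00:05Z 10.0.0.7 TXT 9c2e4a6b8d0f1a3c5e7b9d2f4a6c8e0b.1d3f5a7c9e2b4d6f8a0c3e5b7d9f.c2-placeholder.net
2024-08-19T10:00:06Z 10.0.0.7 TXT e7b1d3f5a7c9e2b4d6f8a0c3e5b7d9f1.4a6c8e0b2d4f6a8c0e2b4d6f8a0c.c2-placeholder.net
2024-08-19T10:00:07Z 10.0.0.7 TXT 2b4d6f8a0c3e5b7d9f1a3c5e7b9d2f4a.8e0b2d4f6a8c0e2b4d6f8a0c3e5b.c2-placeholder.net
2024-08-19T10:00:08Z 10.0.0.5 A www.example.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_line(line):
    """Split one log line into its fields; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qtype, qname = m.groups()
    return {"ts": ts, "client": client, "qtype": qtype.upper(),
            "qname": qname.lower().rstrip(".")}


def shannon_entropy(s):
    """Bits per character; encoded payloads score well above ordinary hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Crude 'last two labels' grouping; a real deployment would use the public suffix list."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def score_query(qname, qtype):
    """Per-query heuristics; returns (score, reasons). Higher is more tunnel-like."""
    reasons, score = [], 0
    # Everything left of the registered domain is the part a tunnel would fill with data.
    sub = qname[: -len(registered_domain(qname)) - 1] if qname.count(".") >= 2 else ""
    labels = sub.split(".") if sub else []
    if len(sub) > 50:                                   # assumed threshold
        score += 2; reasons.append("long_subdomain")
    if shannon_entropy(sub.replace(".", "")) > 3.5:     # assumed threshold
        score += 2; reasons.append("high_entropy")
    if any(len(label) >= 30 for label in labels):       # assumed threshold
        score += 1; reasons.append("oversized_label")
    if qtype in ("TXT", "NULL"):                        # record types that carry payloads
        score += 1; reasons.append("txt_query_type")
    return score, reasons


def analyze(log_text, flag_threshold=4):
    """Aggregate per registered domain; returns {domain: summary} with a 'flagged' verdict."""
    per_domain = defaultdict(lambda: {"queries": 0, "names": set(), "score_sum": 0, "reasons": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        dom = registered_domain(rec["qname"])
        score, reasons = score_query(rec["qname"], rec["qtype"])
        d = per_domain[dom]
        d["queries"] += 1
        d["names"].add(rec["qname"])
        d["score_sum"] += score
        d["reasons"].update(reasons)
    report = {}
    for dom, d in per_domain.items():
        avg = d["score_sum"] / d["queries"]
        # Many distinct names under one domain is the volume signal of a tunnel, even at lower per-query scores.
        unique_ratio = len(d["names"]) / d["queries"]
        flagged = avg >= flag_threshold or (unique_ratio > 0.9 and d["queries"] >= 4 and avg >= 2)
        report[dom] = {"queries": d["queries"], "unique_names": len(d["names"]),
                       "avg_score": round(avg, 2), "flagged": flagged, "reasons": sorted(d["reasons"])}
    return report


if __name__ == "__main__":
    for dom, summary in analyze(SAMPLE_LOG).items():
        if summary["flagged"]:
            print(f"{dom}: {summary}")
```

In practice the scores would be fed by resolver or passive-DNS logs rather than an inline string, and the thresholds tuned against a baseline of the organization's normal names, since CDN hostnames and some anti-spam lookups also produce long, high-entropy labels.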
Earlier in June, researchers discovered a campaign by suspected Chinese state-sponsored hackers, known as RedJuliett, targeting dozens of organizations in Taiwan, including universities, state agencies, electronics manufacturers, and religious organizations.
Like many other Chinese threat actors, the group likely targeted vulnerabilities in internet-facing devices such as firewalls and enterprise VPNs for initial access because these devices often have limited visibility and security solutions, researchers said.
In August, a Taiwanese government-affiliated research institute working on sensitive technologies was breached by one of China’s most infamous hacker groups, APT41. The hackers deployed the ShadowPad malware along with several additional tools that were written in Simplified Chinese.
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.