In response to emerging cyber threats, the government of Pakistan has released a cybersecurity advisory cautioning against the ‘Dead Glyph Backdoor.’ The advisory, issued by the cabinet division, highlights the activities of Advanced Persistent Threat (APT) groups utilizing the ‘Dead Glyph Backdoor’ to target global government entities and critical infrastructure.
Described as an ‘x64 native binary’ and ‘.Net assembly exploit code,’ the Dead Glyph serves as an entry point for hackers aiming to exploit Windows-based operating systems. The advisory outlines the backdoor’s tactics, indicating that it targets online systems through malicious scripts attached to impersonated files. The backdoor exploit code then infiltrates the online system, saving fake DLL files in the Windows C Drive.
Subsequently, the fake DLL file executes second-stage malware through unauthorized PowerShell script issuance, extracting critical user data. To evade detection, the malware shares this information with the attacker using a random network communication timing pattern.
In response to this threat, the cabinet division urges ministries and departments to implement robust cybersecurity measures. Recommendations include system hardening and whitelisting at all levels, from OS and BIOS to hardware and software. The advisory emphasizes the installation of reputable and licensed cybersecurity solutions such as antivirus, anti-malware, firewalls, SIEM, SOAR, IPS/IDS, and NMS. Regular manual inspections of the C Drive System32 folder are also advised to detect any suspicious file creation activity.
To bolster defense against the Dead Glyph Backdoor, the government advisory suggests ongoing monitoring of domain controllers for signs of malware infection. Additionally, departments are encouraged to examine endpoints and network logs regularly to identify anomalous network traffic. Outbound network connections from specific executables, such as powershell.exe, winword.exe, notepad.exe, and others, are recommended to be blocked.
Further preventive measures include blacklisting unnecessary Windows commands and utilities and restricting the execution of scripts with specific extensions. The advisory calls for the establishment of a Sender Policy Framework (SPF) for domains to prevent email spoofing and recommends application whitelisting. Strict implementation of Software Restriction Policies (SRP) to block binaries running from %APPDATA% and %TEMP% paths is also advised.
In the interest of maintaining cybersecurity resilience, the government advisory advocates regular updates for Microsoft Windows vulnerabilities and other installed software. Endpoints are advised to disable Remote Desktop Protocol (RDP) when not required and patch against the latest vulnerabilities. Establishing a site-to-site VPN for remote access and adopting a zero-trust architecture for service access are additional cybersecurity measures. The advisory also underscores the importance of regular updates to anti-malware solutions and performing backups of critical information to mitigate the impact of data or system loss and expedite the recovery process.
