Govt Issues Warning for Windows Users in Pakistan

zesham

The government of Pakistan has issued a cyber security advisory against ‘Dead Glyph Backdoor’. 

According to the advisory issued by the cabinet division, Advanced Persistent Threat (APT) groups are targeting global government entities and critical infrastructure through the ‘Dead Glyph Backdoor’. 

According to the advisory, Dead Glyph consists of an ‘x64 native binary’ and ‘.Net assembly exploit code’, and attackers use it as an entry method to exploit Windows-based operating systems.

According to the advisory, the Dead Glyph backdoor targets Windows-based online systems through ‘impersonated’ files that have malicious scripts attached.

It also attacks the online system through backdoor exploit code and then saves fake DLL files on the Windows C drive. The fake DLL file then executes second-stage malware by launching unauthorized PowerShell scripts. It extracts the user’s critical data and sends it to the attacker using a random network communication timing pattern to avoid detection.

The cabinet division has asked the ministries and departments to ensure proper system hardening and whitelisting at all levels including OS, BIOS, hardware, software, etc. 

It also recommends installing reputable, licensed anti-virus, anti-malware, firewall, SIEM, SOAR, IPS/IDS and NMS solutions, and regularly inspecting the System32 folder on the C drive manually for any suspicious file creation activity.

The advisory has asked the government departments to regularly monitor domain controllers for signs of malware infection and to examine the endpoints and network logs on a regular basis to detect anomalous network traffic. 

It also recommends blocking outbound network connections from powershell.exe, winword.exe, notepad.exe, explorer.exe, bitsadmin.exe, mshta.exe, excel.exe, and eqnedt32.exe.
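One way to apply this particular recommendation on a Windows endpoint, as an added example that is not from the advisory or the article: a PowerShell script that creates per-program outbound block rules in Windows Defender Firewall for the executables listed above. It assumes the standard install paths for the Windows binaries, locates the Office binaries by searching the Program Files trees, and uses a hypothetical rule group name so the rules can be removed together.

```powershell
# Added example (not the advisory's or the article's own code). Run from an
# elevated PowerShell session on Windows 8 / Server 2012 or later.
$RuleGroup = 'Advisory outbound block'   # hypothetical group name, used for rollback
$DryRun    = $true                       # set to $false to actually create the rules

# Windows binaries at their usual locations (assumed standard layout; both
# 64-bit and 32-bit copies are covered where they exist).
$Fixed = @(
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\System32\notepad.exe",
    "$env:SystemRoot\explorer.exe",
    "$env:SystemRoot\System32\bitsadmin.exe",
    "$env:SystemRoot\System32\mshta.exe",
    "$env:SystemRoot\SysWOW64\mshta.exe"
)

# Office binaries: install paths vary, so search the Program Files trees.
$OfficeNames = 'winword.exe', 'excel.exe', 'eqnedt32.exe'
$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$OfficePaths = foreach ($name in $OfficeNames) {
    Get-ChildItem -Path $Roots -Recurse -Filter $name -File -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty FullName
}

# Keep only paths that exist on this machine, and create one rule per binary.
$Targets = @($Fixed) + @($OfficePaths) |
    Where-Object { Test-Path -LiteralPath $_ } | Sort-Object -Unique

foreach ($exe in $Targets) {
    $display = "$RuleGroup - $exe"
    if (Get-NetFirewallRule -DisplayName $display -ErrorAction SilentlyContinue) {
        Write-Host "Rule already present for $exe"
        continue
    }
    # Block all outbound traffic from this program on every network profile.
    New-NetFirewallRule -DisplayName $display -Group $RuleGroup -Direction Outbound `
        -Program $exe -Action Block -Profile Any -Enabled True -WhatIf:$DryRun | Out-Null
    Write-Host "Outbound block rule created for $exe"
}

# Rollback, if a rule turns out to break a required workflow (explorer.exe in
# particular reaches the network for legitimate reasons on some systems):
#   Get-NetFirewallRule -Group 'Advisory outbound block' | Remove-NetFirewallRule
```

Test with `$DryRun = $true` first and review the `-WhatIf` output, then switch it off and confirm with `Get-NetFirewallRule -Group 'Advisory outbound block'`.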

The advisory has suggested blacklisting the Windows commands and utilities that end-users do not require, and blocking execution of all scripts with .vbs, .vbe, .hta, .js, .wsh, .wsf, .com, .pif and .ps1 extensions.

It has asked the departments to establish a Sender Policy Framework (SPF) for their domains; SPF is an email validation system designed to prevent spam attachments by detecting email spoofing.

It has also suggested ensuring application whitelisting and strict implementation of Software Restriction Policies (SRP) to block binaries running from %APPDATA% and %TEMP% paths. 

It has asked the departments to regularly patch Microsoft Windows and other installed software against vulnerabilities, to disable RDP on all endpoints where it is not required, and to patch it against all the latest vulnerabilities where it is.

It also recommends establishing site-to-site VPN for remote access, with a zero trust architecture for accessing services.

The advisory has also asked government departments to regularly update antimalware solutions running on endpoints in enterprise environments as well as standalone systems and perform regular backups of all critical information to limit the impact of data or system loss and to help expedite the recovery process.
