CONFERENCE On Demand: Cyber AI & Automation Summit - Watch Now
Connect with us

Hi, what are you looking for?


Malware & Threats

New Dripion Backdoor Powers Targeted Attacks in Taiwan

Custom Backdoor Used in Targeted Attacks with Command and Control Servers Disguised as Antivirus Company Sites

Researchers at Symantec have discovered a new backdoor Trojan being used in attacks against companies mainly located in Taiwan, but also against organizations in Brazil and the United States.

Custom Backdoor Used in Targeted Attacks with Command and Control Servers Disguised as Antivirus Company Sites

Researchers at Symantec have discovered a new backdoor Trojan being used in attacks against companies mainly located in Taiwan, but also against organizations in Brazil and the United States.

Dubbed Backdoor.Dripion by Symantec, the malware is custom-built and has been created mainly to steal information in a series of targeted attacks, researchers say. Moreover, Symantec discovered that the Trojan’s operators focused on disguising their activities by using domain names masqueraded as websites of antivirus companies for their command and control (C&C) servers.

Dripion is believed to be tied to an organization involved in cyberespionage campaigns, and Symantec researchers associated it with Budminer, an advanced threat group previously known to have used the Taidoor Trojan, Symantec’s Jon DiMaggio explains.

So far, the malware has been used by a single attacker against a small target group, and researchers discovered that it was being deployed using the Blugger Trojan downloader. This malicious application, which has been in use at least since 2011, uses encryption to make its communication with the C&C server more difficult to detect.

However, researchers managed to discover that the downloader requested URLs of publicly available blogs to retrieve Dripion for installation. Most of the blogs were related to news events, yet Symantec is unsure whether they were created by the attackers themselves or if they were compromised to serve malware.

After installation, Dripion provides the attacker with access to the victim’s computer, as it includes the functionally typically found in a backdoor Trojan. After a successful compromise, its operators can upload, download, and steal pre-determined information from the victim (computer’s name and IP address are automatically sent to the C&C server), and can also execute remote commands.

The Trojan supports commands such as sleep for 10 minutes, attempt to delete itself and kill all operations, disconnect from the computer, write data on the victim’s computer or on a remote open file, create a new process, and execute command and redirect result through pipe to .tmp file and Download file.

Advertisement. Scroll to continue reading.

According to Symantec, the developer of Dripion malware used XOR encoding for both the binary configuration file and network requests with the C&C server. The researchers also discovered multiple variations of the Trojan, as well as version numbers hardcoded within the malware and suggest that attackers can update their code to include new capabilities and make detection more difficult.

Researchers linked the Trojan to the Budminer group because they used the Blugger downloader to distribute the Taidoor Trojan before, and because the downloader was previously used exclusively to distribute that piece of malware. Moreover, they found that one of the Blugger samples associated with Dripion connected to a domain also used in Taidoor-related activity.

In addition to using the same unique downloader as Taidoor, Dripion uses the same blogs for distribution, has a similar target window, and shares the C&C infrastructure at the root domain level with Taidoor. Moreover, their downloader encrypts data using the victim’s MAC address as the RC4 key, which further connects the new threat to the Budminer cyberespionage group, although the two malware families do not share code.

Dripion, Taidoor Connection

Dripion was first used in a campaign in September 2015, but the timestamp on the earliest known sample suggests that the Trojan might have been created in 2013, Symantec says. In fact, Symantec researchers were able to validate known Dripion activity in November 2014, but suggest that previous campaigns possibly happened before that, but went undetected because of the very small target group.

Symantec also says that the group managed to deceive potential targets by creating multiple domains with names similar to that of legitimate companies and websites in the antivirus industry, which are actually C&C domains used in attacks.

The group also relied on typo-squat domains to carry out attacks, a tactic frequently used to trick victims.

The Taidoor malware hasn’t been used in any new campaigns since 2014, mainly because the group decided to change tactics to avoid detection, the security researchers assume.

In 2014, Taidoor-related zero-day exploit attacks were spotted targeting the CVE-2014-1761 vulnerability in Microsoft Word. In November 2015, a remote access Trojan (RAT) called GlassRAT, which managed to stay under the radar for several years, was said to contain code similar to Taidoor.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.