    Hackers Exploit PHP Vulnerability to Deploy Stealthy Msupedge Backdoor

    A newly identified backdoor called Msupedge has been used in a cyberattack targeting a university in Taiwan.

    “The most notable feature of this backdoor is that it communicates with a command-and-control (C&C) server via DNS traffic,” the Symantec Threat Hunter Team, part of Broadcom, stated in a report shared with The Hacker News.

    The origins of the Msupedge backdoor and the attackers’ objectives remain unknown.

    Initial access to the system likely occurred through the exploitation of a recently discovered critical vulnerability in PHP (CVE-2024-4577, CVSS score: 9.8), which can be used to achieve remote code execution.

    Msupedge is a dynamic-link library (DLL) installed in the paths “csidl_drive_fixed\xampp” and “csidl_system\wbem.” One of the DLLs, wuplog.dll, is executed by the Apache HTTP server (httpd), while the parent process for the second DLL is not yet clear.

    The most significant feature of Msupedge is its use of DNS tunneling to communicate with its C&C server, using code based on the open-source dnscat2 tool.

    “It receives commands by performing name resolution,” Symantec noted. “Msupedge not only receives commands via DNS traffic but also uses the resolved IP address of the C&C server (ctl.msedeapi[.]net) as a command.”

    Specifically, the third octet of the resolved IP address acts as a switch case, determining the behavior of the backdoor. The octet value is reduced by seven, and its hexadecimal representation triggers specific responses. For example, if the third octet is 145, the derived value becomes 138 (0x8a).

    Msupedge supports the following commands:

    • 0x8a: Create a process using a command received via a DNS TXT record
    • 0x75: Download a file using a download URL received via a DNS TXT record
    • 0x24: Sleep for a predetermined time interval
    • 0x66: Sleep for a predetermined time interval
    • 0x38: Create a temporary file at “%temp%\1e5bf625-1678-zzcv-90b1-199aa47c345.tmp” with an unknown purpose
    • 0x3c: Delete the file “%temp%\1e5bf625-1678-zzcv-90b1-199aa47c345.tmp”
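The octet-to-command mapping described above is simple enough to reproduce in a small analysis helper, which is useful when reviewing DNS resolver logs for hosts that resolved the reported C&C domain. The following script is an added example, not code from the article or from Symantec: it parses constructed resolver log lines, flags queries for `ctl.msedeapi.net` (the page's defanged `ctl.msedeapi[.]net`) or its subdomains, and for A-record answers derives the command code exactly as the article describes (third octet minus seven, shown in hex) so an analyst can tell which branch the backdoor would have taken. The log line format, the sample IP addresses and the handling of a third octet below seven (treated as no valid command) are assumptions made for the example.

```python
import ipaddress
import re
from typing import Optional

# Command codes Symantec documented for Msupedge (from the article).
MSUPEDGE_COMMANDS = {
    0x8A: "create process from command in DNS TXT record",
    0x75: "download file from URL in DNS TXT record",
    0x24: "sleep for predetermined interval",
    0x66: "sleep for predetermined interval",
    0x38: "create temporary .tmp file in %temp%",
    0x3C: "delete temporary .tmp file in %temp%",
}

# C&C domain reported in the article (defanged there as ctl.msedeapi[.]net).
C2_DOMAIN = "ctl.msedeapi.net"

# Assumed resolver log shape for this example:
#   <timestamp> client=<ip> qname=<name> qtype=<type> answer=<data>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) "
    r"qtype=(?P<qtype>\S+) answer=(?P<answer>.+)$"
)


def derive_command(resolved_ip: str) -> Optional[int]:
    """Command code Msupedge derives from a resolved IPv4 address.

    Per the article: take the third octet and subtract seven; the result
    (in hex) selects the switch case. A third octet below seven would go
    negative; the article does not say how the backdoor handles that, so
    this example (assumption) returns None for it.
    """
    third_octet = ipaddress.IPv4Address(resolved_ip).packed[2]
    value = third_octet - 7
    return value if value >= 0 else None


def classify(resolved_ip: str):
    """Return (code, description) for a resolved address."""
    code = derive_command(resolved_ip)
    return code, MSUPEDGE_COMMANDS.get(code, "no documented command")


def scan_dns_log(lines):
    """Flag resolver log lines touching the C&C domain and decode A answers."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # malformed or unrelated line shape; skip
        qname = m["qname"].rstrip(".").lower()
        # dnscat2-style tunnels put data in subdomain labels, so match those too.
        if qname != C2_DOMAIN and not qname.endswith("." + C2_DOMAIN):
            continue
        rec = {
            "ts": m["ts"], "client": m["client"], "qname": qname,
            "qtype": m["qtype"], "answer": m["answer"], "code": None,
        }
        if m["qtype"] == "A":
            try:
                rec["code"], rec["meaning"] = classify(m["answer"])
            except ValueError:
                rec["meaning"] = "unparseable A answer"
        else:
            # TXT answers carry the command text / download URL, not a code.
            rec["meaning"] = "TXT channel (command arguments or payload URL)"
        findings.append(rec)
    return findings


# Constructed sample log lines; the addresses are made up for this example.
SAMPLE_DNS_LOG = [
    "2024-08-19T10:00:01Z client=10.0.5.22 qname=www.example.com. qtype=A answer=198.51.100.7",
    "2024-08-19T10:00:02Z client=10.0.5.22 qname=ctl.msedeapi.net. qtype=A answer=203.0.145.10",
    "2024-08-19T10:00:03Z client=10.0.5.22 qname=ctl.msedeapi.net. qtype=TXT answer=\"cmd-data\"",
    "2024-08-19T10:05:03Z client=10.0.5.22 qname=ctl.msedeapi.net. qtype=A answer=203.0.43.10",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for f in scan_dns_log(SAMPLE_DNS_LOG):
        code = "-" if f["code"] is None else f"0x{f['code']:02x}"
        print(f"{f['ts']} {f['client']} {f['qtype']:<4} {f['answer']:<18} {code:<5} {f['meaning']}")
```

Running the script on the constructed sample prints three flagged lines: the first A answer (third octet 145) decodes to 0x8a, the article's "create process" case; the TXT query is flagged as the channel that would carry the command text; and the second A answer (third octet 43) decodes to 0x24, the sleep case. In a real deployment the interesting signal is any internal host resolving this domain at all, with the decoded code giving the analyst a quick read on what the implant was told to do.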

    This development coincides with the activities of the UTG-Q-010 threat group, which has been linked to a new phishing campaign that uses cryptocurrency and job-related lures to distribute an open-source malware known as Pupy RAT.

    “The attack chain involves the use of malicious .lnk files with an embedded DLL loader, ultimately leading to the deployment of the Pupy RAT payload,” Symantec said. “Pupy is a Python-based Remote Access Trojan (RAT) with capabilities such as reflective DLL loading and in-memory execution, among others.”
