Unseen Msupedge Malware Exploits PHP Flaw CVE-2024-4577 in Taiwanese University Cyberattack

Backdoor.Msupedge

A new and sophisticated backdoor, dubbed Backdoor.Msupedge, has been identified in a recent cyberattack targeting a university in Taiwan. Symantec’s security researchers have uncovered this previously unseen malware, which employs a rarely used technique to communicate with its command-and-control (C&C) server via DNS traffic.

Msupedge, a dynamic link library (DLL), has been found lurking in the depths of compromised systems. It leverages DNS tunneling, based on the publicly available dnscat2 tool, for its clandestine communications. By performing name resolution, it receives commands and even encodes the results of command executions as fifth-level domains for exfiltration.

The Backdoor.Msupedge malware’s capabilities include creating processes, downloading files, creating temporary files, and implementing sleep functions, all managed through its DNS-based communication channel.

The standout feature of Msupedge is its use of DNS tunneling for C&C communication. This method, while known in the cybersecurity world, is infrequently seen in the wild. The malware uses DNS name resolution to receive commands, effectively hiding its malicious traffic within what appears to be normal DNS queries.

Msupedge’s DNS tunneling technique is based on the publicly available dnscat2 tool, repurposed to suit the backdoor’s needs. The malware communicates with its C&C server, ctl.msedeapi[.]net, and uses a unique method to interpret commands based on the resolved IP address.

The third octet of the resolved IP address serves as a switch case that dictates the backdoor’s behavior: the malware subtracts seven from the octet and branches on the result. For instance, if the third octet is 145, the malware interprets this as 138 (0x8a in hexadecimal) and executes the command that case corresponds to.

The use of DNS for command transmission is particularly notable because it allows the malware to blend in with regular network traffic, making it harder for traditional security tools to detect.
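As an added example, not code from the original article or from Symantec’s research, the following Python sketch applies the indicators described above to constructed DNS resolver log lines: it flags fifth-level-or-deeper names built from encoded-looking labels (the dnscat2-style pattern), counts queries per C&C base domain, and records the third-octet switch value of each resolved address. The log format, the hex-label heuristic, the thresholds and all sample values except the ctl.msedeapi.net domain are assumptions.

```python
import re
from collections import defaultdict

# Constructed resolver log lines: "<client> <query name> <resolved A record>".
# The hex labels and client/answer addresses are made up; ctl.msedeapi.net
# is the C&C domain named in the article.
SAMPLE_LOG = """\
10.0.0.5 www.example.com 93.184.216.34
10.0.0.7 6a4b8c1d.0d7e9f2a.3c5b1e4f.a1b2c3d4.ctl.msedeapi.net 10.20.145.1
10.0.0.7 7b5c9d2e.1e8fa03b.4d6c2f50.b2c3d4e5.ctl.msedeapi.net 10.20.145.2
10.0.0.7 8c6dae3f.2f9fb14c.5e7d3061.c3d4e5f6.ctl.msedeapi.net 10.20.150.3
10.0.0.9 cdn.example.net 203.0.113.10
"""

# Heuristic (assumed): a label of 8+ hex characters looks like encoded data.
HEX_LABEL = re.compile(r"^[0-9a-f]{8,}$", re.IGNORECASE)

def tunnel_indicators(qname):
    """Count labels and encoded-looking labels in a query name."""
    labels = qname.rstrip(".").lower().split(".")
    hex_labels = [l for l in labels if HEX_LABEL.match(l)]
    return {"labels": len(labels), "hex_labels": len(hex_labels),
            "encoded_chars": sum(len(l) for l in hex_labels)}

def switch_value(answer):
    """Third octet of the resolved address minus seven, matching the
    article's example (145 is read as 138, 0x8a)."""
    return int(answer.split(".")[2]) - 7

def analyse(log=SAMPLE_LOG, min_labels=5, min_hex_labels=2):
    """Return (flagged queries, query count per C&C base domain)."""
    flagged, per_domain = [], defaultdict(int)
    for line in log.strip().splitlines():
        client, qname, answer = line.split()
        ind = tunnel_indicators(qname)
        # Fifth-level-or-deeper names made of encoded labels are the
        # dnscat2-style pattern the article describes.
        if ind["labels"] >= min_labels and ind["hex_labels"] >= min_hex_labels:
            base = ".".join(qname.split(".")[-3:])  # e.g. ctl.msedeapi.net
            per_domain[base] += 1
            flagged.append({"client": client, "qname": qname, "answer": answer,
                            "switch": switch_value(answer), **ind})
    return flagged, dict(per_domain)

if __name__ == "__main__":
    for hit in analyse()[0]:
        print(hit["client"], hit["qname"], hit["answer"], hex(hit["switch"]))
```

A single host issuing many such deep, encoded queries to one base domain is the volume signal worth alerting on; the switch value is only a triage aid for analysts reviewing the resolved answers.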

Symantec’s analysis suggests that the initial intrusion was likely facilitated by the exploitation of a recently patched PHP vulnerability, CVE-2024-4577. This vulnerability, a CGI argument injection flaw affecting all versions of PHP on Windows, can lead to remote code execution when successfully exploited.

In recent weeks, multiple threat actors have been observed scanning for systems vulnerable to this flaw, and it appears that the attackers behind Msupedge capitalized on this weakness to gain initial access. However, despite extensive analysis, Symantec has yet to determine the identity of the attackers or their ultimate motive.
