Hackers Exploit PHP Vulnerability to Deploy Stealthy Msupedge Backdoor

Avatar
A previously undocumented backdoor named Msupedge has been put to use against a cyber attack targeting an unnamed university in Taiwan. “The most notable feature of this backdoor is that it communicates with a command-and-control (C&C) server via DNS traffic,” the Symantec Threat Hunter Team, part of Broadcom, said in a report shared with The Hacker News. The origins of the backdoor are
[[{“value”:”

A previously undocumented backdoor named Msupedge has been put to use against a cyber attack targeting an unnamed university in Taiwan.

“The most notable feature of this backdoor is that it communicates with a command-and-control (C&C) server via DNS traffic,” the Symantec Threat Hunter Team, part of Broadcom, said in a report shared with The Hacker News.

The origins of the backdoor are presently unknown as are the objectives behind the attack.

The initial access vector that likely facilitated the deployment of Msupedge is said to involve the exploitation of a recently disclosed critical flaw impacting PHP (CVE-2024-4577, CVSS score: 9.8), which could be used to achieve remote code execution.

The backdoor in question is a dynamic-link library (DLL) that’s installed in the paths “csidl_drive_fixedxampp” and “csidl_systemwbem.” One of the DLLs, wuplog.dll, is launched by the Apache HTTP server (httpd). The parent process for the second DLL is unclear.

The most notable aspect of Msupedge is its reliance on DNS tunneling for communication with the C&C server, with code based on the open-source dnscat2 tool.

“It receives commands by performing name resolution,” Symantec noted. “Msupedge not only receives commands via DNS traffic but also uses the resolved IP address of the C&C server (ctl.msedeapi[.]net) as a command.”

Specifically, the third octet of the resolved IP address functions as a switch case that determines the behavior of the backdoor by subtracting seven from it and using its hexadecimal notation to trigger appropriate responses. For example, if the third octet is 145, the newly derived value translates to 138 (0x8a).

The commands supported by Msupedge are listed below –

0x8a: Create a process using a command received via a DNS TXT record
0x75: Download file using a download URL received via a DNS TXT record
0x24: Sleep for a predetermined time interval
0x66: Sleep for a predetermined time interval
0x38: Create a temporary file “%temp%1e5bf625-1678-zzcv-90b1-199aa47c345.tmp” who’s purpose is unknown
0x3c: Delete the file “%temp%1e5bf625-1678-zzcv-90b1-199aa47c345.tmp”

The development comes as the UTG-Q-010 threat group has been linked to a new phishing campaign that leverages cryptocurrency- and job-related lures to distribute an open-source malware called Pupy RAT.

“The attack chain involves the use of malicious .lnk files with an embedded DLL loader, ending up in Pupy RAT payload deployment,” Symantec said. “Pupy is a Python-based Remote Access Trojan (RAT) with functionality for reflective DLL loading and in-memory execution, among others.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

“}]] The Hacker News 

Total
0
Shares
Previous Post

Anatomy of an Attack

Next Post

Iranian hackers targeted Jewish figure with malware attached to podcast invite, researchers say

Related Posts

Chinese APT Gelsemium Targets Linux Systems with New WolfsBane Backdoor

The China-aligned advanced persistent threat (APT) actor known as Gelsemium has been observed using a new Linux backdoor dubbed WolfsBane as part of cyber attacks likely targeting East and Southeast Asia. That's according to findings from cybersecurity firm ESET based on multiple Linux samples uploaded to the VirusTotal platform from Taiwan, the Philippines, and Singapore in March 2023.
Avatar
Read More

Iranian Hackers Deploy WezRat Malware in Attacks Targeting Israeli Organizations

Cybersecurity researchers have shed light on a new remote access trojan and information stealer used by Iranian state-sponsored actors to conduct reconnaissance of compromised endpoints and execute malicious commands. Cybersecurity company Check Point has codenamed the malware WezRat, stating it has been detected in the wild since at least September 1, 2023, based on artifacts uploaded to the
Avatar
Read More