A newly discovered backdoor named Msupedge has been deployed in a cyber attack against an unnamed university in Taiwan. The backdoor is notable for its use of DNS traffic to communicate with its command-and-control (C&C) server, according to the report.
The attack likely began by exploiting a critical vulnerability in PHP (CVE-2024-4577, CVSS score: 9.8), which could allow remote code execution. Once the vulnerability was exploited, the Msupedge backdoor was installed as a dynamic-link library (DLL) in specific paths on the targeted system, including “csidl_drive_fixed\xampp\” and “csidl_system\wbem\.” One of the DLLs, wuplog.dll, is launched by the Apache HTTP server, though the parent process for the second DLL remains unidentified.
The most distinctive feature of Msupedge is its use of DNS tunneling to receive commands from the C&C server, utilizing code based on the open-source dnscat2 tool.
The backdoor executes commands by resolving domain names and interpreting the resolved IP address, specifically its third octet, as a trigger for different actions. For instance, a third octet of 145 is converted by a simple arithmetic step into one of the command codes listed below.
Msupedge supports a variety of commands, including:
– 0x8a: Create a process using a command received via a DNS TXT record.
– 0x75: Download a file using a URL received via a DNS TXT record.
– 0x24/0x66: Sleep for a predetermined time interval.
– 0x38: Create a temporary file in the system’s temp directory.
– 0x3c: Delete the previously created temporary file.
This development coincides with the discovery of a new phishing campaign linked to the UTG-Q-010 threat group. This campaign uses cryptocurrency- and job-related lures to distribute the open-source malware Pupy RAT, a Python-based Remote Access Trojan.
The attack chain involves malicious .lnk files that contain an embedded DLL loader, ultimately leading to the deployment of Pupy RAT. This malware is capable of reflective DLL loading and in-memory execution, among other functions.
To prevent attacks exploiting the PHP vulnerability associated with the Msupedge backdoor, ensure your PHP version is up-to-date with the latest security patches. Regularly audit your systems for any signs of unauthorized changes or suspicious traffic, particularly DNS communications that could indicate DNS tunneling. Implement strict network segmentation to limit the potential impact of a breach.
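The DNS-based command channel described above, and the advice to watch for DNS communications that could indicate tunneling, can be turned into a concrete check. The following is an added example (not code from the report or from the dnscat2 project) that scores DNS resolver logs per client and zone on three signals common to dnscat2-style channels: many distinct subdomains under one zone, a high share of TXT queries, and high character entropy in the leftmost label. The log format, the sample lines and the thresholds are this example's own constructed assumptions, not published indicators for Msupedge.

```python
import math
from collections import Counter, defaultdict
from dataclasses import dataclass

# Assumed log format (a constructed resolver export, not real traffic from the incident):
# "<epoch> <client_ip> <qtype> <qname>", one query per line.
SAMPLE_LOG = """\
1723900001 10.0.0.5 A www.example.com
1723900002 10.0.0.5 A cdn.example.com
1723900003 10.0.0.7 TXT 7e4a1c9b2d.c2-placeholder.test
1723900004 10.0.0.7 TXT f03bd81a5e.c2-placeholder.test
1723900005 10.0.0.7 TXT 91c7e2a0b4.c2-placeholder.test
1723900006 10.0.0.7 TXT 2b8f6d0c13.c2-placeholder.test
1723900007 10.0.0.7 TXT d5a09e7f62.c2-placeholder.test
1723900008 10.0.0.7 A 4c1e8b3a97.c2-placeholder.test
1723900009 10.0.0.7 A ab07f5c2d8.c2-placeholder.test
1723900010 10.0.0.7 A 6e2d9a1f05.c2-placeholder.test
1723900011 10.0.0.9 A mail.example.com
1723900012 10.0.0.9 TXT _dmarc.example.com
"""

# Heuristic thresholds; these are this example's assumptions, not published indicators.
MIN_UNIQUE_NAMES = 5      # many distinct subdomains under one zone from one client
TXT_FRACTION = 0.5        # dnscat2-style channels lean heavily on TXT answers
MIN_LABEL_ENTROPY = 3.0   # bits/char; encoded payload labels look random, hostnames do not


@dataclass
class Finding:
    client: str
    zone: str
    queries: int
    unique_names: int
    txt_fraction: float
    mean_entropy: float


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's symbol distribution (0 for empty input)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def registered_zone(qname: str) -> str:
    """Last two labels of a query name. A real deployment would consult the
    public-suffix list; two labels are enough for this example."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_log(text: str):
    """Yield (client, qtype, qname) tuples, skipping malformed lines instead of crashing."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, client, qtype, qname = parts
        yield client, qtype.upper(), qname.lower().rstrip(".")


def detect_tunneling(log_text: str) -> list[Finding]:
    """Group queries by (client, zone) and flag groups whose subdomain churn,
    TXT usage and label randomness together look like a covert DNS channel."""
    groups = defaultdict(list)
    for client, qtype, qname in parse_log(log_text):
        groups[(client, registered_zone(qname))].append((qtype, qname))

    findings = []
    for (client, zone), rows in groups.items():
        names = {q for _, q in rows}
        if len(names) < MIN_UNIQUE_NAMES:
            continue  # too little churn to judge; ordinary hosts query a few fixed names
        txt = sum(1 for t, _ in rows if t == "TXT") / len(rows)
        entropy = sum(shannon_entropy(q.split(".")[0]) for q in names) / len(names)
        if txt >= TXT_FRACTION or entropy >= MIN_LABEL_ENTROPY:
            findings.append(Finding(client, zone, len(rows), len(names), txt, entropy))
    return findings


if __name__ == "__main__":
    for f in detect_tunneling(SAMPLE_LOG):
        print(f"{f.client} -> {f.zone}: {f.queries} queries, {f.unique_names} unique names, "
              f"TXT {f.txt_fraction:.0%}, mean label entropy {f.mean_entropy:.2f} bits")
```

Run it against an export from the recursive resolver rather than from endpoints, since a backdoor that resolves through the system stub resolver leaves no local trace of the answers it received. The thresholds are deliberately conservative to keep CDN and anti-spam lookups (short, dictionary-like labels; a single `_dmarc` TXT query) below the line; tune them against a baseline of your own traffic before alerting on them.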