Security researchers have discovered a novel backdoor named Msupedge that is being used to target an unnamed university in Taiwan. The backdoor exploits the recently revealed PHP vulnerability CVE-2024-4577, allowing remote code execution on the targeted system. The origins of the backdoor and the objective behind the attack are currently unknown.
The backdoor was discovered by Broadcom's Symantec Threat Hunter Team. According to their technical report, the malware uses the aforementioned PHP vulnerability, which carries a critical CVSS score of 9.8, to deploy Msupedge, which then receives and executes commands from a Command and Control (C2) server.
Perhaps the most interesting thing about the new backdoor is its use of DNS tunnelling to communicate with its C2 servers. The code is based on the open-source dnscat2 tool, originally designed to create an encrypted C2 channel over the DNS protocol, which makes it an effective tunnel out of almost any network, since DNS is rarely blocked outbound.
The attack chain generally involves using malicious .lnk files with an embedded DLL loader, which runs a Pupy RAT payload. Pupy is a Python-based Remote Access Tool (RAT) with reflective DLL loading and in-memory execution functionalities, among other means of deploying and executing commands.
The backdoor is deployed in the last stage and currently supports the following commands:
- Case 0x8a: Create process. The command is received via a DNS TXT record.
- Case 0x75: Download file. The download URL is received via a DNS TXT record.
- Case 0x24: Sleep (ip_4 * 86400 * 1000 ms).
- Case 0x66: Sleep (ip_4 * 3600 * 1000 ms).
- Case 0x38: Create %temp%\1e5bf625-1678-zzcv-90b1-199aa47c345.tmp. The purpose of this file is unknown.
- Case 0x3c: Remove %temp%\1e5bf625-1678-zzcv-90b1-199aa47c345.tmp.
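The DNS tunnelling channel described above, and the TXT-record command delivery in the list, leave a recognisable footprint in resolver logs: one client repeatedly querying TXT records whose leftmost label is long and looks like encoded data. The following detector is an added example, not code from the Symantec report or from dnscat2; the log lines, domain names, thresholds and the two-label "registered domain" rule are constructed assumptions.

```python
import math
from collections import defaultdict

# Constructed sample of resolver log lines (timestamp, client, qtype, qname).
# These are made-up values for illustration, not indicators from the report.
SAMPLE_LOG = """\
2024-08-19T10:00:01Z 10.1.2.3 A www.example.com
2024-08-19T10:00:02Z 10.1.2.3 TXT 9f3a7c1b2d4e6f8a0b1c.tun.example-c2.test
2024-08-19T10:00:03Z 10.1.2.3 TXT a1b2c3d4e5f60718293a.tun.example-c2.test
2024-08-19T10:00:04Z 10.1.2.3 TXT 7e2d9c4b1a6f0e5d3c8b.tun.example-c2.test
2024-08-19T10:00:05Z 10.1.2.4 A mail.example.com
2024-08-19T10:00:06Z 10.1.2.4 TXT _dmarc.example.com
"""

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parse_line(line: str) -> dict:
    ts, client, qtype, qname = line.split()
    return {"ts": ts, "client": client, "qtype": qtype, "qname": qname.lower().rstrip(".")}

def registered_domain(qname: str) -> str:
    # Assumption: the last two labels are the registered domain (no public-suffix list).
    return ".".join(qname.split(".")[-2:])

def score_domains(log_text: str, min_txt: int = 3, min_entropy: float = 3.5) -> dict:
    """Group TXT queries by registered domain and return only the domains where
    every TXT query carried a long, high-entropy leftmost label (tunnel-like)."""
    stats = defaultdict(lambda: {"txt": 0, "suspicious": 0, "clients": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["qtype"] != "TXT":      # legitimate A/AAAA traffic is ignored here
            continue
        dom = registered_domain(rec["qname"])
        label = rec["qname"].split(".")[0]
        st = stats[dom]
        st["txt"] += 1
        st["clients"].add(rec["client"])
        if len(label) >= 16 and shannon_entropy(label) >= min_entropy:
            st["suspicious"] += 1
    return {d: s for d, s in stats.items() if s["txt"] >= min_txt and s["suspicious"] == s["txt"]}
```

On the constructed sample, only the tunnel domain is flagged; the `_dmarc` TXT lookup against example.com is short, low-volume and falls below every threshold.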
Researchers have seen multiple threat actors scanning for systems vulnerable to CVE-2024-4577 in recent weeks. However, there’s not enough evidence to attribute the threat to one threat actor, and the motive behind the attack remains unknown.