Stealthy Msupedge Backdoor Exploits PHP Flaw in Cyber Attack on Taiwanese University

August 20, 2024

An unnamed Taiwanese university has fallen victim to a cyber attack in which the attackers deployed a previously undocumented backdoor named Msupedge. The Symantec Threat Hunter Team, part of Broadcom, said in a report that the backdoor's distinguishing feature is that it communicates with its command-and-control (C&C) server over DNS traffic.

The origins of Msupedge remain unclear, as do the intentions behind the attack. The backdoor was most likely deployed by exploiting a recently disclosed critical vulnerability in PHP (CVE-2024-4577, CVSS score: 9.8), an argument-injection flaw in PHP's CGI handling on Windows that can be leveraged for remote code execution.

Msupedge is a dynamic-link library (DLL) that was found installed in the paths 'csidl_drive_fixed\xampp\' and 'csidl_system\wbem\'. One of the DLLs, named wuplog.dll, is launched by the Apache HTTP server process (httpd); the parent process of the second DLL is unknown.

The backdoor's standout feature is its reliance on DNS tunneling to communicate with the C&C server, with code based on the open-source dnscat2 tool. As Symantec pointed out, 'It receives commands by performing name resolution.' Msupedge not only receives commands via DNS traffic, it also uses the resolved IP address of the C&C server (ctl.msedeapi[.]net) as a command: according to Symantec, the third octet of the resolved address, minus seven, acts as a switch that selects which action the backdoor performs.
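The practical question for a defender is how to spot this kind of traffic in resolver logs. The script below is an added example, not code from the article or from Symantec: it runs two checks over a constructed set of DNS log lines, an exact match against the reported C&C hostname ctl.msedeapi[.]net, and a dnscat2-style heuristic that flags registered domains receiving many queries whose subdomain labels are long hex strings (the way dnscat2 encodes tunnelled data). It also shows the selector arithmetic Symantec describes for the resolved C&C address (third octet minus seven). The log lines, the tunnel domain dnstunnel.example, the client address and the answer IPs are all constructed for illustration; the mapping from selector value to backdoor action is not shown because the report excerpt here does not give it.

```python
"""Hunt for dnscat2-style DNS tunneling and the Msupedge C&C hostname in resolver logs.

Added example, not code from the article or from Symantec. Every log line below
is constructed; only the hostname ctl.msedeapi.net comes from the report.
"""
import math
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample resolver log: "<time> <client> <qname> <qtype> <answer>".
# dnstunnel.example is a made-up tunnel domain; its long hex labels mimic how
# dnscat2 carries data inside query names. The answer for ctl.msedeapi.net is made up.
SAMPLE_DNS_LOG = """\
2024-08-20T10:00:01 10.1.2.3 www.example.com A 93.184.216.34
2024-08-20T10:00:02 10.1.2.3 mail.example.com A 93.184.216.35
2024-08-20T10:00:05 10.1.2.3 ctl.msedeapi.net A 198.51.100.12
2024-08-20T10:00:06 10.1.2.3 6b65790000010000.4c6f6f6b75.dnstunnel.example TXT -
2024-08-20T10:00:07 10.1.2.3 2ac40000020001ab.cd9f1e33aa.dnstunnel.example TXT -
2024-08-20T10:00:08 10.1.2.3 9f3e00000300d4e5.f6a7b8c9d0.dnstunnel.example CNAME -
2024-08-20T10:00:09 10.1.2.3 0011223344556677.8899aabbcc.dnstunnel.example TXT -
2024-08-20T10:00:10 10.1.2.3 deadbeef00000400.cafebabe01.dnstunnel.example MX -
2024-08-20T10:00:11 10.1.2.3 0badf00d00000500.1234567890.dnstunnel.example TXT -
2024-08-20T10:00:12 10.1.2.3 cdn.example.org A 203.0.113.7
"""

IOC_HOSTS = {"ctl.msedeapi.net"}  # C&C hostname from the Symantec report
HEX_CHARS = set("0123456789abcdef")


@dataclass
class Query:
    ts: str
    client: str
    qname: str
    qtype: str
    answer: str


def parse_log(text):
    """Parse the whitespace-separated log format above into Query records."""
    queries = []
    for line in text.splitlines():
        if line.strip():
            ts, client, qname, qtype, answer = line.split()
            queries.append(Query(ts, client, qname.lower().rstrip("."), qtype, answer))
    return queries


def registered_domain(qname):
    # Simplification for the example: last two labels. Use a public-suffix list in production.
    return ".".join(qname.split(".")[-2:])


def shannon_entropy(s):
    """Bits of entropy per character; hex-encoded payload labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def is_hex_label(label, min_len=8):
    return len(label) >= min_len and set(label) <= HEX_CHARS


def domain_stats(queries):
    """Per registered domain: query count, unique names, hex-label fraction, mean label entropy."""
    by_domain = defaultdict(list)
    for q in queries:
        by_domain[registered_domain(q.qname)].append(q)
    stats = {}
    for domain, qs in by_domain.items():
        labels = []
        for q in qs:
            sub = q.qname[: -len(domain) - 1] if q.qname != domain else ""
            labels.extend(l for l in sub.split(".") if l)
        n = len(labels)
        stats[domain] = {
            "queries": len(qs),
            "unique_names": len({q.qname for q in qs}),
            "hex_fraction": sum(is_hex_label(l) for l in labels) / n if n else 0.0,
            "mean_entropy": sum(shannon_entropy(l) for l in labels) / n if n else 0.0,
        }
    return stats


def find_tunnel_candidates(queries, min_queries=5, min_hex_fraction=0.5):
    """Domains with enough queries whose labels are mostly long hex strings."""
    return sorted(d for d, s in domain_stats(queries).items()
                  if s["queries"] >= min_queries and s["hex_fraction"] >= min_hex_fraction)


def ioc_hits(queries, iocs=IOC_HOSTS):
    return [q for q in queries if q.qname in iocs]


def command_from_answer(ip):
    """Selector Msupedge derives from a resolved C&C address, per Symantec:
    third octet minus seven (masked to a byte here so negative values wrap)."""
    return (int(ip.split(".")[2]) - 7) & 0xFF


if __name__ == "__main__":
    qs = parse_log(SAMPLE_DNS_LOG)
    for d in find_tunnel_candidates(qs):
        print("possible DNS tunnel:", d, domain_stats(qs)[d])
    for q in ioc_hits(qs):
        print(f"IoC hit: {q.client} -> {q.qname} = {q.answer}; "
              f"selector 0x{command_from_answer(q.answer):02x}")
```

The heuristic thresholds (five queries, half the labels hex) are starting points, not tuned values; on real resolver logs, restrict the heuristic to domains that are not on an allow-list and raise the query threshold, since CDNs and some telemetry services also produce long, high-entropy labels.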

In a separate development, the UTG-Q-010 threat group has been linked to a new phishing campaign that uses cryptocurrency- and job-themed lures to distribute the open-source Pupy RAT. Symantec reported, 'The attack chain involves the use of malicious .lnk files with an embedded DLL loader, ending up in Pupy RAT payload deployment.' Pupy is a Python-based remote access trojan (RAT) whose capabilities include reflective DLL loading and in-memory execution.
