Stealthy Msupedge Backdoor Exploits PHP Flaw in Cyber Attack on Taiwanese University
August 20, 2024
An unnamed Taiwanese university has fallen victim to a cyber attack, with the attackers utilizing a previously unreported backdoor named Msupedge. The Symantec Threat Hunter Team, a division of Broadcom, shared in a report that the unique feature of this backdoor is its communication with a command-and-control (C&C) server via DNS traffic.
The origins of Msupedge remain unclear, as do the intentions behind the cyber attack. The backdoor was likely deployed via the exploitation of a recently revealed critical vulnerability in PHP (CVE-2024-4577, CVSS score: 9.8), which can be leveraged for remote code execution.
Msupedge is a dynamic-link library (DLL) installed in the paths 'csidl_drive_fixed\xampp\' and 'csidl_system\wbem\'. One of these DLLs, named wuplog.dll, is initiated by the Apache HTTP server. The parent process for the second DLL remains uncertain.
The backdoor's standout feature is its dependency on DNS tunneling for communication with the C&C server. Its code is based on the open-source dnscat2 tool. As Symantec pointed out, 'It receives commands by performing name resolution.' Msupedge not only gets commands via DNS traffic, but it also uses the resolved IP address of the C&C server (ctl.msedeapi[.]net) as a command.
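The dnscat2-style channel described above shows up in resolver logs as bursts of long, high-entropy subdomains under a single parent domain. The detector below is an added example, not code from the article or from Symantec; the log lines, the `tunnel-example.invalid` domain and the thresholds are constructed for illustration, and the same logic would be applied to the real indicator the article names.

```python
import math
from collections import defaultdict

# Constructed DNS query log lines: timestamp, client IP, queried name.
# The tunnel queries mimic dnscat2-style hex-encoded labels under one parent domain.
SAMPLE_LOG = """\
2024-08-20T10:00:01 10.0.0.5 www.example.com
2024-08-20T10:00:02 10.0.0.5 cdn.example.com
2024-08-20T10:00:03 10.0.0.7 a1f2e3d4c5b6a7f8e9d0c1b2a3f4e5d6.tunnel-example.invalid
2024-08-20T10:00:04 10.0.0.7 0b9c8d7e6f5a4b3c2d1e0f9a8b7c6d5e.tunnel-example.invalid
2024-08-20T10:00:05 10.0.0.7 1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f.tunnel-example.invalid
2024-08-20T10:00:06 10.0.0.7 f0e1d2c3b4a5968778695a4b3c2d1e0f.tunnel-example.invalid
2024-08-20T10:00:07 10.0.0.5 mail.example.com
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payload labels score higher than dictionary words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parse_queries(log_text: str):
    """Yield (parent_domain, subdomain_string) for each well-formed log line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash the sweep
        labels = parts[2].lower().rstrip(".").split(".")
        if len(labels) < 3:
            continue  # a bare second-level name carries no tunnel payload
        yield ".".join(labels[-2:]), ".".join(labels[:-2])

def flag_tunnel_candidates(log_text, min_unique=3, min_len=24, min_entropy=3.5):
    """Return parent domains whose subdomains look like an encoded data channel."""
    stats = defaultdict(lambda: {"subs": set(), "lens": [], "ents": []})
    for parent, sub in parse_queries(log_text):
        st = stats[parent]
        st["subs"].add(sub)
        st["lens"].append(len(sub))
        st["ents"].append(shannon_entropy(sub))
    flagged = {}
    for parent, st in stats.items():
        avg_len = sum(st["lens"]) / len(st["lens"])
        avg_ent = sum(st["ents"]) / len(st["ents"])
        if len(st["subs"]) >= min_unique and avg_len >= min_len and avg_ent >= min_entropy:
            flagged[parent] = {"unique_subdomains": len(st["subs"]),
                               "avg_len": round(avg_len, 1), "avg_entropy": round(avg_ent, 2)}
    return flagged
```

Thresholds are illustrative: tune them against a baseline of your own resolver traffic, since CDNs and some telemetry SDKs also generate long, machine-looking subdomains.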
In another development, the UTG-Q-010 threat group has been linked to a new phishing campaign that uses cryptocurrency and job-related lures to distribute an open-source malware called Pupy RAT. Symantec reported, 'The attack chain involves the use of malicious .lnk files with an embedded DLL loader, ending up in Pupy RAT payload deployment.' Pupy is a Python-based Remote Access Trojan (RAT) with capabilities for reflective DLL loading and in-memory execution, among other functionalities.