Hackers Exploit PHP Vulnerability to Deploy Stealthy Msupedge Backdoor

Aug 20, 2024 | Ravie Lakshmanan | Vulnerability / Threat Intelligence

A previously undocumented backdoor named Msupedge has been used in a cyber attack targeting an unnamed university in Taiwan.

“The most notable feature of this backdoor is that it communicates with a command-and-control (C&C) server via DNS traffic,” the Symantec Threat Hunter Team, part of Broadcom, said in a report shared with The Hacker News.

The origins of the backdoor are currently unknown, as are the objectives behind the attack.


The initial access vector that likely facilitated the deployment of Msupedge is said to involve the exploitation of a recently disclosed critical flaw impacting PHP (CVE-2024-4577, CVSS score: 9.8), which could be used to achieve remote code execution.

The backdoor in question is a dynamic-link library (DLL) that is installed in the paths “csidl_drive_fixed\xampp\” and “csidl_system\wbem\”. One of the DLLs, wuplog.dll, is launched by the Apache HTTP server (httpd). The parent process for the second DLL is unclear.

The most notable aspect of Msupedge is its reliance on DNS tunneling for communication with the C&C server, with code based on the open-source dnscat2 tool.

“It receives commands by performing name resolution,” Symantec noted. “Msupedge not only receives commands via DNS traffic but also uses the resolved IP address of the C&C server (ctl.msedeapi[.]net) as a command.”

Specifically, the third octet of the resolved IP address functions as a switch case that determines the behavior of the backdoor: the backdoor subtracts seven from it and uses the hexadecimal notation of the result to select the corresponding action. For example, if the third octet is 145, the derived value is 138 (0x8a).

The commands supported by Msupedge are listed below –

  • 0x8a: Create a process using a command received via a DNS TXT record
  • 0x75: Download a file using a download URL received via a DNS TXT record
  • 0x24: Sleep for a predetermined time interval
  • 0x66: Sleep for a predetermined time interval
  • 0x38: Create a temporary file “%temp%\1e5bf625-1678-zzcv-90b1-199aa47c345.tmp” whose purpose is unknown
  • 0x3c: Delete the file “%temp%\1e5bf625-1678-zzcv-90b1-199aa47c345.tmp”
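To make the selector concrete for analysts reviewing resolver logs, here is an added Python triage helper (not code from Symantec or the article): it applies the subtract-seven rule to the third octet of answers for the C&C domain and labels the result with the command table above. The resolver log-line format and the sample lines are constructed assumptions.

```python
import re

C2_DOMAIN = "ctl.msedeapi.net"  # defanged in the article as ctl.msedeapi[.]net

# Command table as listed in the article (0x24 and 0x66 are both sleeps).
COMMANDS = {
    0x8A: "create process from command in DNS TXT record",
    0x75: "download file from URL in DNS TXT record",
    0x24: "sleep for predetermined interval",
    0x66: "sleep for predetermined interval",
    0x38: "create temporary .tmp file (purpose unknown)",
    0x3C: "delete temporary .tmp file",
}

# Assumed resolver log shape: "... query: <name> IN A ... answer: <ipv4>"
LOG_RE = re.compile(r"query: (?P<name>\S+) IN A .*?answer: (?P<ip>\d+\.\d+\.\d+\.\d+)")


def derive_command(ip: str) -> int:
    """Selector described in the report: third octet of the answer minus seven."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip}")
    return octets[2] - 7


def label_command(code: int) -> str:
    """Map a derived code to the article's command table; anything else is 'unlisted'."""
    return COMMANDS.get(code, "unlisted")


def triage(log_lines):
    """Return (ip, code, label) for every A-record answer for the C&C domain."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or m.group("name").rstrip(".").lower() != C2_DOMAIN:
            continue  # other domains are not part of this channel
        code = derive_command(m.group("ip"))
        hits.append((m.group("ip"), code, label_command(code)))
    return hits


# Constructed sample resolver lines (not taken from the report).
SAMPLE_LOG = [
    "12:00:01 client 10.0.0.5 query: ctl.msedeapi.net. IN A + answer: 198.51.145.10",
    "12:00:02 client 10.0.0.5 query: example.com. IN A + answer: 93.184.216.34",
    "12:05:07 client 10.0.0.5 query: ctl.msedeapi.net. IN A + answer: 198.51.43.7",
    "12:09:30 client 10.0.0.5 query: ctl.msedeapi.net. IN A + answer: 198.51.200.1",
]
```

Running `triage(SAMPLE_LOG)` yields the article's worked case (145 → 138, 0x8a, create process), a sleep (43 → 36, 0x24), and an unlisted code, which is how a defender would spot answers that do not fit the published table.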

The development comes as the UTG-Q-010 threat group has been linked to a new phishing campaign that leverages cryptocurrency- and job-related lures to distribute an open-source malware called Pupy RAT.

“The attack chain involves the use of malicious .lnk files with an embedded DLL loader, ending up in Pupy RAT payload deployment,” Symantec said. “Pupy is a Python-based Remote Access Trojan (RAT) with functionality for reflective DLL loading and in-memory execution, among others.”
