Hackers use PHP exploit to backdoor Windows systems with new malware

Unknown attackers have deployed a newly discovered backdoor dubbed Msupedge on a university's Windows systems in Taiwan, likely by exploiting a recently patched PHP remote code execution vulnerability (CVE-2024-4577).

CVE-2024-4577 is a critical PHP-CGI argument injection flaw patched in June (fixed in PHP 8.3.8, 8.2.20, and 8.1.29) that affects PHP installations running in CGI mode on Windows systems; it has been confirmed on Windows hosts using certain locales (for example Traditional Chinese, Simplified Chinese, and Japanese), and default XAMPP installs are also exposed. It allows unauthenticated attackers to execute arbitrary code and leads to complete system compromise following successful exploitation.

The threat actors dropped the malware as two dynamic link libraries (weblog.dll and wmiclnt.dll), the former loaded by the httpd.exe Apache process.

Msupedge's most noteworthy feature is its use of DNS traffic to communicate with the command-and-control (C&C) server. While many threat groups have adopted this technique in the past, it is not commonly observed in the wild.

It leverages DNS tunneling (a feature implemented based on the open-source dnscat2 tool), which allows data to be encapsulated within DNS queries and responses so the backdoor can receive commands from its C&C server.

Msupedge selects which command to run based on the third octet of the IP address the C&C server's domain resolves to. The supported commands include creating processes, downloading files, and managing temporary files.
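Because the backdoor's C&C channel is ordinary DNS, the practical detection question is how dnscat2-style tunneling stands out in resolver logs: many unique, long, high-entropy leftmost labels under one registrable domain, often with TXT, CNAME or MX query types carrying the downstream payload. The following Python example is added here and is not code from the original article or from Symantec; it profiles a constructed sample resolver log (an assumed `timestamp client qname qtype rcode answer` format, with made-up domains) and flags domains whose query pattern looks like a tunnel. The "last two labels" heuristic for the registrable domain is an assumption that ignores public suffixes such as co.uk.

```python
import math
from collections import defaultdict

# Constructed sample resolver log, not data from the incident. Assumed format:
# "<timestamp> <client> <qname> <qtype> <rcode> <answer>"
SAMPLE_DNS_LOG = """\
2024-08-19T10:00:01Z 10.0.0.5 www.example.com A NOERROR 93.184.216.34
2024-08-19T10:00:02Z 10.0.0.5 mail.example.com MX NOERROR mail.example.com
2024-08-19T10:00:03Z 10.0.0.5 cdn.example.org A NOERROR 203.0.113.10
2024-08-19T10:00:04Z 10.0.0.7 4f1a9c3e0b7d2a6c8e1f5a3b9c0d2e4f.tun.example-c2.net TXT NOERROR -
2024-08-19T10:00:05Z 10.0.0.7 a0b1c2d3e4f5061728394a5b6c7d8e9f.tun.example-c2.net TXT NOERROR -
2024-08-19T10:00:06Z 10.0.0.7 9e8d7c6b5a4f30211f2e3d4c5b6a7988.tun.example-c2.net CNAME NOERROR -
2024-08-19T10:00:07Z 10.0.0.7 13579bdf02468ace13579bdf02468ace.tun.example-c2.net MX NOERROR -
2024-08-19T10:00:08Z 10.0.0.7 fedcba9876543210fedcba9876543210.tun.example-c2.net TXT NOERROR -
2024-08-19T10:00:09Z 10.0.0.7 0123456789abcdef0123456789abcdef.tun.example-c2.net A NOERROR 198.51.100.77
2024-08-19T10:00:10Z 10.0.0.5 www.example.com A NOERROR 93.184.216.34
2024-08-19T10:00:11Z 10.0.0.5 api.example.com A NOERROR 93.184.216.35
2024-08-19T10:00:12Z 10.0.0.5 www.example.com A NOERROR 93.184.216.34
"""

# Query types dnscat2 uses to carry downstream data (A-only tunnels exist too,
# so this is a supporting signal, not a required one).
TUNNEL_QTYPES = {"TXT", "CNAME", "MX", "NULL"}


def shannon_entropy(text: str) -> float:
    """Bits per character of a string; 0.0 for an empty or single-symbol string."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text: str):
    """Yield (client, qname, qtype, answer) from the assumed log format; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        _ts, client, qname, qtype, _rcode, answer = parts
        yield client, qname.lower().rstrip("."), qtype.upper(), answer


def base_domain(qname: str) -> str:
    """Assumption: the registrable domain is the last two labels (no public-suffix list)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def profile_domains(text: str) -> dict:
    """Aggregate per-registrable-domain features that separate tunnels from normal lookups."""
    raw = defaultdict(lambda: {"queries": 0, "names": set(), "entropies": [],
                               "max_label": 0, "tunnel_qtypes": 0, "clients": set()})
    for client, qname, qtype, _answer in parse_log(text):
        s = raw[base_domain(qname)]
        leftmost = qname.split(".")[0]          # the label that carries encoded data
        s["queries"] += 1
        s["names"].add(qname)
        s["clients"].add(client)
        s["entropies"].append(shannon_entropy(leftmost))
        s["max_label"] = max(s["max_label"], len(leftmost))
        if qtype in TUNNEL_QTYPES:
            s["tunnel_qtypes"] += 1
    profile = {}
    for base, s in raw.items():
        q = s["queries"]
        profile[base] = {
            "queries": q,
            "unique_ratio": len(s["names"]) / q,       # tunnels rarely repeat a name
            "mean_entropy": sum(s["entropies"]) / q,   # hex/base32 labels score high
            "max_label_len": s["max_label"],
            "tunnel_qtype_share": s["tunnel_qtypes"] / q,
            "clients": sorted(s["clients"]),
        }
    return profile


def flag_tunnels(text: str, min_queries: int = 5, min_unique_ratio: float = 0.8,
                 min_entropy: float = 3.0, min_label_len: int = 20) -> list:
    """Return registrable domains whose lookup pattern matches DNS tunneling."""
    flagged = []
    for base, p in profile_domains(text).items():
        if (p["queries"] >= min_queries
                and p["unique_ratio"] >= min_unique_ratio
                and p["mean_entropy"] >= min_entropy
                and p["max_label_len"] >= min_label_len):
            flagged.append(base)
    return sorted(flagged)


if __name__ == "__main__":
    for base, p in profile_domains(SAMPLE_DNS_LOG).items():
        print(f"{base:18} queries={p['queries']:2} unique={p['unique_ratio']:.2f} "
              f"entropy={p['mean_entropy']:.2f} tunnel_qtypes={p['tunnel_qtype_share']:.2f} "
              f"clients={','.join(p['clients'])}")
    print("flagged:", flag_tunnels(SAMPLE_DNS_LOG))
```

The thresholds are starting points for tuning against your own baseline, not fixed rules: CDNs and some anti-spam services legitimately generate many unique subdomains, so the entropy and label-length conditions are what keep those out, and the client set tells you which host to pull for the DLLs named above. Note that this catches the traffic pattern, not the command encoding: the third-octet dispatch happens in the resolved A record, which looks like any other answer.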

PHP RCE flaw exploitation

Symantec's Threat Hunter Team, which investigated the incident and spotted the new malware, believes the attackers gained access to the compromised systems after exploiting the CVE-2024-4577 vulnerability.

This security flaw bypasses the protections the PHP team implemented for CVE-2012-1823 (on affected Windows locales, the "Best-Fit" character conversion turns a soft hyphen, 0xAD, into the ASCII hyphen that php-cgi then interprets as a command-line option). CVE-2012-1823 itself was exploited in malware attacks years after its remediation to target Linux and Windows servers with RubyMiner malware.

"The initial intrusion was likely through the exploit of a recently patched PHP vulnerability (CVE-2024-4577)," said Symantec's Threat Hunter Team.

“Symantec has seen multiple threat actors scanning for vulnerable systems in recent weeks. To date, we have found no evidence allowing us to attribute this threat and the motive behind the attack remains unknown.”

On Friday, a day after the PHP maintainers released CVE-2024-4577 patches, WatchTowr Labs released proof-of-concept (PoC) exploit code. The same day, the Shadowserver Foundation reported observing exploitation attempts on its honeypots.

One day later, less than 48 hours after patches were released, the TellYouThePass ransomware gang also started exploiting the vulnerability to deploy webshells and encrypt victims' systems.
