Cybersecurity researchers at Symantec recently identified a new malware that exploits a PHP CGI argument injection vulnerability (CVE-2024-4577). This vulnerability affects all versions of PHP installed on the Windows operating system and can ultimately lead to remote arbitrary code execution.
A Taiwanese university has been targeted by a new backdoor, Backdoor.Msupedge, which uses a technique that is rarely seen but has been reported in the past.
Cybersecurity experts point to this malware's distinctive feature, the use of DNS traffic for command-and-control (C&C) server communication, as something they have rarely observed in the wild.
Though other threat actors have previously deployed such DNS-based C&C techniques, this attack stands out because the technique is so seldom encountered.
Technical Analysis
Msupedge is a sophisticated DLL backdoor detected in the following paths: csidl_drive_fixed\xampp\wuplog.dll and csidl_system\wbem\wmiclnt.dll.
It performs its C&C communication over DNS tunneling built on the dnscat2 tool.
Error notifications (for memory allocation failure, command decompression, and command execution) are sent as hostnames within the DNS queries; these are encoded as fifth-level domains and then transmitted back to the C&C server.
Msupedge also resolves ctl.msedeapi[.]net and derives a command from the returned IP address: seven is subtracted from the third octet, and the result serves as a switch case that selects the backdoor's behavior.
Apache (httpd.exe) loads wuplog.dll, while the parent process of wmiclnt.dll is still unknown.
Msupedge thus takes a multi-faceted approach that keeps its communication channel hidden and allows its functionality to be adjusted over time.
Msupedge supports the following commands:
- Case 0x8a: Create process. The command is received via DNS TXT record.
- Case 0x75: Download file. The download URL is received via DNS TXT record.
- Case 0x24: Sleep (ip_4 * 86400 * 1000 ms).
- Case 0x66: Sleep (ip_4 * 3600 * 1000 ms).
- Case 0x38: Create %temp%\1e5bf625-1678-zzcv-90b1-199aa47c345.tmp. The purpose of this file is unknown.
- Case 0x3c: Remove %temp%\1e5bf625-1678-zzcv-90b1-199aa47c345.tmp.
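As an added illustration (not code from the Symantec report), the Python below decodes the switch-case scheme described above from a resolved C&C address, the way an analyst might when triaging captured DNS answers from a sandbox run. The octet positions, the constructed sample answers and the function names are assumptions.

```python
# Added example, not the backdoor's own code. Decodes the command that the
# write-up says Msupedge derives from the address returned for its C&C domain:
# (third octet - 7) selects the case, and ip_4 (assumed: the fourth octet)
# parameterises the sleep commands.
import ipaddress

CNC_DOMAIN = "ctl.msedeapi.net"  # defanged in the article as ctl.msedeapi[.]net

# Switch cases listed in the write-up, keyed by (third octet - 7).
COMMANDS = {
    0x8A: "create_process",   # command body arrives via DNS TXT record
    0x75: "download_file",    # download URL arrives via DNS TXT record
    0x24: "sleep_days",       # sleep ip_4 * 86400 * 1000 ms
    0x66: "sleep_hours",      # sleep ip_4 * 3600 * 1000 ms
    0x38: "create_tmp_file",  # %temp%\1e5bf625-1678-zzcv-90b1-199aa47c345.tmp
    0x3C: "remove_tmp_file",
}


def decode_command(resolved_ip: str) -> dict:
    """Map a resolved C&C address to the backdoor action it would select."""
    octets = list(ipaddress.IPv4Address(resolved_ip).packed)
    case = octets[2] - 7            # third octet minus seven, per the analysis
    ip_4 = octets[3]                # assumption: ip_4 is the fourth octet
    result = {"case": case, "command": COMMANDS.get(case, "unknown"), "ip_4": ip_4}
    if result["command"] == "sleep_days":
        result["sleep_ms"] = ip_4 * 86400 * 1000
    elif result["command"] == "sleep_hours":
        result["sleep_ms"] = ip_4 * 3600 * 1000
    return result


def triage_dns_answers(answers):
    """Decode every A-record answer for the C&C domain from (qname, ip) pairs;
    answers for any other name are ignored."""
    return [
        dict(ip=ip, **decode_command(ip))
        for qname, ip in answers
        if qname.rstrip(".").lower() == CNC_DOMAIN
    ]


# Constructed sample answers (RFC 1918 addresses), not real observed traffic.
SAMPLE_ANSWERS = [
    ("ctl.msedeapi.net.", "10.0.145.1"),   # 145 - 7 = 0x8a -> create_process
    ("ctl.msedeapi.net.", "10.0.43.2"),    # 43 - 7 = 0x24  -> sleep 2 days
    ("ctl.msedeapi.net.", "10.0.109.3"),   # 109 - 7 = 0x66 -> sleep 3 hours
    ("example.com.", "10.0.145.1"),        # unrelated name, must be skipped
]

if __name__ == "__main__":
    for entry in triage_dns_answers(SAMPLE_ANSWERS):
        print(entry)
```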
The initial intrusion was carried out by exploiting the recently patched PHP vulnerability CVE-2024-4577, which affects all versions of PHP installed on the Windows operating system.
It is a CGI argument injection vulnerability that allows attackers to inject malicious arguments into PHP CGI scripts.
Successful exploitation of this bug can lead to remote code execution, allowing attackers to run arbitrary code on vulnerable systems.
Besides this, Symantec has recently noticed that different entities have been scanning for systems with this flaw.
IoCs
- e08dc1c3987d17451a3e86c04ed322a9424582e2f2cb6352c892b7e0645eda43 – Backdoor.Msupedge
- f5937d38353ed431dc8a5eb32c119ab575114a10c24567f0c864cb2ef47f9f36 – Backdoor.Msupedge
- a89ebe7d1af3513d146a831b6fa4a465c8edeafea5d7980eb5448a94a4e34480 – Web shell