Unknown attackers have deployed a newly discovered backdoor dubbed Msupedge on a university’s Windows systems in Taiwan, likely by exploiting a recently patched PHP remote code execution vulnerability (CVE-2024-4577).
CVE-2024-4577 is a critical PHP-CGI argument injection flaw patched in June that impacts PHP installations running on Windows systems with PHP running in CGI mode. It allows unauthenticated attackers to execute arbitrary code and leads to complete system compromise following successful exploitation.
The threat actors dropped the malware as two dynamic link libraries (weblog.dll and wmiclnt.dll), the former loaded by the httpd.exe Apache process.
Msupedge’s most noteworthy feature is the use of DNS traffic to communicate with the command-and-control (C&C) server. While many threat groups have adopted this technique in the past, it’s not commonly observed in the wild.
It leverages DNS tunneling (a feature implemented based on the open-source dnscat2 tool), which allows data to be encapsulated within DNS queries and responses to receive commands from its C&C server.
The attackers can use Msupedge to execute various commands, which are triggered based on the third octet of the resolved IP address of the C&C server. The backdoor also supports multiple commands, including creating processes, downloading files, and managing temporary files.
PHP RCE flaw exploitation
Symantec’s Threat Hunter Team, which investigated the incident and spotted the new malware, believes the attackers gained access to the compromised systems after exploiting the CVE-2024-4577 vulnerability.
This security flaw bypasses protections implemented by the PHP team for CVE-2012-1823, which was exploited in malware attacks years after its remediation to target Linux and Windows servers with RubyMiner malware.
“The initial intrusion was likely through the exploit of a recently patched PHP vulnerability (CVE-2024-4577),” said Symantec’s Threat Hunter Team.
“Symantec has seen multiple threat actors scanning for vulnerable systems in recent weeks. To date, we have found no evidence allowing us to attribute this threat and the motive behind the attack remains unknown.”
On Friday, a day after the PHP maintainers released CVE-2024-4577 patches, WatchTowr Labs released proof-of-concept (PoC) exploit code. The same day, the Shadowserver Foundation reported observing exploitation attempts on their honeypots.
One day later, less than 48 hours after patches were released, the TellYouThePass ransomware gang also started exploiting the vulnerability to deploy webshells and encrypt victims’ systems.