August 20, 2024Ravie LakshmananVulnerability / Threat Intelligence

A previously undocumented backdoor dubbed Msupedge has been deployed against a cyberattack targeting an unnamed university in Taiwan.

“The most notable feature of this backdoor is that it communicates with a command-and-control (C&C) server via DNS traffic,” the Symantec Threat Hunter Team, part of Broadcom, said in a report shared with The Hacker News.

The origin of the backdoor is still unknown, as are the objectives behind the attack.

The initial access vector that likely enabled the implementation of Msupedge is believed to be related to the exploitation of a recently disclosed critical flaw impacting PHP (CVE-2024-4577, CVSS score: 9.8), which could be used to remotely execute code.

The backdoor in question is a dynamic-link library (DLL) installed in the paths “csidl_drive_fixed\xampp\” and “csidl_system\wbem\.” One of the DLLs, wuplog.dll, is launched by the Apache HTTP Server (httpd). The parent process for the second DLL is unclear.

The most notable aspect of Msupedge is its reliance on DNS tunneling for communication with the C&C server, with code based on the open-source dnscat2 tool.

“It receives commands by performing name resolution,” Symantec noted. “Msupedge not only receives commands via DNS traffic, but also uses the resolved IP address of the C&C server (ctl.msedeapi(.)net) as the command.”

Specifically, the third octet of the resolved IP address acts as a switch case that determines the behavior of the backdoor by subtracting seven from it and using its hexadecimal notation to trigger appropriate responses. For example, if the third octet is 145, the newly derived value would translate to 138 (0x8a).

The commands supported by Msupedge are listed below:

• 0x8a: Create a process using a command received via a DNS TXT record
• 0x75: Download file using a download URL received via a DNS TXT record
• 0x24: Sleep for a predetermined time interval
• 0x66: Sleep for a predetermined time interval
• 0x38: Creating a temporary file “%temp%\1e5bf625-1678-zzcv-90b1-199aa47c345.tmp” whose purpose is unknown
• 0x3c: Delete the file “%temp%\1e5bf625-1678-zzcv-90b1-199aa47c345.tmp”

The development comes after the UTG-Q-010 threat group was linked to a new phishing campaign that uses cryptocurrency and work-related lures to spread open-source malware dubbed Pupy RAT.

“The attack chain involves the use of malicious .lnk files with an embedded DLL loader, which terminate in the Pupy RAT payload implementation,” Symantec said. “Pupy is a Python-based Remote Access Trojan (RAT) with capabilities including reflective DLL loading and in-memory execution.”