A previously undocumented backdoor called Msupedge was used against a cyber attack targeting an unnamed university in Taiwan.
“The most notable feature of this backdoor is that it communicates with the command and control (C&C) server through DNS traffic,” Symantec Threat Hunter team, part of Broadcom, said in a report shared with The Hacker News.
The origin of the backdoor is currently unknown, as are the targets of the attack.
The initial access vector that likely facilitated the deployment of Msupedge is said to involve exploiting a recently disclosed critical flaw affecting PHP (CVE-2024-4577CVSS score: 9.8) that can be used achieve remote code execution.
The backdoor in question is a dynamic link library (DLL) installed from the paths “csidl_drive_fixed\xampp\” and “csidl_system\wbem\”. One of the DLLs, wuplog.dll, is run by the Apache HTTP server (httpd). The parent process for the second DLL is unclear.
The most notable aspect of Msupedge is its reliance on DNS tunneling to communicate with a C&C server based on open source code dnscat2 tool.
“It receives commands by performing name resolution,” Symantec said. “Msupedge not only receives commands through DNS traffic, but also uses the authorized IP address of the C&C server (ctl.msedeapi(.)net) as the command.”
Specifically, the third octet of a permitted IP address functions as a case switch which determines the backdoor’s behavior by subtracting seven from it and using its hexadecimal notation to call the appropriate responses. For example, if the third octet is 145, the new value obtained is converted to 138 (0x8a).
The commands supported by Msupedge are listed below –
- 0x8a: Create a process using a command obtained via a DNS TXT record
- 0x75: Downloading a file using the download URL obtained via a DNS TXT record
- 0x24: Sleep mode for a predefined time interval
- 0x66: Sleep mode for a predefined time interval
- 0x38: Create temporary file “%temp%\1e5bf625-1678-zzcv-90b1-199aa47c345.tmp” whose destination is unknown
- 0x3c: Delete file “%temp%\1e5bf625-1678-zzcv-90b1-199aa47c345.tmp”
Development occurs as Threat Group UTG-Q-010 has been linked to a new phishing campaign that uses cryptocurrency and work-related lures to spread open-source malware called RAT strings.
“The attack chain involves the use of malicious .lnk files with an embedded DLL loader that ends up deploying the Pupy RAT payload,” notes Symantec. said. “Pupy is a Python-based Remote Access Trojan (RAT) with reflective DLL loading and in-memory execution functionality, among other things.”