Close Menu
Indo Guard OnlineIndo Guard Online
  • Home
  • Cyber Security
  • Risk Management
  • Travel
  • Security News
  • Tech
  • More
    • Data Privacy
    • Data Protection
    • Global Security
What's Hot

CISA adds flaws of Erlang SSH and RoundCube to famous exploited directory vulnerabilities

June 10, 2025

More than 70 organizations in several sectors aimed at Chinese Cyber ​​Spying Group

June 9, 2025

Two different botnets exploit the vulnerability of the WAZUH server to launch attacks based on peaceful

June 9, 2025
Facebook X (Twitter) Instagram
Facebook X (Twitter) Instagram YouTube
Indo Guard OnlineIndo Guard Online
Subscribe
  • Home
  • Cyber Security
  • Risk Management
  • Travel
  • Security News
  • Tech
  • More
    • Data Privacy
    • Data Protection
    • Global Security
Indo Guard OnlineIndo Guard Online
Home » Hackers use a PHP vulnerability to deploy a hidden Msupedge backdoor
Global Security

Hackers use a PHP vulnerability to deploy a hidden Msupedge backdoor

AdminBy AdminAugust 20, 2024No Comments3 Mins Read
PHP Vulnerability
Share
Facebook Twitter LinkedIn Pinterest Email Copy Link


August 20, 2024Ravi LakshmananVulnerability / Threat Intelligence

PHP vulnerability

A previously undocumented backdoor called Msupedge was used against a cyber attack targeting an unnamed university in Taiwan.

“The most notable feature of this backdoor is that it communicates with the command and control (C&C) server through DNS traffic,” Symantec Threat Hunter team, part of Broadcom, said in a report shared with The Hacker News.

The origin of the backdoor is currently unknown, as are the targets of the attack.

Cyber ​​security

The initial access vector that likely facilitated the deployment of Msupedge is said to involve exploiting a recently disclosed critical flaw affecting PHP (CVE-2024-4577CVSS score: 9.8) that can be used achieve remote code execution.

The backdoor in question is a dynamic link library (DLL) installed from the paths “csidl_drive_fixed\xampp\” and “csidl_system\wbem\”. One of the DLLs, wuplog.dll, is run by the Apache HTTP server (httpd). The parent process for the second DLL is unclear.

The most notable aspect of Msupedge is its reliance on DNS tunneling to communicate with a C&C server based on open source code dnscat2 tool.

“It receives commands by performing name resolution,” Symantec said. “Msupedge not only receives commands through DNS traffic, but also uses the authorized IP address of the C&C server (ctl.msedeapi(.)net) as the command.”

Specifically, the third octet of a permitted IP address functions as a case switch which determines the backdoor’s behavior by subtracting seven from it and using its hexadecimal notation to call the appropriate responses. For example, if the third octet is 145, the new value obtained is converted to 138 (0x8a).

The commands supported by Msupedge are listed below –

  • 0x8a: Create a process using a command obtained via a DNS TXT record
  • 0x75: Downloading a file using the download URL obtained via a DNS TXT record
  • 0x24: Sleep mode for a predefined time interval
  • 0x66: Sleep mode for a predefined time interval
  • 0x38: Create temporary file “%temp%\1e5bf625-1678-zzcv-90b1-199aa47c345.tmp” whose destination is unknown
  • 0x3c: Delete file “%temp%\1e5bf625-1678-zzcv-90b1-199aa47c345.tmp”
Cyber ​​security

Development occurs as Threat Group UTG-Q-010 has been linked to a new phishing campaign that uses cryptocurrency and work-related lures to spread open-source malware called RAT strings.

“The attack chain involves the use of malicious .lnk files with an embedded DLL loader that ends up deploying the Pupy RAT payload,” notes Symantec. said. “Pupy is a Python-based Remote Access Trojan (RAT) with reflective DLL loading and in-memory execution functionality, among other things.”

Did you find this article interesting? Follow us Twitter  and LinkedIn to read more exclusive content we publish.





Source link

Share. Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
Admin
  • Website

Related Posts

CISA adds flaws of Erlang SSH and RoundCube to famous exploited directory vulnerabilities

June 10, 2025

More than 70 organizations in several sectors aimed at Chinese Cyber ​​Spying Group

June 9, 2025

Two different botnets exploit the vulnerability of the WAZUH server to launch attacks based on peaceful

June 9, 2025

Think what your IDP or CASB covers the shadow? These 5 risks prove differently

June 9, 2025

Openai prohibits chatgpt accounts used by Russian, Iranian and Chinese hacking groups

June 9, 2025

Operation malicious network supply software gets to NPM and Pypi ecosystems, focusing on millions worldwide

June 8, 2025
Add A Comment
Leave A Reply Cancel Reply

Loading poll ...
Coming Soon
Do You Like Our Website
: {{ tsp_total }}

Subscribe to Updates

Get the latest security news from Indoguardonline.com

Latest Posts

CISA adds flaws of Erlang SSH and RoundCube to famous exploited directory vulnerabilities

June 10, 2025

More than 70 organizations in several sectors aimed at Chinese Cyber ​​Spying Group

June 9, 2025

Two different botnets exploit the vulnerability of the WAZUH server to launch attacks based on peaceful

June 9, 2025

Think what your IDP or CASB covers the shadow? These 5 risks prove differently

June 9, 2025

Openai prohibits chatgpt accounts used by Russian, Iranian and Chinese hacking groups

June 9, 2025

Operation malicious network supply software gets to NPM and Pypi ecosystems, focusing on millions worldwide

June 8, 2025

Extension of the malicious browser has infected 722 users across Latin America since the beginning of 2025

June 8, 2025

New company Atomic MacOS Campation Exploaits Clickfix to focus on Apple users

June 6, 2025
About Us
About Us

Provide a constantly updating feed of the latest security news and developments specific to Indonesia.

Facebook X (Twitter) Pinterest YouTube WhatsApp
Our Picks

CISA adds flaws of Erlang SSH and RoundCube to famous exploited directory vulnerabilities

June 10, 2025

More than 70 organizations in several sectors aimed at Chinese Cyber ​​Spying Group

June 9, 2025

Two different botnets exploit the vulnerability of the WAZUH server to launch attacks based on peaceful

June 9, 2025
Most Popular

In Indonesia, crippling immigration ransomware breach sparks privacy crisis

July 6, 2024

Why Indonesia’s Data Breach Crisis Calls for Better Security

July 6, 2024

Indonesia’s plan to integrate 27,000 govt apps in one platform welcomed but data security concerns linger

July 6, 2024
© 2025 indoguardonline.com
  • Home
  • About us
  • Contact us
  • Privacy Policy

Type above and press Enter to search. Press Esc to cancel.