A previously unknown backdoor known as Msupedge has recently been deployed in cyber attacks against an unnamed university in Taiwan. This alarming development has raised concerns in the cybersecurity community, particularly given the backdoor’s unique operational characteristics. According to a report from Symantec’s Threat Hunter Team, part of Broadcom, one of the most significant features of Msupedge is its communication with a command-and-control (C&C) server through DNS traffic, a method that obfuscates its activities from conventional monitoring techniques.
The precise origins of the Msupedge backdoor and the objectives behind the attack remain unclear. However, investigators suggest that the initial access vector likely exploited a critical vulnerability in PHP, identified as CVE-2024-4577, which has a notably high CVSS score of 9.8. This vulnerability allows for remote code execution, opening the door for malware installation and execution. Its exploitation indicates a thorough understanding of web application security weaknesses.
Msupedge is implemented as a dynamic-link library (DLL) located within specific directory paths, namely “csidl_drive_fixed\xampp\” and “csidl_system\wbem.\” One of these DLLs, referred to as wuplog.dll, is activated by the Apache HTTP server. However, the relationship between this DLL and other components of the attack remains ambiguous, highlighting a potential area of further investigation.
This backdoor stands out due to its reliance on DNS tunneling for command communications with the C&C server. Its codebase appears to be derived from an open-source tool called dnscat2, which facilitates data exfiltration over DNS. Notably, Msupedge not only receives commands via DNS requests but also interprets the resolved IP address from the C&C server (ctl.msedeapi[.]net) to dictate its actions.
Intriguingly, the third octet of the resolved IP address functions as a form of command switch, altering the behavior of the backdoor. This mechanism operates by modifying the octet value—subtracting seven and converting it to hexadecimal to determine executed commands. Such measures underscore the sophistication of the malware, as malicious actors employ intricate techniques to evade detection.
Supported commands include process creation through DNS-sourced instructions, file downloading via specified URLs, and mechanisms to manage temporary files, including creation and deletion processes. This operational capability signals a deliberate and advanced approach to remote management of compromised systems.
The emergence of Msupedge coincides with activities from the threat group known as UTG-Q-010, which has been linked to recent phishing campaigns. These campaigns utilize social engineering tactics to deliver malware, specifically an open-source Remote Access Trojan (RAT) known as Pupy RAT. The involvement of Pupy RAT further complicates the cybersecurity landscape, as it enables reflective DLL loading and in-memory execution.
By applying the MITRE ATT&CK framework, one can infer that the attack utilized tactics such as initial access, where the exploitation of the PHP vulnerability occurred, and persistence, as evidenced by the installation of the Msupedge backdoor. Additionally, techniques related to command and control channels through DNS traffic reveal the attackers’ advanced understanding of system interactions.
As businesses increasingly rely on digital infrastructures, the implications of such attacks emphasize the necessity for robust cybersecurity strategies. It is crucial for organizations to remain vigilant and informed about evolving threats and their underlying tactics, employing comprehensive security measures to safeguard against sophisticated cyber adversaries.
