Researchers have found a new backdoor called Msupedge in a cyberattack on a university in Taiwan. The attackers exploited a serious flaw in PHP (CVE-2024-4577, CVSS score: 9.8) to achieve remote code execution (RCE) and deploy the backdoor.
The Symantec Threat Hunter Team, which is part of Broadcom, pointed out that Msupedge's most notable feature is that it communicates with its command-and-control (C&C) server over DNS traffic. This technique, also known as DNS tunnelling, makes the malicious traffic very hard to detect.
Msupedge is a DLL that gets installed in paths such as “csidl_drive_fixed\xampp” and “csidl_system\wbem”. One of these DLLs, named wuplog.dll, is loaded by the Apache HTTP server (httpd). The backdoor then communicates over DNS using code from the open-source dnscat2 project. To receive instructions, it issues DNS queries: the IP address returned by the C&C server, ctl.msedeapi.net, is the channel through which commands are delivered.
Symantec has identified several commands that Msupedge supports. These include creating processes, downloading files, and managing temporary files. The purpose of some commands remains unknown, leaving open questions about the backdoor's full capabilities.
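Because the backdoor's only outbound channel is DNS, the practical detection point is the resolver log. The following is an added example, not code from the article or from Symantec, showing the kind of checks a defender can run over DNS query logs: an exact match on the C&C domain the report names (ctl.msedeapi.net), a length-and-entropy check on the leftmost label (tunnelled data is typically encoded into long, random-looking labels), and a count of distinct subdomains per parent domain. The log format, the sample lines, the thresholds and the "last two labels form the parent domain" heuristic are all assumptions made for the example.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (not real data): "timestamp client qname" per line.
SAMPLE_LOG = """\
2024-08-20T10:00:01Z 10.0.0.5 www.example.com
2024-08-20T10:00:02Z 10.0.0.5 7a9f3c1e8b2d4f60.ctl.msedeapi.net
2024-08-20T10:00:03Z 10.0.0.5 c4d2e9a1f7b3085e.ctl.msedeapi.net
2024-08-20T10:00:04Z 10.0.0.7 mail.example.com
2024-08-20T10:00:05Z 10.0.0.5 0b6e8d13a5f9c27d.ctl.msedeapi.net
"""

# The C&C domain named in the article; extend from your own threat intel.
KNOWN_C2 = {"ctl.msedeapi.net"}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random hex/base32 labels score high."""
    if not s:
        return 0.0
    freq = defaultdict(int)
    for ch in s:
        freq[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in freq.values())


def parse_line(line: str):
    """Parse one constructed log line; returns (ts, client, qname) or None."""
    parts = line.split()
    if len(parts) != 3:
        return None
    ts, client, qname = parts
    return ts, client, qname.rstrip(".").lower()


def parent_domain(qname: str) -> str:
    # Assumption: the last two labels are the parent domain (no public-suffix list).
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def analyze(log_text: str, entropy_threshold: float = 3.5,
            min_label_len: int = 12, unique_sub_threshold: int = 3):
    """Return a list of (ts, client, name, reason) findings for the given log text."""
    findings = []
    subs_per_parent = defaultdict(set)

    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, qname = rec
        labels = qname.split(".")
        parent = parent_domain(qname)
        subdomain = ".".join(labels[:-2])

        # Rule 1: exact or suffix match on a known C&C domain.
        for c2 in KNOWN_C2:
            if qname == c2 or qname.endswith("." + c2):
                findings.append((ts, client, qname, "known_c2_domain"))

        # Rule 2: long, high-entropy leftmost label (encoded tunnel payload).
        left = labels[0]
        if len(left) >= min_label_len and shannon_entropy(left) >= entropy_threshold:
            findings.append((ts, client, qname, "high_entropy_label"))

        if subdomain:
            subs_per_parent[parent].add(subdomain)

    # Rule 3: many distinct subdomains under one parent (volume indicator).
    for parent, subs in subs_per_parent.items():
        if len(subs) >= unique_sub_threshold:
            findings.append(("-", "-", parent, f"many_unique_subdomains:{len(subs)}"))

    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(*finding)
```

Rule 1 is the only high-confidence signal; rules 2 and 3 will also fire on CDN, anti-spam and telemetry domains that legitimately use random-looking labels, so in production they are best used to rank hosts for review rather than to alert on their own, and the thresholds should be tuned against a baseline of your own resolver traffic.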
This news comes alongside another malicious campaign attributed to the UTG-Q-010 threat group. This group sends phishing emails with cryptocurrency and job-related lures to spread Pupy RAT, an open-source Python-based remote access trojan known for its flexible remote control and command execution.
Researchers have yet to determine where the Msupedge backdoor came from or what it aims to do, which illustrates how today's cyber threats are becoming more complex and dangerous.