A New Backdoor Emerges in Cybersecurity

A recent cyberattack targeting an unidentified university in Taiwan has brought to light a previously unknown backdoor named Msupedge. According to a report from the Symantec Threat Hunter Team, part of Broadcom, this backdoor has never been documented before. The most striking characteristic of Msupedge is its ability to communicate with a command-and-control (C&C) server through DNS traffic, a method that makes it difficult to detect.

Unknown Origins and Intentions

Currently, there is no clear information on where Msupedge originated or what the attackers aimed to achieve. However, it is believed that the backdoor was deployed by exploiting a critical security flaw in PHP (CVE-2024-4577), which has a CVSS score of 9.8. This vulnerability allows for remote code execution, providing an entry point for the attack.

Msupedge’s Stealthy Operations

The backdoor is installed as a dynamic-link library (DLL) in specific system directories, including “csidl_drive_fixed\xampp” and “csidl_system\wbem”. One of these DLLs, named Wuplog.dll, is launched by the Apache HTTP server (httpd). However, the process that triggers the second DLL remains unclear.

What sets Msupedge apart is its use of DNS tunneling to communicate with the C&C server. The backdoor’s code is based on the open-source tool dnscat2, and it receives commands by resolving DNS names. Symantec noted that the backdoor not only retrieves commands through DNS traffic but also interprets the IP address of the C&C server (ctl.msedeapi[.]net) as part of its command structure.

Unique Command Mechanism

One unique feature of Msupedge is how it handles commands. The third octet of the resolved IP address is used as a “switch case” to determine its behavior: the backdoor subtracts seven from this octet and treats the result, expressed in hexadecimal, as the command selector. For example, if the third octet is 145, the value becomes 138 (0x8a) after processing.

Supported Commands by Msupedge

  • Launch a process using a command received via a DNS TXT record.
  • Download a file using a URL obtained from a DNS TXT record.
  • Enter a sleep mode for a pre-defined period.
  • Create a temporary file named “%temp%\1e5bf625-1678-zzcv-90b1-199aa47c345.tmp” with an unknown purpose.
  • Delete the temporary file named “%temp%\1e5bf625-1678-zzcv-90b1-199aa47c345.tmp.”

Msupedge’s Discovery Amidst Broader Cyber Threats

The discovery of Msupedge coincides with reports linking the UTG-Q-010 threat group to a new phishing campaign. This campaign, which targets individuals with lures related to cryptocurrencies and job offers, deploys an open-source malware known as Pupy RAT.

Symantec researchers explained that the attack involves the use of malicious shortcut (.lnk) files containing an embedded DLL loader. This ultimately leads to the deployment of the Pupy RAT, a Python-based Remote Access Trojan capable of reflective DLL loading and in-memory execution.

This new information underscores the evolving threats in the cybersecurity landscape, highlighting the need for heightened vigilance and advanced defense mechanisms.

About Rhyno Cybersecurity Services

Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.

Our products and services are robust, innovative, and cost-effective. Underpinned by our 24x7x365 Security Operations Centre (SOC), our experts ensure you have access to cybersecurity expertise when you need it the most.