Analysts at Symantec have identified an attack on a Taiwanese university that deployed a previously undocumented backdoor, Backdoor.Msupedge. What distinguishes this threat is that it communicates with its command-and-control (C2) server over DNS traffic, a technique rarely used by cybercriminals.
Msupedge takes the form of a dynamic link library (DLL) and was found under specific file paths on the compromised systems. It executes commands received through DNS queries, which lets it operate discreetly and maintain covert control over infected machines.
One of the standout features of Msupedge is that it adapts its behaviour according to the IP address resolved from the DNS query. The backdoor uses the third octet of the resolved address as a switch that selects the command to execute: creating a process, downloading a file, or putting the infected system to sleep for a specified duration.
Command support for Msupedge includes:
- Creating a process via DNS TXT records
- Downloading files from URLs received through DNS
- Inducing sleep modes in the infected machine for up to 24 hours
- Removing temporary files
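The following detection heuristic is an added example for defenders and is not part of the Symantec advisory or the Msupedge code. It scans DNS resolver log lines in a constructed, simplified format ("<ts> <client> <qname> <qtype> <answer>") and flags a client whose repeated A lookups of one name return addresses that differ in the third octet, the field the text describes as the command switch, alongside any TXT lookups for the same name; the log lines, domain names, and the threshold are all constructed assumptions.

```python
from collections import defaultdict
import ipaddress

# Constructed resolver log (not real telemetry): "<ts> <client> <qname> <qtype> <answer>"
SAMPLE_LOG = """\
1723900001 10.0.0.5 www.example.org A 93.184.216.34
1723900002 10.0.0.5 www.example.org A 93.184.216.34
1723900010 10.0.0.7 beacon.invalid A 198.18.4.9
1723900070 10.0.0.7 beacon.invalid A 198.18.1.9
1723900130 10.0.0.7 beacon.invalid A 198.18.2.9
1723900131 10.0.0.7 beacon.invalid TXT "placeholder-txt-record"
malformed line
"""

def third_octet(addr):
    """Third octet of an IPv4 address (the field used as a command switch), else None."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    return ip.packed[2] if ip.version == 4 else None

def detect(log_text, min_distinct_third_octets=3):
    """Flag (client, domain) pairs whose A answers vary in the third octet and count
    that pair's TXT lookups. The threshold is an assumption; CDN names rotate too."""
    groups = defaultdict(lambda: {"octets": set(), "txt": 0})
    for line in log_text.splitlines():
        parts = line.split(maxsplit=4)
        if len(parts) != 5:          # skip lines that do not fit the format
            continue
        _ts, client, qname, qtype, answer = parts
        g = groups[(client, qname.lower())]
        if qtype.upper() == "TXT":
            g["txt"] += 1
        elif qtype.upper() == "A":
            octet = third_octet(answer)
            if octet is not None:
                g["octets"].add(octet)
    findings = []
    for (client, qname), g in sorted(groups.items()):
        if len(g["octets"]) >= min_distinct_third_octets:
            findings.append({"client": client, "qname": qname,
                             "third_octets": sorted(g["octets"]),
                             "txt_queries": g["txt"]})
    return findings

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['client']} -> {f['qname']}: third octets {f['third_octets']}, TXT lookups {f['txt_queries']}")
```

Run against a real resolver export only after baselining legitimate names that rotate addresses, otherwise CDN traffic will dominate the findings.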
The initial breach is suspected to have occurred through the exploitation of a recent PHP vulnerability (CVE-2024-4577), affecting all PHP versions on Windows systems. This vulnerability, a CGI argument injection flaw, poses a serious threat for administrators overseeing Windows-based web servers, as it could lead to remote code execution.
According to Symantec, multiple threat actors have been scanning for vulnerable systems in recent weeks. However, the motive behind the attack remains undisclosed, with no concrete evidence linking it to any particular threat actor. In response to this threat, Symantec has issued a list of indicators of compromise (IOC) in its latest advisory on Msupedge.