A previously undocumented backdoor, dubbed Msupedge, has been used in a cyber attack targeting an unnamed university in Taiwan.
According to the Symantec Threat Hunter Team, part of Broadcom, the backdoor’s most notable feature is its communication with a command-and-control (C&C) server via DNS traffic. The origins and objectives of the attack remain unclear.
The likely initial access vector was exploitation of CVE-2024-4577 (CVSS score: 9.8), a recently disclosed critical argument-injection flaw in PHP's CGI handling on Windows that allows remote code execution. The XAMPP installation path in which the backdoor was found is consistent with that vector, since XAMPP bundles Apache and PHP on Windows.
Msupedge is a dynamic-link library (DLL) found in two locations, "csidl_drive_fixed\xampp\" and "csidl_system\wbem\" (CSIDL placeholders for the fixed system drive and the Windows system directory, typically C:\xampp\ and C:\Windows\System32\wbem\). The first DLL, wuplog.dll, is loaded by the Apache HTTP server process (httpd); the parent process of the second DLL is unknown.
Msupedge’s communication with the C&C server relies on DNS tunneling, with its code based on the open-source dnscat2 tool. Symantec noted that Msupedge receives commands through DNS traffic and uses the resolved IP address of the C&C server (ctl.msedeapi[.]net) to determine its behavior.
Specifically, the third octet of the resolved IP address acts as a command switch: the backdoor subtracts seven from it and compares the result against a table of opcodes (listed below in hexadecimal). For instance, if the third octet is 145, the derived value is 138 (0x8a).
Msupedge supports several commands, including:
– 0x8a: Create a process using a command received via a DNS TXT record
– 0x75: Download a file using a URL received via a DNS TXT record
– 0x24 and 0x66: Sleep for a specified time interval
– 0x38: Create a temporary file in “%temp%\1e5bf625-1678-zzcv-90b1-199aa47c345.tmp”
– 0x3c: Delete the temporary file
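The following Python is an added example, not code from Symantec or from the malware. It models the command-selection rule described above (third octet of the resolved address, minus seven, looked up in the opcode table) and turns it into a triage helper that reads DNS resolver logs and reports which command an infected host would have executed for each A answer on the C2 domain, as well as the TXT payloads that carry the actual command string or download URL. The log line format, the sample log lines and the resolved addresses are constructed for this example; the domain, the subtraction rule and the opcode table come from the write-up. Treating the subtraction as unsigned byte arithmetic is an assumption.

```python
"""Triage helper modelling the Msupedge DNS command switch (added example)."""
import ipaddress
import re

C2_DOMAIN = "ctl.msedeapi.net"

# Opcode table as reported: value = (third octet of resolved IP) - 7.
COMMANDS = {
    0x8A: "create process from command in DNS TXT record",
    0x75: "download file from URL in DNS TXT record",
    0x24: "sleep for specified interval",
    0x66: "sleep for specified interval",
    0x38: "create temporary file in %temp%",
    0x3C: "delete temporary file",
}


def opcode_from_ip(resolved_ip: str) -> int:
    """Derive the command switch value from a resolved IPv4 address.

    Assumption: the implant works on a single byte, so the subtraction
    wraps modulo 256 (third octets 0..6 map to 0xF9..0xFF).
    """
    octets = ipaddress.IPv4Address(resolved_ip).packed
    return (octets[2] - 7) & 0xFF


def third_octet_for_opcode(opcode: int) -> int:
    """Inverse of opcode_from_ip: the third octet an operator must publish."""
    return (opcode + 7) & 0xFF


# Constructed resolver log format: "<timestamp> <client> <qname> <qtype> <answer>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<qname>\S+) (?P<qtype>A|TXT) (?P<answer>.+)$"
)


def _is_c2_name(qname: str) -> bool:
    name = qname.rstrip(".").lower()
    return name == C2_DOMAIN or name.endswith("." + C2_DOMAIN)


def triage_dns_log(lines):
    """Return one dict per C2-related answer, decoding A answers into opcodes."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or not _is_c2_name(m["qname"]):
            continue
        entry = {"ts": m["ts"], "client": m["client"], "qtype": m["qtype"]}
        if m["qtype"] == "A":
            try:
                op = opcode_from_ip(m["answer"])
            except ValueError:
                continue  # malformed answer, not an IPv4 address
            entry["opcode"] = op
            entry["meaning"] = COMMANDS.get(op, "unknown / no matching command")
        else:
            entry["payload"] = m["answer"].strip('"')  # command string or URL
        hits.append(entry)
    return hits


# Constructed sample log: one benign lookup, then a C2 session.
SAMPLE_LOG = [
    "2024-08-19T10:00:01Z 10.0.0.5 www.example.com. A 93.184.216.34",
    "2024-08-19T10:00:02Z 10.0.0.5 ctl.msedeapi.net. A 192.0.145.10",   # 145-7 = 0x8a
    '2024-08-19T10:00:02Z 10.0.0.5 ctl.msedeapi.net. TXT "cmd.exe /c whoami"',
    "2024-08-19T10:05:00Z 10.0.0.5 ctl.msedeapi.net. A 198.51.124.7",   # 124-7 = 0x75
    '2024-08-19T10:05:00Z 10.0.0.5 ctl.msedeapi.net. TXT "http://198.51.100.7/x.bin"',
    "2024-08-19T10:09:30Z 10.0.0.5 ctl.msedeapi.net. A 203.0.67.9",     # 67-7 = 0x3c
]

if __name__ == "__main__":
    for h in triage_dns_log(SAMPLE_LOG):
        print(h)
```

Running the block prints the decoded session: a 0x8a (create process) answer followed by the TXT record carrying the command, a 0x75 (download) answer followed by the TXT record carrying the URL, then a 0x3c (delete temporary file). In practice the A and TXT lookups would need to be correlated per client and time window, and any answer for the C2 domain is itself the alert; the opcode decoding is there to reconstruct what the implant did.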
This development coincides with the UTG-Q-010 threat group being linked to a new phishing campaign using cryptocurrency- and job-related lures to distribute the open-source Pupy RAT malware. Symantec noted that the attack chain involves malicious .lnk files with an embedded DLL loader, ultimately leading to the deployment of Pupy RAT, a Python-based Remote Access Trojan capable of reflective DLL loading and in-memory execution.