A previously undocumented backdoor known as Msupedge has been used in a cyber intrusion directed at an unnamed university in Taiwan.
“The key characteristic of this loophole is its communication with a command-and-control (C&C) server through DNS activity,” stated the Symantec Threat Hunter Team, which is under Broadcom, in a report disclosed to The Hacker News.
The origin of the backdoor is currently unknown, as are the intentions behind the attack.
The initial access that likely led to the deployment of Msupedge is believed to involve exploitation of a recently disclosed critical vulnerability affecting PHP (CVE-2024-4577, CVSS score: 9.8), which can be exploited to achieve remote code execution.
The backdoor itself is a dynamic-link library (DLL) installed under the paths "csidl_drive_fixed\xampp\" and "csidl_system\wbem\". One of the DLLs, wuplog.dll, is launched by the Apache HTTP server (httpd). The parent process of the second DLL is unclear.
Msupedge's distinguishing feature is its reliance on DNS tunneling to communicate with the C&C server, with code based on the open-source dnscat2 tool.
“It takes instructions by executing name resolution,” as per Symantec. “Msupedge not only captures instructions through DNS traffic but also uses the IP of the C&C server (ctl.msedeapi[.]net) for a command.”
More precisely, the third octet of the resolved IP address acts as a switch case that selects the backdoor's action: the backdoor subtracts seven from that octet and uses the resulting value (expressed in hexadecimal) to pick the matching handler. For instance, if the third octet is 145, the resulting value is 138 (0x8a).
The commands supported by Msupedge are as follows:
- 0x8a: Initiate a process through a command received via a DNS TXT record
- 0x75: Retrieve a file using a download URL received via a DNS TXT record
- 0x24: Enter a sleep state for a predefined interval
- 0x66: Enter a sleep state for a predefined interval
- 0x38: Create a temporary file named "%temp%\1e5bf625-1678-zzcv-90b1-199aa47c345.tmp" with an unspecified purpose
- 0x3c: Delete the file "%temp%\1e5bf625-1678-zzcv-90b1-199aa47c345.tmp"
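The following is an added analyst helper, not code from Symantec's report or from the malware: it applies the "third octet minus seven" rule and the command table above to resolved C&C addresses, and runs a simple triage pass over DNS query logs. The log line format, the sample log lines, the resolved IP addresses and the wrap-around for octets below seven are all constructed assumptions for illustration; the domain and command table are as reported.

```python
"""Added example: decode Msupedge-style command bytes from resolved C&C IPs
and flag DNS log lines worth a closer look.

Assumptions (not from the report): the DNS log format, the sample lines,
the resolved addresses, and wrapping the subtraction modulo 256.
"""
import ipaddress
import re

# Temp-file name and command table exactly as described in the write-up.
TMP_NAME = r"%temp%\1e5bf625-1678-zzcv-90b1-199aa47c345.tmp"
COMMANDS = {
    0x8A: "create process from command received in DNS TXT record",
    0x75: "download file from URL received in DNS TXT record",
    0x24: "sleep for predefined interval",
    0x66: "sleep for predefined interval",
    0x38: f"create temp file {TMP_NAME}",
    0x3C: f"delete temp file {TMP_NAME}",
}

# Reported C&C domain (defanged in the report as ctl.msedeapi[.]net).
C2_DOMAIN = "ctl.msedeapi.net"

# Constructed log format: "<timestamp> <client> <qtype> <qname> [<answer>]".
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)"
    r"\s*(?P<answer>\S+)?$"
)

# Constructed sample lines; 203.0.145.17 is a made-up address whose third
# octet (145) yields 0x8a under the reported rule.
SAMPLE_LOG = """\
2024-08-19T10:00:01Z 10.1.2.3 A www.example.edu 93.184.216.34
2024-08-19T10:00:05Z 10.1.2.3 A ctl.msedeapi.net 203.0.145.17
2024-08-19T10:00:06Z 10.1.2.3 TXT 7a3f9c1e0b5d.ctl.msedeapi.net
2024-08-19T10:00:07Z 10.1.2.4 A www.example.edu 93.184.216.34
"""


def command_from_ip(ip: str) -> int:
    """Switch-case value: third octet minus seven (assumed to wrap mod 256)."""
    octets = ipaddress.IPv4Address(ip).packed
    return (octets[2] - 7) % 256


def describe_command(ip: str) -> str:
    """Map a resolved C&C address to the action named in the report."""
    code = command_from_ip(ip)
    return COMMANDS.get(code, f"unknown command 0x{code:02x}")


def flag_dns_lines(log_text: str) -> list[dict]:
    """Return records for lines that match the reported behaviour:
    queries under the C&C domain, and TXT lookups (the channel Msupedge
    uses to receive command text)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed format
        rec = m.groupdict()
        qname = rec["qname"].lower().rstrip(".")
        reasons = []
        if qname == C2_DOMAIN or qname.endswith("." + C2_DOMAIN):
            reasons.append("query to reported Msupedge C&C domain")
        if rec["qtype"] == "TXT":
            reasons.append("TXT lookup (Msupedge receives commands via TXT)")
        if not reasons:
            continue
        hit = {"client": rec["client"], "qtype": rec["qtype"],
               "qname": qname, "reasons": reasons}
        # For an A answer from the C&C domain, decode the implied command.
        if rec["qtype"] == "A" and rec["answer"] and qname == C2_DOMAIN:
            hit["command"] = describe_command(rec["answer"])
        hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in flag_dns_lines(SAMPLE_LOG):
        print(hit)
```

The TXT-lookup check is deliberately broad: on its own it produces noise from legitimate SPF/DKIM traffic, so in practice it is best combined with the domain match or with volume and label-length thresholds characteristic of dnscat2-style tunnels.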

The disclosure comes as the UTG-Q-010 threat group has been linked to a recent phishing campaign that uses cryptocurrency and job-related lures to distribute an open-source malware known as Pupy RAT.
"The attack chain involves the use of malicious .lnk files containing an embedded DLL loader, culminating in the deployment of the Pupy RAT payload," Symantec noted. "Pupy is a Python-based Remote Access Trojan (RAT) with capabilities for reflective DLL loading and in-memory execution, among others."