An undocumented backdoor named Msupedge has been utilized in a cyber intrusion targeting an undisclosed university in Taiwan.
“A standout trait of this backdoor is its communication with a command-and-control (C&C) server through DNS traffic,” the Symantec Threat Hunter Team, part of Broadcom, said in a report shared with The Hacker News.
The origins of the backdoor remain enigmatic at the moment, as do the intentions behind the assault.
The initial access vector believed to have enabled the deployment of Msupedge is the exploitation of a recently disclosed critical flaw in PHP (CVE-2024-4577, CVSS score: 9.8), which could allow remote code execution.
The backdoor under scrutiny is a dynamic-link library (DLL) that is placed in the “csidl_drive_fixed\xampp” and “csidl_system\wbem” paths. One of the DLLs, wuplog.dll, is launched by the Apache HTTP server (httpd). The parent process of the second DLL remains unknown.
The most notable aspect of Msupedge is its reliance on DNS tunneling to communicate with the C&C server, with code derived from the open-source dnscat2 tool.
“It acquires commands by executing name resolution,” explained Symantec. “Msupedge not only acquires commands via DNS traffic but also employs the resolved IP address of the C&C server (ctl.msedeapi[.]net) as a directive.”
Specifically, the third octet of the resolved IP address acts as a switch statement that dictates the behavior of the backdoor: seven is subtracted from it, and the resulting value, in hexadecimal, selects the corresponding action. For instance, if the third octet is 145, the derived value is 138 (0x8a).
The commands supported by Msupedge are listed below:
- 0x8a: Initiate a process using a received command from a DNS TXT record
- 0x75: Retrieve a file utilizing a download URL obtained from a DNS TXT record
- 0x24: Remain inactive for a specified time frame
- 0x66: Remain inactive for a specified time frame
- 0x38: Create a temporary file “%temp%\1e5bf625-1678-zzcv-90b1-199aa47c345.tmp” with an undisclosed purpose
- 0x3c: Delete the file “%temp%\1e5bf625-1678-zzcv-90b1-199aa47c345.tmp”
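As an added illustration for defenders (not code from the report, from Symantec, or from the malware itself), the following Python applies the octet-minus-seven rule described above to DNS resolver records and reports which command each answer for the C&C domain would select; the log line format, the sample lines and the 8-bit wraparound for octets below seven are assumptions made here, not details from the report.

```python
import ipaddress

C2_DOMAIN = "ctl.msedeapi.net"  # C&C domain from the report (written there as msedeapi[.]net)
OCTET_OFFSET = 7                # the report: seven is subtracted from the third octet

# Command codes and meanings as listed in the report.
COMMANDS = {
    0x8a: "start process with command from DNS TXT record",
    0x75: "download file from URL in DNS TXT record",
    0x24: "sleep for specified time",
    0x66: "sleep for specified time",
    0x38: "create temp file 1e5bf625-1678-zzcv-90b1-199aa47c345.tmp",
    0x3c: "delete temp file 1e5bf625-1678-zzcv-90b1-199aa47c345.tmp",
}


def decode_command(resolved_ip: str):
    """Apply the third-octet-minus-seven rule; return (code, description).

    Masking to 8 bits for octets below seven is an assumption made here;
    the report does not say how the implant treats that case.
    """
    third_octet = ipaddress.IPv4Address(resolved_ip).packed[2]
    code = (third_octet - OCTET_OFFSET) & 0xFF
    return code, COMMANDS.get(code, "unknown code")


def find_c2_dispatches(log_text: str, c2_domain: str = C2_DOMAIN):
    """For each resolver log line "<time> <client> <qname> <answer>" (a format
    assumed for this example) under the C&C domain, return the tuple
    (time, client, qname, code, description) the answer would select."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed or differently shaped lines
        ts, client, qname, answer = fields
        if qname == c2_domain or qname.endswith("." + c2_domain):
            hits.append((ts, client, qname, *decode_command(answer)))
    return hits


# Constructed sample: one benign lookup, two listed C&C codes, one unlisted code.
SAMPLE_LOG = """\
2024-08-19T10:01:02Z 10.0.0.5 www.example.edu 93.184.216.34
2024-08-19T10:01:07Z 10.0.0.5 ctl.msedeapi.net 10.20.145.1
2024-08-19T10:02:11Z 10.0.0.7 q1.ctl.msedeapi.net 10.20.124.1
2024-08-19T10:03:40Z 10.0.0.7 ctl.msedeapi.net 10.20.50.9
"""
```

Running `find_c2_dispatches(SAMPLE_LOG)` yields three hits: the 145 answer decodes to 0x8a (process start), the 124 answer to 0x75 (download), and the 50 answer to an unlisted code, which is the kind of result worth a second look since the report's list may not be exhaustive.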

The development comes as the UTG-Q-010 threat cluster has been linked to a new phishing campaign that uses cryptocurrency- and job-themed lures to distribute an open-source malware known as Pupy RAT.
“The offensive sequence includes the utilization of deceitful .lnk files with an embedded DLL loader, culminating in Pupy RAT payload distribution,” Symantec said. “Pupy is a Python-originated Remote Access Trojan (RAT) included with functionality for reflective DLL loading and in-memory execution, among others.”