Symantec’s Threat Hunter Team [1] [6] [8], a division of Broadcom, has recently identified a new backdoor threat called Msupedge. This sophisticated backdoor exploits a critical PHP vulnerability (CVE-2024-4577) for remote code execution and uses DNS traffic to communicate with a command-and-control server.

Description

Msupedge is a DLL-based backdoor that communicates with its command-and-control (C&C) server over DNS traffic; its behavior is determined by the IP address to which the C&C domain resolves. The attack chain involves malicious .lnk files with an embedded DLL loader [8], leading to the deployment of the Pupy RAT payload [8]. Pupy RAT is a Python-based remote access trojan that supports reflective DLL loading and in-memory execution [8]. The backdoor can execute several commands, such as creating processes, downloading files [2] [3] [4] [5], sleeping for a set interval [3], and removing temporary files [2] [3] [4] [5]. It uses DNS tunneling for covert control over compromised systems. Multiple threat actors are actively scanning for vulnerable systems [7] [9], highlighting the evolving tactics of cybercriminals [4]. Symantec Endpoint products detect and block the malicious indicators associated with the Msupedge threat.
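Because the backdoor's C&C channel and its resolved-address signalling both ride on DNS, resolver logs are a natural place to look for it. The following Python is an added example (not code from Symantec's report): it flags clients that send many unique, high-entropy subdomain queries to a single domain and records how many distinct A-record answers came back. The log format, the domain and the addresses are constructed for the example.

```python
import math
from collections import defaultdict

# Constructed sample resolver log lines: "<client> <qname> <qtype> <answer>"
SAMPLE_LOG = """\
10.0.0.7 www.example.org A 93.184.216.34
10.0.0.7 mail.example.org A 93.184.216.35
10.0.0.9 a3f9c2e17b.h5k2.c2-placeholder.test A 198.51.100.2
10.0.0.9 7d41b0e9ff.q8z1.c2-placeholder.test A 198.51.100.3
10.0.0.9 c91e55aa02.m3p7.c2-placeholder.test A 198.51.100.2
10.0.0.9 0ee4b7d3c8.x2n4.c2-placeholder.test A 198.51.100.4
10.0.0.9 5ab1d98e6f.t9r0.c2-placeholder.test A 198.51.100.2
10.0.0.9 ffe0a3c4d1.b6v5.c2-placeholder.test A 198.51.100.3
"""

def shannon_entropy(s):
    """Bits per character; encoded/tunnelled labels score well above plain hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(qname):
    # Simplifying assumption: last two labels. Production code should use a public-suffix list.
    return ".".join(qname.rstrip(".").split(".")[-2:])

def find_tunneling_candidates(log_text, min_queries=5, min_entropy=3.0, min_unique_ratio=0.8):
    """Group queries per (client, domain) and flag groups that look like a DNS tunnel."""
    stats = defaultdict(lambda: {"queries": 0, "subs": set(), "entropy": 0.0, "answers": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        client, qname, _qtype, answer = parts
        dom = registered_domain(qname)
        sub = qname[: -len(dom) - 1] if qname.endswith("." + dom) else ""
        s = stats[(client, dom)]
        s["queries"] += 1
        s["subs"].add(sub)
        s["entropy"] += shannon_entropy(sub.replace(".", ""))
        s["answers"].add(answer)  # distinct answers matter: Msupedge keys behaviour off the resolved IP
    findings = []
    for (client, dom), s in stats.items():
        if s["queries"] < min_queries:
            continue
        avg_entropy = s["entropy"] / s["queries"]
        unique_ratio = len(s["subs"]) / s["queries"]
        if avg_entropy >= min_entropy and unique_ratio >= min_unique_ratio:
            findings.append({"client": client, "domain": dom, "queries": s["queries"],
                             "avg_entropy": round(avg_entropy, 2), "distinct_answers": len(s["answers"])})
    return findings
```

Thresholds are starting points; tune `min_queries` and `min_entropy` against a baseline of your own resolver traffic before alerting on them.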

Conclusion

The Msupedge backdoor poses a significant threat to cybersecurity, as evidenced by a recent cyber attack targeting an unnamed university in Taiwan [2]. It is crucial for organizations to implement robust security measures to protect against such threats. Symantec Endpoint products offer detection and mitigation capabilities against the Msupedge threat, but ongoing vigilance and proactive security measures are essential to safeguard against evolving cyber threats.

References

[1] https://rhyno.io/blogs/cybersecurity-news/php-exploit-leads-to-msupedge-backdoor-attack/
[2] https://kiber.ba/hakeri-iskoristavaju-ranjivost-php-a-da-bi-implementirali-skriveni-msupedge-backdoor/
[3] https://www.infosecurity-magazine.com/news/dns-based-backdoor-taiwanese/
[4] https://cybermaterial.com/hackers-use-php-flaw-to-deploy-msupedge/
[5] https://www.techidee.nl/hackers-misbruiken-php-kwetsbaarheid-om-heimelijke-msupedge-backdoor-te-implementeren/13040/
[6] https://thehackernews.com/2024/08/hackers-exploit-php-vulnerability-to.html
[7] https://siliconangle.com/2024/08/20/symantec-warns-new-sophisticated-backdoor-exploiting-patched-php-vulnerability/
[8] https://blogs.masterhacks.net/noticias/hacking-y-ciberdelitos/hackers-estan-explotando-vulnerabilidad-php-para-implementar-la-backdoor-sigilosa-msupedge/
[9] https://symantec-enterprise-blogs.security.com/threat-intelligence/taiwan-malware-dns