Stealthy Msupedge Backdoor Exploits PHP Vulnerability in Cyberattack on Taiwanese University


In a recent cybersecurity breach, hackers deployed a previously undocumented backdoor named Msupedge in an attack targeting an unnamed university in Taiwan. This sophisticated malware, which utilizes DNS traffic for communication with its command-and-control (C&C) server, marks a significant development in cyber threats. According to the Symantec Threat Hunter Team, part of Broadcom, the attack is particularly concerning due to the backdoor’s stealthy nature and the critical vulnerability it exploited in PHP.

The Msupedge Backdoor: A Stealthy Threat

Msupedge is a dynamic-link library (DLL) backdoor that has caught the attention of cybersecurity experts due to its unique communication methods and the critical vulnerability it exploits. The origins of Msupedge are currently unknown, and the objectives behind the attack remain unclear. However, its deployment in the attack on a Taiwanese university highlights the growing sophistication of cyber threats.

The initial access vector for this attack is believed to be the exploitation of a critical vulnerability in PHP, identified as CVE-2024-4577. This flaw, which has a CVSS score of 9.8, allows attackers to achieve remote code execution. The exploitation of this vulnerability likely enabled the deployment of Msupedge, making it a key component of the attack.

Deployment and Communication

Msupedge is installed in specific paths on the compromised system, including “csidl_drive_fixed\xampp” and “csidl_system\wbem”. The backdoor operates through two DLLs; one of them, wuplog.dll, is launched by the Apache HTTP server (httpd). The parent process of the second DLL remains unclear, adding to the complexity of the threat.

What sets Msupedge apart from other backdoors is its reliance on DNS tunneling for communication with its C&C server. DNS tunneling is a technique that uses DNS queries and responses to transmit data, making it difficult for traditional security measures to detect and block. Msupedge’s communication code is based on the open-source dnscat2 tool, further enhancing its stealth capabilities.

According to Symantec, Msupedge receives commands by performing name resolution through DNS traffic. Beyond carrying command data in DNS records, it uses the resolved IP address of the C&C server (ctl.msedeapi[.]net) itself as a command: the third octet of the resolved address acts as a switch case that determines the backdoor’s behavior. Msupedge subtracts seven from the third octet and interprets the result, in hexadecimal notation, as the command selector. For example, if the third octet is 145, the derived value is 138 (0x8a), which corresponds to a particular command.

Command Execution

Msupedge supports various commands that allow it to perform different actions on the compromised system. These commands include:

  • 0x8a: Create a process using a command received via a DNS TXT record.
  • 0x75: Download a file using a download URL received via a DNS TXT record.
  • 0x24: Sleep for a predetermined time interval.
  • 0x66: Sleep for a predetermined time interval.
  • 0x38: Create a temporary file “%temp%\1e5bf625-1678-zzcv-90b1-199aa47c345.tmp” for an unknown purpose.
  • 0x3c: Delete the temporary file “%temp%\1e5bf625-1678-zzcv-90b1-199aa47c345.tmp”.
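As an added incident-response example (not code from the article or from Symantec), the following applies the third-octet rule described above and the command table just listed to resolver log lines, so an analyst can tell which command a logged resolution of the C&C domain would have triggered. The log line format and every IP address in it are constructed for illustration.

```python
# Added triage example (not Symantec's or the article's code). Decodes the
# command selector from A-record answers for the C&C domain: third octet - 7.
import ipaddress
import re
C2_DOMAIN = "ctl.msedeapi.net"

# Command table as reported in the article (selector -> action).
COMMANDS = {
    0x8A: "create process from DNS TXT record",
    0x75: "download file from URL in DNS TXT record",
    0x24: "sleep",
    0x66: "sleep",
    0x38: "create temporary file",
    0x3C: "delete temporary file",
}

# Constructed log format (assumption): "<timestamp> <client> <qname> A <answer>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+A\s+(\S+)$")

def selector_from_ip(answer):
    """(third octet - 7) as an 8-bit value, or None for a non-IPv4 answer.
    Wrapping for octets below 7 is an assumption; the report does not cover it."""
    try:
        third = ipaddress.IPv4Address(answer).packed[2]
    except ipaddress.AddressValueError:
        return None
    return (third - 7) & 0xFF

def triage_dns_log(lines):
    """Return (timestamp, client, selector, action) for each answer to the C&C name."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname, answer = m.groups()
        if qname.rstrip(".").lower() != C2_DOMAIN:
            continue  # only resolutions of the known C&C name matter
        sel = selector_from_ip(answer)
        if sel is not None:  # skip CNAME or malformed answers
            hits.append((ts, client, sel, COMMANDS.get(sel, "unknown selector")))
    return hits

# Constructed sample resolver log; illustrative values, not real indicators.
SAMPLE_LOG = [
    "2024-08-19T10:00:01Z 192.0.2.10 ctl.msedeapi.net. A 10.1.145.2",  # 145-7=0x8a
    "2024-08-19T10:00:05Z 192.0.2.10 www.example.com. A 93.184.216.34",  # unrelated
    "2024-08-19T10:01:00Z 192.0.2.10 ctl.msedeapi.net. A 10.1.124.7",  # 124-7=0x75
    "2024-08-19T10:03:00Z 192.0.2.10 ctl.msedeapi.net. A 10.1.200.1",  # 0xc1 unknown
]
```

A selector that falls outside the published table (like the last sample line) is worth flagging rather than ignoring, since it may indicate a variant or an unreported command.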

These capabilities make Msupedge a highly versatile and dangerous backdoor, capable of executing a wide range of malicious activities while remaining under the radar of traditional security measures.


Broader Implications: A Rising Threat

The discovery of Msupedge is part of a broader trend of increasing cyber threats. In a related development, the UTG-Q-010 threat group has been linked to a new phishing campaign that uses cryptocurrency- and job-related lures to distribute open-source malware called Pupy RAT. This campaign involves the use of malicious .lnk files with an embedded DLL loader, which ultimately leads to the deployment of the Pupy RAT payload.

Pupy RAT is a Python-based Remote Access Trojan (RAT) with advanced features, including reflective DLL loading and in-memory execution. The connection between these threats underscores the growing complexity and coordination among cybercriminals, who are constantly developing new techniques to evade detection and compromise systems.

Conclusion

The emergence of the Msupedge backdoor and its exploitation of a critical PHP vulnerability is a stark reminder of the evolving nature of cyber threats. The use of DNS tunneling for C&C communication, combined with the backdoor’s versatile command set, makes it a formidable tool in the hands of cybercriminals. As organizations continue to face increasingly sophisticated attacks, it is essential to remain vigilant and proactive in securing systems and networks against such threats. The cybersecurity community must stay ahead of these developments to protect sensitive information and critical infrastructure from being compromised.

