TLDR:
– Hackers exploited a PHP vulnerability (CVE-2024-4577) to deploy a new backdoor named Msupedge.
– Msupedge communicates with a C&C server via DNS traffic and can execute commands through DNS tunneling.
Hackers Exploit PHP Vulnerability to Deploy Stealthy Msupedge Backdoor
A previously undocumented backdoor called Msupedge was used in a cyber attack targeting a university in Taiwan. The backdoor communicates with its C&C server over DNS, a protocol that is almost always allowed outbound and rarely inspected, which makes the traffic easy to overlook. The initial access vector was CVE-2024-4577, a critical argument-injection flaw in PHP's CGI mode on Windows that allows remote code execution.
Msupedge is a dynamic-link library (DLL) installed in specific paths on the compromised host and receives its commands through DNS tunneling: it resolves a C&C hostname and treats the third octet of the returned IP address as the command code, so the channel looks like an ordinary A-record lookup rather than a data transfer.
The backdoor supports several commands, including creating a process, downloading a file, and sleeping for a given interval.
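To make the channel concrete, here is an added Python example (not Msupedge's code, and not from the original report) that builds a minimal DNS A-record response, parses it the way a resolver client would, and dispatches on the third octet of the answer. The hostname `c2.example.invalid`, the packet-builder, and the octet-to-command table are assumptions for illustration; the page does not give the real command codes.

```python
"""Emulate a DNS-tunneled command channel keyed on the third octet of an A record.

Added example for illustration. The command table and hostname are
hypothetical; they are not Msupedge's real values.
"""
from __future__ import annotations

import struct

# Hypothetical mapping: third octet of the resolved IP -> action.
COMMAND_TABLE = {
    1: "create_process",
    2: "download_file",
    3: "sleep",
}


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels (length-prefixed, NUL-terminated)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(packet: bytes, offset: int) -> tuple[str, int]:
    """Decode a possibly-compressed name; return (name, offset just after it)."""
    labels: list[str] = []
    jumped = False
    end = offset
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            break
        labels.append(packet[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), end


def build_a_response(txid: int, qname: str, ip: str, ttl: int = 60) -> bytes:
    """Build a minimal DNS response with one question and one A answer.

    This stands in for what the C&C's authoritative server would return;
    it is constructed test input so the example runs offline.
    """
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD/RA set
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    rdata = bytes(int(o) for o in ip.split("."))
    # Answer name is a pointer to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + answer


def parse_a_answers(packet: bytes) -> tuple[str, list[str]]:
    """Return the question name and every A-record address in a DNS response."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    offset = 12
    qname = ""
    for _ in range(qdcount):
        name, offset = decode_name(packet, offset)
        qname = qname or name
        offset += 4  # skip QTYPE and QCLASS
    ips: list[str] = []
    for _ in range(ancount):
        _, offset = decode_name(packet, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        rdata = packet[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:  # only IPv4 A records carry the code here
            ips.append(".".join(str(b) for b in rdata))
    return qname, ips


def command_from_ip(ip: str) -> str:
    """Map the third octet of a resolved address to an action (hypothetical table)."""
    third = int(ip.split(".")[2])
    return COMMAND_TABLE.get(third, "unknown")


def decode_beacon(packet: bytes) -> list[tuple[str, str]]:
    """Emulate the implant's dispatch: one (ip, command) pair per A answer."""
    _, ips = parse_a_answers(packet)
    return [(ip, command_from_ip(ip)) for ip in ips]


if __name__ == "__main__":
    pkt = build_a_response(0x1234, "c2.example.invalid", "10.0.2.7")
    print(decode_beacon(pkt))
```

The point for defenders is that nothing in the packet is malformed: the "command" is a perfectly valid A record, so signature-based DNS inspection will not flag it. Hunting has to look at behavior instead, for example a host repeatedly resolving the same name and receiving answers whose third octet changes while the rest of the address stays fixed.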
Separately, another threat group, UTG-Q-010, has been linked to a phishing campaign that distributes Pupy RAT, an open-source remote access trojan, using malicious .lnk shortcut files with embedded DLL loaders.