PHP flaw abused to deploy sneaky Msupedge backdoor by hackers

August 21, 2024

TLDR:

– Hackers exploited a PHP vulnerability (CVE-2024-4577) to deploy a new backdoor named Msupedge.

– Msupedge communicates with a C&C server via DNS traffic and can execute commands through DNS tunneling.

Hackers Exploit PHP Vulnerability to Deploy Stealthy Msupedge Backdoor

A previously undocumented backdoor called Msupedge was used in a cyber attack targeting a university in Taiwan. The backdoor communicates with a C&C server via DNS traffic, making it stealthy and hard to detect. The attack vector involved exploiting a critical flaw in PHP (CVE-2024-4577) to achieve remote code execution.

Msupedge is a dynamic-link library installed in specific paths and receives its commands over DNS tunneling: it resolves the C&C server's hostname and reads the command to execute from the third octet of the IP address returned in the response.

The backdoor supports various commands, including creating processes, downloading files, and sleeping for intervals.
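Because the command is carried in the third octet of a resolved IP address rather than in a payload, a defender looking at DNS logs would watch for names whose A-record answer changes in that octet across repeated lookups. The following is an added example written for this article, not code from the report or from the researchers; the log line format, the sample records and the threshold of three distinct values are constructed assumptions, and the real command-to-octet mapping is not on the page and is not modelled here.

```python
"""Triage heuristic for the DNS-based command dispatch described for Msupedge.

The implant reads its command from the third octet of the resolved C&C IP, so a
name whose resolved third octet keeps changing across lookups is a candidate for
review. Added example; log format and threshold are constructed assumptions.
"""
from collections import defaultdict
import ipaddress
import re

# Constructed sample log: "<timestamp> <client> <qname> A <answer_ip>".
# One benign name with a stable answer, one name whose third octet cycles,
# and one malformed answer to exercise the input check.
SAMPLE_LOG = """\
2024-08-20T10:00:01 10.0.0.5 cdn.example-good.test A 93.184.216.34
2024-08-20T10:00:02 10.0.0.5 cdn.example-good.test A 93.184.216.34
2024-08-20T10:00:07 10.0.0.9 upd.c2-lookalike.test A 198.51.100.3
2024-08-20T10:05:08 10.0.0.9 upd.c2-lookalike.test A 198.51.77.3
2024-08-20T10:10:09 10.0.0.9 upd.c2-lookalike.test A 198.51.42.3
2024-08-20T10:12:00 10.0.0.9 not-an-ip.test A garbage
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+A\s+(\S+)$")


def third_octet(addr: str):
    """Return the third octet of an IPv4 address, or None if it is not one."""
    try:
        ip = ipaddress.IPv4Address(addr)
    except ValueError:
        return None
    return ip.packed[2]


def parse_resolutions(log_text: str):
    """Yield (qname, answer_ip, third_octet) for well-formed A-record lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _ts, _client, qname, answer = m.groups()
        octet = third_octet(answer)
        if octet is None:  # skip unparseable answers rather than crash
            continue
        yield qname.lower(), answer, octet


def suspicious_domains(log_text: str, min_distinct: int = 3):
    """Map each query name to the sorted distinct third octets it resolved to,
    keeping only names that reached at least `min_distinct` different values."""
    seen = defaultdict(set)
    for qname, _ip, octet in parse_resolutions(log_text):
        seen[qname].add(octet)
    return {q: sorted(o) for q, o in seen.items() if len(o) >= min_distinct}


if __name__ == "__main__":
    for name, octets in suspicious_domains(SAMPLE_LOG).items():
        print(f"{name}: third octet varied across {octets}")
```

Round-robin and CDN answers also vary between lookups, usually in the last octet and within one or two /24 ranges, so a hit here is a triage signal to pair with process and network context, not a verdict on its own.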

Another threat group, UTG-Q-010, has been linked to a phishing campaign distributing an open-source malware called Pupy RAT, which uses malicious .lnk files with embedded DLL loaders.
