A never-before-seen backdoor, dubbed Msupedge, is targeting victims in Taiwan, using a unique communications technique.

After Symantec researchers caught the malware being deployed in an attack on a Taiwan university, they determined it communicates with its command-and-control (C2) server via DNS traffic — which is a known, but infrequently seen technique, according to a Symantec blog post this week.

The backdoor comes in the form of a dynamic link library (DLL), which is installed in two file paths:

  1. csidl_drive_fixed\xampp\wuplog.dll

  2. csidl_system\wbem\wmiclnt.dll

The backdoor then waits to receive commands via DNS traffic, and uses the resolved IP address of the C2 server as an initial command.

The researchers believe that the initial intrusion was possibly through exploitation of a recently patched PHP vulnerability, CVE-2024-4577. The bug is a CGI argument injection flaw that affects all versions of PHP on unpatched Windows systems. Successful exploitation can lead to remote code execution (RCE).

The researchers reported that they have recently discovered several threat actors scanning for vulnerable systems, but “have found no evidence allowing us to attribute [Msupedge], and the motive behind the attack remains unknown.”

Source: www.darkreading.com