August 21, 2024
Severity
High
Analysis Summary
Researchers have identified a previously undocumented backdoor, dubbed Msupedge, that was used in an attack on an unnamed Taiwanese university. Its defining characteristic is the use of DNS tunneling to communicate with its command-and-control (C2) server.
Msupedge is a dynamic link library (DLL) backdoor. Researchers found it installed at two file locations: “csidl_drive_fixed\xampp\wuplog.dll” and “csidl_system\wbem\wmiclnt.dll”. wuplog.dll is loaded by the Apache web server process (httpd.exe); the parent process of wmiclnt.dll has not been determined. The DNS tunneling code used by Msupedge is based on the publicly available dnscat2 tool.
The backdoor receives commands by resolving specially formatted host names and executes them; the results are encoded and sent back to the C2 server as a fifth-level domain. It also interprets the third octet of the C2 server's resolved IP address as a command switch, changing its behavior according to that value. The same channel is used to send error notifications for memory allocation, command decompression, and execution failures.
Threat actors were observed deploying Msupedge by exploiting a critical PHP vulnerability, CVE-2024-4577 (CVSS score 9.8), to execute code remotely and gain initial access to the victim's network. The backdoor supports the following commands:
- Case 0x8a: Create a process. The command is received via a DNS TXT record.
- Case 0x75: Download a file. The download URL is received via a DNS TXT record.
- Case 0x24: Sleep (ip_4 * 86400 * 1000 ms).
- Case 0x66: Sleep (ip_4 * 3600 * 1000 ms).
- Case 0x38: Creates %temp%\1e5bf625-1678-zzcv-90b1-199aa47c345.tmp. The purpose of this file is unknown.
- Case 0x3c: Deletes %temp%\1e5bf625-1678-zzcv-90b1-199aa47c345.tmp.
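As an added illustration for defenders (not code from the original advisory or from the Msupedge sample), the following heuristic scores DNS query log lines for the dnscat2-style tunneling traits described above: deep (fifth-level) names, long hex-encoded labels, TXT queries, and name resolution originating from the web server process that loads wuplog.dll. The log format, process image paths and the reserved `.invalid` domains are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Long all-hex labels look like encoded payload chunks carried in subdomains (dnscat2 style).
HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$")

@dataclass
class DnsEvent:
    process: str   # image that issued the query (Sysmon Event ID 22 style field)
    qname: str
    qtype: str

def parse_line(line: str) -> DnsEvent:
    """Parse a constructed 'process, qname, qtype' CSV log line."""
    proc, qname, qtype = (f.strip() for f in line.split(","))
    return DnsEvent(proc, qname.rstrip(".").lower(), qtype.upper())

def tunnel_score(ev: DnsEvent) -> int:
    """Heuristic score: higher means more tunnelling-like."""
    labels = ev.qname.split(".")
    score = 0
    if any(HEX_LABEL.match(label) for label in labels):
        score += 2                   # encoded data in labels (strongest signal)
    if len(labels) >= 5:
        score += 1                   # deep (fifth-level) names
    if ev.qtype == "TXT":
        score += 1                   # TXT records used to deliver commands/URLs
    if len(ev.qname) > 100:
        score += 1                   # unusually long query name
    if ev.process.lower().endswith("httpd.exe"):
        score += 1                   # the web server process itself resolving names
    return score

def flag_events(lines: list[str], threshold: int = 3) -> list[tuple[str, int]]:
    """Return (qname, score) for every line scoring at or above threshold."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        score = tunnel_score(ev)
        if score >= threshold:
            hits.append((ev.qname, score))
    return hits

# Constructed sample log lines (not real telemetry); domains use the reserved .invalid TLD.
SAMPLE_LOG = [
    r"C:\Windows\System32\svchost.exe, www.example.invalid, A",
    r"C:\xampp\apache\bin\httpd.exe, api.example.invalid, A",
    r"C:\xampp\apache\bin\httpd.exe, 0a1b2c3d4e5f60718293a4b5.c6d7e8f90a1b2c3d4e5f6071.8293a4b5c6d7e8f90a1b2c3d.c2.tunnel.invalid, TXT",
    r"C:\Windows\System32\svchost.exe, 5f60718293a4b5c6d7e8f90a.1b2c3d4e5f60718293a4b5c6.c2.tunnel.invalid, A",
]
```

The scoring is deliberately simple; in practice pair it with per-domain query volume over time and with hunts for the DLL paths and temp file named above.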
Researchers have not yet determined the motivation behind the attack or attributed it to any particular threat actor, as no evidence has been found that would support such a link. In recent weeks, they have observed multiple threat actors scanning for vulnerable systems.
Impact
- Code Execution
- Unauthorized Access
Indicators of Compromise
MD5
- bf8a6e05784e0a9e86816b4d2e12ddc9
- ef124bc6fe2b646a13e89d0cd1a03051
SHA-256
- f5937d38353ed431dc8a5eb32c119ab575114a10c24567f0c864cb2ef47f9f36
- a89ebe7d1af3513d146a831b6fa4a465c8edeafea5d7980eb5448a94a4e34480
SHA-1
- 727fbf3bdb277baba22934f4f84ba82307957edd
- ff2f31ec037ad54ab0acffcc4b6e08ebce40c401
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment using your respective security controls.
- Regularly change passwords for all accounts and use strong, unique passwords for sensitive accounts.
- Carefully check the URLs before entering credentials or downloading software.
- Implement multi-factor authentication (MFA) on all accounts to add an extra layer of security to login processes.
- Consider the use of phishing-resistant authenticators to further enhance security. These types of authenticators are designed to resist phishing attempts and provide additional protection against social engineering attacks.
- Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
- Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
- Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
- Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
- Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
- Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
- Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
- Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.
- Never trust or open links and attachments received from unknown sources/senders.