杭州江阴科强工业胶带有限公司

{"id":167298,"date":"2024-08-20T17:27:22","date_gmt":"2024-08-20T17:27:22","guid":{"rendered":"https:\/\/securityaffairs.com\/?p=167298"},"modified":"2024-08-20T17:27:23","modified_gmt":"2024-08-20T17:27:23","slug":"msupedge-backdoor","status":"publish","type":"post","link":"https:\/\/securityaffairs.com\/167298\/malware\/msupedge-backdoor.html","title":{"rendered":"Previously unseen Msupedge backdoor targeted a university in Taiwan"},"content":{"rendered":"

<\/div>\n

Experts spotted a previously undetected backdoor, dubbed Msupedge, that was employed in an attack against a university in Taiwan.\u00a0<\/h2>\n\n\n\n
Broadcom Symantec researchers discovered a previously undetected backdoor, called Msupedge, that was employed in an attack targeting an unnamed university in Taiwan.<\/p>\n\n\n\n
The most notable feature of the backdoor is that it relies on DNS tunnelling to communicate with a C2 server.<\/p>\n\n\n\n
$\"Msupedge\"$ <\/a><\/figure>\n\n\n\n
“Msupedge\u00a0is a backdoor in the form of a dynamic link library (DLL).” reads the report<\/strong><\/a> published by Symantec. “It has been found installed in the following file paths:<\/em><\/p>\n\n\n\n
\n
csidl_drive_fixed\\xampp\\wuplog.dll<\/li>\n\n\n\n
csidl_system\\wbem\\wmiclnt.dll<\/li>\n<\/ul>\n\n\n\n
While wuplog.dll is loaded by Apache (httpd.exe), the parent process for wmiclnt.dll is unknown.”<\/em><\/p>\n\n\n\n
The code used by Msupedge for the DNS tunneling tool is based on\u00a0the publicly available dnscat2<\/a>\u00a0tool. <\/p>\n\n\n\n
The backdoor receives and executes commands by resolving specially structured host names. The results of these commands are encoded and sent back as a fifth-level domain. Additionally, the backdoor interprets the third octet of the resolved IP address of the C&C server as a command switch, adjusting its behavior based on this value. Error notifications for memory allocation, command decompression, and execution are also sent through this method.<\/gwmw><\/p>\n\n\n\n
Threat actors were observed exploiting a critical vulnerability in PHP, tracked as CVE-2024-4577<\/a> (CVSS score of 9.8), to deploy the Msupedge backdoor. Attackers exploited this flaw to achieve remote code execution and gain initial access to the target network.<\/p>\n\n\n\n
The backdoor supports the following commands:<\/p>\n\n\n\n
\n
Case 0x8a : \u00a0Create process. The command is receive via DNS TXT record.<\/li>\n\n\n\n
Case 0x75 : \u00a0Download file. The download URL is received via DNS TXT record.<\/li>\n\n\n\n
Case 0x24 : \u00a0Sleep (ip_4 * 86400 * 1000 ms).<\/li>\n\n\n\n
Case 0x66 : \u00a0Sleep (ip_4 * 3600 * 1000 ms).<\/li>\n\n\n\n
Case 0x38 : \u00a0Create %temp%\\1e5bf625-1678-zzcv-90b1-199aa47c345.tmp. The purpose of this file is unknown.<\/li>\n\n\n\n
Case 0x3c: \u00a0Remove %temp%\\1e5bf625-1678-zzcv-90b1-199aa47c345.tmp.<\/li>\n<\/ul>\n\n\n\n
Symantec did not attribute the attack to a specific threat actors and has yet to determine the motive behind the attack<\/em>.<\/p>\n\n\n\n
“Symantec has seen multiple threat actors scanning for vulnerable systems in recent weeks. To date, we have found no evidence allowing us to attribute this threat and the motive behind the attack remains unknown.” concludes the report that includes Indicators of Compromise.<\/em><\/gwmw><\/p>\n\n\n\n
Follow me on Twitter: @securityaffairs<\/strong><\/a> and Facebook<\/strong><\/a> and Mastodon<\/strong><\/a><\/p>\n\n\n\n
Pierluigi Paganini<\/strong><\/a><\/p>\n\n\n\n
(<\/strong>SecurityAffairs<\/strong><\/a>\u00a0\u2013<\/strong>\u00a0hacking, malware)<\/strong><\/gwmw><\/gwmw><\/gwmw><\/p>\n","protected":false},"excerpt":{"rendered":"
Experts spotted a previously undetected backdoor, dubbed Msupedge, that was employed in an attack against a university in Taiwan.\u00a0 Broadcom Symantec researchers discovered a previously undetected backdoor, called Msupedge, that was employed in an attack targeting an unnamed university in Taiwan. The most notable feature of the backdoor is that it relies on DNS tunnelling […]<\/p>\n","protected":false},"author":1,"featured_media":167300,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[3323,3,7,55],"tags":[149,88,4112,9508,9506,10918,30,15293,687,841,1533],"class_list":["post-167298","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-breaking-news","category-cyber-crime","category-malware","category-security","tag-backdoor","tag-cybercrime","tag-hacking","tag-hacking-news","tag-information-security-news","tag-it-information-security","tag-malware-2","tag-msupedge-backdoor","tag-pierluigi-paganini","tag-security-affairs","tag-security-news"],"yoast_head":"\n杭州江阴科强工业胶带有限公司