Summary: A new backdoor, Backdoor.Msupedge, was discovered in an attack on a Taiwanese university, utilizing DNS tunneling for communication with its command-and-control server. This backdoor employs a unique method of command execution based on the resolved IP address, highlighting a sophisticated approach to malware deployment.
Threat Actor: Unknown
Victim: University in Taiwan
Key Points:
- The backdoor communicates with its C&C server using DNS traffic, a technique that, while known, is infrequently observed.
- Initial intrusion likely exploited a recently patched PHP vulnerability (CVE-2024-4577), allowing for remote code execution.
- Msupedge’s behavior changes based on the third octet of the resolved IP address, enabling various commands such as creating processes and downloading files.
- Indicators of compromise include specific file hashes associated with the backdoor and web shell.
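The two technique-level points above (DNS as the C&C channel, and commands keyed to the third octet of the resolved address) suggest what a defender can look for in resolver logs. The following Python is an added example, not code from the Symantec report or the Msupedge sample: it scores each base domain on the length and Shannon entropy of its subdomain labels and on how many distinct third octets its answers carry, over a constructed log in a hypothetical "timestamp client qname qtype answer" format. The thresholds and domain names are assumptions chosen for illustration.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (hypothetical format: timestamp client qname qtype answer).
# The c2-example.test lines imitate tunneling: long random-looking labels and answers
# whose third octet keeps changing; the example.edu lines are ordinary lookups.
SAMPLE_LOG = """\
2024-08-20T10:00:01 10.0.0.15 www.example.edu A 93.184.216.34
2024-08-20T10:00:02 10.0.0.15 mail.example.edu A 93.184.216.35
2024-08-20T10:00:03 10.0.0.22 a9f3k2m1x8q7z4b6.c2-example.test A 10.5.17.3
2024-08-20T10:00:04 10.0.0.22 q8w7e6r5t4y3u2i1o0p9.c2-example.test A 10.5.42.8
2024-08-20T10:00:05 10.0.0.22 zx9cv8bn7ml6kj5hg4fd3.c2-example.test A 10.5.99.1
2024-08-20T10:00:06 10.0.0.22 lkj3hgf2dsa1poi0uyt9rew8.c2-example.test A 10.5.17.3
2024-08-20T10:00:07 10.0.0.22 mnb4vcx3zlk2jhg1fds0apo9.c2-example.test A 10.5.3.200
2024-08-20T10:00:08 10.0.0.15 cdn.example.edu A 93.184.216.36
"""


def shannon_entropy(text):
    """Bits of entropy per character; random-looking tunnel labels score high."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (subdomain, base_domain). Simplification: base = last two labels."""
    labels = qname.rstrip(".").split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_line(line):
    ts, client, qname, qtype, answer = line.split()
    return {"ts": ts, "client": client, "qname": qname, "qtype": qtype, "answer": answer}


def analyze(log_text):
    """Aggregate per-base-domain statistics relevant to DNS tunneling."""
    per_domain = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                      "lengths": [], "entropies": [],
                                      "third_octets": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        sub, base = split_name(rec["qname"])
        stats = per_domain[base]
        stats["queries"] += 1
        stats["subdomains"].add(sub)
        stats["lengths"].append(len(sub))
        stats["entropies"].append(shannon_entropy(sub))
        octets = rec["answer"].split(".")
        if len(octets) == 4:  # IPv4 answer: record the third octet only
            stats["third_octets"].add(octets[2])
    result = {}
    for base, s in per_domain.items():
        result[base] = {
            "queries": s["queries"],
            "unique_subdomains": len(s["subdomains"]),
            "mean_sub_len": sum(s["lengths"]) / len(s["lengths"]),
            "mean_entropy": sum(s["entropies"]) / len(s["entropies"]),
            "distinct_third_octets": len(s["third_octets"]),
        }
    return result


def flag_domains(stats, min_queries=3, min_len=16, min_entropy=3.0):
    """Heuristic (assumed thresholds): many long, high-entropy subdomains under one base."""
    return sorted(base for base, s in stats.items()
                  if s["queries"] >= min_queries
                  and s["mean_sub_len"] >= min_len
                  and s["mean_entropy"] >= min_entropy)


if __name__ == "__main__":
    st = analyze(SAMPLE_LOG)
    for base in flag_domains(st):
        s = st[base]
        print(f"{base}: {s['queries']} queries, mean label len {s['mean_sub_len']:.1f}, "
              f"entropy {s['mean_entropy']:.2f}, {s['distinct_third_octets']} distinct third octets")
```

The third-octet count is a secondary signal: a base domain whose answers vary in that position across a short window is worth a closer look given the dispatch scheme described above, but on its own it is also consistent with ordinary round-robin or CDN answers, so it is reported alongside the label statistics rather than used as a trigger.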
Source: https://symantec-enterprise-blogs.security.com/threat-intelligence/taiwan-malware-dns