Stealthy Communications Used by New Backdoor Targeting Taiwan

Short Summary:

A new backdoor known as Backdoor.Msupedge has been discovered targeting a university in Taiwan. The backdoor communicates with its command-and-control (C&C) server over DNS tunneling, a technique that is not commonly seen. It is installed as a dynamic link library (DLL) and selects which command to execute based on the IP address returned in the C&C server's DNS response.

Key Points:

  • Backdoor.Msupedge targets a university in Taiwan.
  • Communicates with a C&C server using DNS traffic.
  • Installed as a dynamic link library (DLL) in specific file paths.
  • Uses DNS tunneling based on the dnscat2 tool.
  • Commands are received via DNS TXT records.
  • Initial intrusion likely exploited a PHP vulnerability (CVE-2024-4577).
  • Behavior of the backdoor changes based on the third octet of the resolved IP address.
  • Multiple commands supported, including creating processes and downloading files.
  • Indicators of compromise (IOCs) have been identified for detection.

MITRE ATT&CK TTPs – created by AI

  • Command and Control (T1071)
    • Uses DNS tunneling for communication with the C&C server.
  • Execution (T1059)
    • Executes commands received via DNS TXT records.
  • Persistence (T1547)
    • Installed as a DLL in specific file paths for persistence.
  • Exploitation of Vulnerability (T1203)
    • Initial intrusion likely through a PHP vulnerability (CVE-2024-4577).

used by multiple threat actors, it is nevertheless something that is not often seen. 

Msupedge analysis

Msupedge is a backdoor in the form of a dynamic link library (DLL). It has been found installed in the following file paths:

  • csidl_drive_fixed\xampp\wuplog.dll
  • csidl_system\wbem\wmiclnt.dll

While wuplog.dll is loaded by Apache (httpd.exe), the parent process for wmiclnt.dll is unknown.

Msupedge uses DNS tunneling for communication with the C&C server. The code for the DNS tunneling tool is based on the publicly available dnscat2 tool. It receives commands by performing name resolution. The host names that are resolved are structured as follows:

CVE-2024-4577). The vulnerability is a CGI argument injection flaw affecting all versions of PHP installed on the Windows operating system. Successful exploitation of the vulnerability can lead to remote code execution. 

Symantec has seen multiple threat actors scanning for vulnerable systems in recent weeks. To date, we have found no evidence allowing us to attribute this threat and the motive behind the attack remains unknown.
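The DNS-tunneling channel described in the analysis above (dnscat2-style encoded subdomain labels, with commands pulled back through TXT lookups) is the kind of pattern a resolver-log review can surface. The following is an added example, not code from the report or from Symantec: it scores per-client, per-domain query patterns over constructed sample log lines in an assumed `<timestamp> <client> <qtype> <qname>` format, and flags pairs with repeated TXT lookups whose names carry long hex-only labels.

```python
import re
from collections import defaultdict

# Constructed sample resolver log lines (not from the report):
# "<unix-timestamp> <client-ip> <qtype> <qname>"
SAMPLE_LOG = """\
1723900001 10.0.0.5 TXT 4a0b1c2d3e4f5061728394a5b6c7d8e9.c2-example.test
1723900002 10.0.0.5 TXT 0f1e2d3c4b5a69788796a5b4c3d2e1f0.c2-example.test
1723900003 10.0.0.5 TXT 9c8b7a6f5e4d3c2b1a0f9e8d7c6b5a49.c2-example.test
1723900004 10.0.0.5 TXT aabbccddeeff00112233445566778899.c2-example.test
1723900005 10.0.0.7 A www.example.org
1723900006 10.0.0.7 TXT _dmarc.example.org
1723900007 10.0.0.5 A update.microsoft.com
"""

# A label made only of hex digits and at least 16 chars long is treated as encoded data.
HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$")

def registered_domain(qname):
    # Assumption: last two labels approximate the registered domain; production
    # code should use a public-suffix list instead.
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def parse_line(line):
    ts, client, qtype, qname = line.split()
    return {"ts": int(ts), "client": client, "qtype": qtype.upper(),
            "qname": qname.lower().rstrip(".")}

def score_queries(lines, min_txt=3, min_hex_ratio=0.75):
    """Return {(client, domain): stats} for pairs whose queries look like data
    being moved through TXT lookups with hex-encoded labels."""
    stats = defaultdict(lambda: {"queries": 0, "txt": 0, "hex_labels": 0})
    for line in lines:
        if not line.strip():
            continue
        q = parse_line(line)
        s = stats[(q["client"], registered_domain(q["qname"]))]
        s["queries"] += 1
        if q["qtype"] == "TXT":
            s["txt"] += 1
        if any(HEX_LABEL.match(lbl) for lbl in q["qname"].split(".")):
            s["hex_labels"] += 1
    return {key: dict(s) for key, s in stats.items()
            if s["txt"] >= min_txt and s["hex_labels"] / s["queries"] >= min_hex_ratio}

if __name__ == "__main__":
    for (client, domain), s in score_queries(SAMPLE_LOG.splitlines()).items():
        print(f"{client} -> {domain}: {s}")
```

The thresholds are illustrative; tune them against your own resolver baseline, since legitimate TXT-heavy services (mail authentication, some CDNs) will also appear in the stats.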

Protection/Mitigation

For the latest protection updates, please visit the Symantec Protection Bulletin.

Indicators of Compromise

If an IOC is malicious and the file is available to us, Symantec Endpoint products will detect and block that file.

  • e08dc1c3987d17451a3e86c04ed322a9424582e2f2cb6352c892b7e0645eda43 – Backdoor.Msupedge
  • f5937d38353ed431dc8a5eb32c119ab575114a10c24567f0c864cb2ef47f9f36 – Backdoor.Msupedge
  • a89ebe7d1af3513d146a831b6fa4a465c8edeafea5d7980eb5448a94a4e34480 – Web shell

Source: Original Post