Hackers Exploit PHP Vulnerability to Deploy Stealthy Msupedge Backdoor

Summary:
A newly discovered backdoor named Msupedge has been deployed in a cyberattack against an unnamed university in Taiwan. The backdoor stands out for its unconventional method of communicating with its command-and-control (C&C) server over DNS traffic, a relatively rare and stealthy technique. The origins and objectives behind the Msupedge attack remain unknown. However, it is believed that the attackers gained initial access by exploiting a recently disclosed critical vulnerability in PHP (CVE-2024-4577), rated critical with a CVSS score of 9.8. This flaw allows remote code execution, giving the attackers the foothold needed to deploy the backdoor.

Msupedge is implemented as a DLL and is installed in two specific system paths: "csidl_drive_fixed\xampp" and "csidl_system\wbem". One of these DLLs, wuplog.dll, is launched by the Apache HTTP server, while the parent process for the second DLL remains unclear. The backdoor's communication mechanism is particularly sophisticated, relying on DNS tunneling to interact with its C&C server. The code of Msupedge is based on the open-source dnscat2 tool, which is known for its use in DNS-based covert channels.

Symantec’s analysis reveals that Msupedge receives commands by resolving domain names via DNS, with the resolved IP address of the C&C server determining its behavior. Specifically, the third octet of the resolved IP address is used as a switch case: seven is subtracted from it and the result, read as a hexadecimal value, selects the command. For example, if the third octet is 145, it becomes 138 (0x8a) after subtraction, which corresponds to the command to create a process based on a DNS TXT record.

The backdoor supports a range of commands, including:

  • 0x8a: Create a process using a command received via a DNS TXT record.
  • 0x75: Download a file using a URL received via a DNS TXT record.
  • 0x24 & 0x66: Sleep for a predetermined time interval.
  • 0x38: Create a temporary file at "%temp%\1e5bf625-1678-zzcv-90b1-199aa47c345.tmp" with an unknown purpose.
  • 0x3c: Delete the temporary file mentioned above.
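The following decoder is an added example, not code from Symantec or from the Msupedge sample itself. It applies the dispatch rule described above (third octet of the resolved address minus seven, mapped against the command table listed on this page) so that an analyst can read passive-DNS or resolver logs and see which command a given C&C answer would have triggered. The log format and the IP addresses are constructed for the example; how the backdoor treats a third octet below seven is not stated on the page, so such values are reported as undecodable.

```python
import ipaddress
import re

# Command table as summarized on this page (value = third octet - 7).
MSUPEDGE_COMMANDS = {
    0x8A: "create process from command in DNS TXT record",
    0x75: "download file from URL in DNS TXT record",
    0x24: "sleep for a predetermined interval",
    0x66: "sleep for a predetermined interval",
    0x38: "create temp file %temp%\\1e5bf625-1678-zzcv-90b1-199aa47c345.tmp",
    0x3C: "delete the temp file",
}


def decode_command(resolved_ip: str):
    """Return (code, description) the backdoor would derive from a resolved IPv4 answer.

    The page states only that seven is subtracted from the third octet; the
    behaviour for octets below seven is undocumented, so those yield (None, None).
    """
    third_octet = ipaddress.IPv4Address(resolved_ip).packed[2]
    code = third_octet - 7
    if code < 0:
        return None, None
    return code, MSUPEDGE_COMMANDS.get(code, "unknown / not in published table")


# Constructed resolver log lines (format assumed): timestamp client qname type answer
SAMPLE_DNS_LOG = """\
2024-08-19T10:01:02Z 10.0.0.5 a1b2c3.example.invalid A 198.51.145.7
2024-08-19T10:01:07Z 10.0.0.5 d4e5f6.example.invalid A 198.51.124.7
2024-08-19T10:01:12Z 10.0.0.5 g7h8i9.example.invalid A 198.51.43.7
2024-08-19T10:01:15Z 10.0.0.5 j0k1l2.example.invalid A 198.51.67.7
2024-08-19T10:01:20Z 10.0.0.5 www.example.invalid A 198.51.100.10
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) A (\d+\.\d+\.\d+\.\d+)$")


def triage_dns_log(text: str):
    """Decode every A-record answer in the log; returns (ts, client, qname, ip, code, desc)."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, qname, ip = m.groups()
        code, desc = decode_command(ip)
        findings.append((ts, client, qname, ip, code, desc))
    return findings


def known_command_hits(text: str):
    """Only the answers whose derived code is in the published command table."""
    return [f for f in triage_dns_log(text) if f[4] in MSUPEDGE_COMMANDS]


if __name__ == "__main__":
    for ts, client, qname, ip, code, desc in triage_dns_log(SAMPLE_DNS_LOG):
        shown = f"0x{code:02x}" if code is not None else "n/a"
        print(f"{ts} {client} {qname} -> {ip} code={shown} {desc}")
```

A single A record that decodes to a table value proves nothing on its own; in practice the signal is the pattern of long, high-entropy subdomain lookups whose answers repeatedly land on table values, which is why the triage keeps the query name alongside the decoded code.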

Security Officer Comments:
This attack is part of a broader threat landscape involving the UTG-Q-010 group, which has also been linked to a new phishing campaign. This campaign uses cryptocurrency and job-related lures to distribute Pupy RAT, an open-source Python-based Remote Access Trojan (RAT). The attack chain involves malicious .lnk files containing an embedded DLL loader, ultimately leading to the deployment of the Pupy RAT payload. Pupy RAT is notable for its capabilities, including reflective DLL loading and in-memory execution, making it a versatile tool for attackers.

Suggested Corrections:
Steps to Mitigate PHP Vulnerability:

  1. Upgrade PHP:
    • Upgrade to PHP 8.3.8, 8.2.20, or 8.1.29, which include the patch for this vulnerability.
    • Download the latest versions from the official PHP website.
  2. Apply Temporary Suggested Corrections (if an upgrade is not immediately possible):
    • For users who cannot upgrade PHP immediately, add the following Apache rewrite rules to block attack requests (the condition matches query strings that begin with %ad, case-insensitively, and the rule rejects them with 403 Forbidden):

      RewriteEngine On
      RewriteCond %{QUERY_STRING} ^%ad [NC]
      RewriteRule .? - [F,L]
    • For XAMPP users on Windows, if the PHP CGI feature is not required, disable it by commenting out the ScriptAlias line in the Apache configuration file (C:/xampp/apache/conf/extra/httpd-xampp.conf):

      # ScriptAlias /php-cgi/ "C:/xampp/php/"
  3. Verify Configuration:
    • Confirm that the patches or mitigations are correctly applied by checking the server configuration and running security scans with tools such as Nessus or other vulnerability scanners.
  4. Consider Migration to More Secure Architectures:
    • Evaluate migrating to a more robust PHP execution model such as mod_php, FastCGI, or PHP-FPM; PHP-CGI is outdated and more prone to this class of vulnerability.
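Steps 1 through 3 above amount to two checks a defender can automate: is the installed PHP release at or above the fixed version for its branch, and does the rewrite rule actually catch the requests it is meant to catch. The script below is an added example (not from the page's sources or from any PHP or Apache tooling) that implements both. The fixed-version table is the one listed in step 1; the access-log lines are constructed in Common Log Format purely to exercise the rule check, and `would_be_blocked` re-implements the `RewriteCond %{QUERY_STRING} ^%ad [NC]` test in Python.

```python
import re
from urllib.parse import urlsplit

# Minimum patched release per branch, as listed in the mitigation steps above.
FIXED_VERSIONS = {
    (8, 3): (8, 3, 8),
    (8, 2): (8, 2, 20),
    (8, 1): (8, 1, 29),
}


def parse_version(version: str):
    """Turn a 'major.minor.patch' string (as printed by `php -v`) into an int tuple."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised PHP version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def php_is_patched(version: str):
    """True/False for the 8.1-8.3 branches on the page; None when the branch is not
    in the table (the page lists no fixed release for it), so the caller must decide."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return None
    return (major, minor, patch) >= fixed


# Mirrors: RewriteCond %{QUERY_STRING} ^%ad [NC]
QUERY_BLOCK_RE = re.compile(r"^%ad", re.IGNORECASE)


def would_be_blocked(request_target: str):
    """Apply the same test Apache applies: raw (undecoded) query string starts with %ad."""
    query = urlsplit(request_target).query
    return bool(QUERY_BLOCK_RE.match(query))


# Constructed access-log lines in Common Log Format; 403s show the rule firing.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [19/Aug/2024:10:02:01 +0000] "GET /index.php?%ADfoo=bar HTTP/1.1" 403 199
203.0.113.8 - - [19/Aug/2024:10:02:05 +0000] "GET /index.php?page=home HTTP/1.1" 200 5120
203.0.113.9 - - [19/Aug/2024:10:02:09 +0000] "POST /php-cgi/php-cgi.exe?%adx HTTP/1.1" 403 199
203.0.113.8 - - [19/Aug/2024:10:02:12 +0000] "GET /index.php?q=%ad HTTP/1.1" 200 5120
"""

ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def find_rule_hits(log_text: str):
    """Return (client, method, target, status) for requests the rewrite rule matches.

    A hit with a non-403 status means the rule is not active on that server.
    """
    hits = []
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        client, _ts, method, target, status = m.groups()
        if would_be_blocked(target):
            hits.append((client, method, target, int(status)))
    return hits


if __name__ == "__main__":
    for v in ("8.3.7", "8.3.8", "8.2.20", "8.1.28", "8.0.30"):
        print(v, "patched" if php_is_patched(v) else "NOT patched / unknown branch")
    for client, method, target, status in find_rule_hits(SAMPLE_ACCESS_LOG):
        print(f"{client} {method} {target} -> {status}")
```

Note the fourth log line: `%ad` appearing later in the query string is not matched, because the rule is anchored with `^`. That is the published mitigation's intended scope, and the Python check reproduces it rather than broadening it.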

IOCs:
https://symantec-enterprise-blogs.security.com/threat-intelligence/taiwan-malware-dns

Link(s):
https://thehackernews.com/2024/08/hackers-exploit-php-vulnerability-to.html