A new backdoor named Backdoor.Msupedge targets a university in Taiwan and communicates with its C2 server using DNS tunneling based on the dnscat2 tool. It is deployed as a DLL, receives commands via DNS TXT records, and its behavior varies with the third octet of the resolved IP address; the intrusion is suspected to involve a PHP vulnerability (CVE-2024-4577). #Backdoor.Msupedge #DNS #dnscat2 #CVE-2024-4577 #Taiwan #University
Keypoints
- Backdoor.Msupedge targets a university in Taiwan.
- Communicates with a C2 server using DNS traffic and DNS TXT records for commands.
- Installed as a DLL in specific file paths for persistence (DLL-based backdoor).
- DNS tunneling implementation is based on the publicly available dnscat2 tool.
- Initial intrusion likely exploited a PHP vulnerability (CVE-2024-4577).
- Backdoor behavior changes based on the third octet of the resolved IP address.
- Supports multiple commands (e.g., creating processes, downloading files) and has identified IOCs for detection.
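Added example, not from the Symantec report: a small Python heuristic that flags dnscat2-style TXT tunneling in DNS query logs. It assumes dnscat2's habit of hex-encoding session data in the leading subdomain label, a constructed log format of timestamp, client, query type and name, and a placeholder domain.

```python
import re
from collections import defaultdict

# Constructed sample DNS query log (not from the report): ts client qtype name.
# tunnel.invalid is a placeholder C2 domain; the hex labels are made up.
SAMPLE_LOG = """\
2024-08-20T10:00:01 10.0.0.5 A www.example.edu
2024-08-20T10:00:02 10.0.0.5 TXT 0a3f9c1e7b2d4f6a8c0e1b3d5f7a9c2e4b6d8f0a1c3e5b7d.tunnel.invalid
2024-08-20T10:00:03 10.0.0.5 TXT 1b4e8d2c6a0f3e5b7d9c1a3e5f7b9d2c4e6a8c0e2b4d6f8a.tunnel.invalid
2024-08-20T10:00:04 10.0.0.5 TXT 2c5f9e3d7b1a4f6c8e0d2b4f6a8c0e2d4f6b8d0a2c4e6b8d.tunnel.invalid
2024-08-20T10:00:05 10.0.0.5 TXT 3d6a0f4e8c2b5a7d9f1e3c5a7b9d1f3e5a7c9e1b3d5f7a9c.tunnel.invalid
2024-08-20T10:00:06 10.0.0.7 A mail.example.edu
2024-08-20T10:00:07 10.0.0.7 TXT _dmarc.example.edu
"""

# dnscat2 packs data as lowercase hex; DNS labels are capped at 63 octets.
HEX_LABEL = re.compile(r"^[0-9a-f]{16,63}$")


def parse_line(line):
    ts, client, qtype, name = line.split()
    return {"ts": ts, "client": client, "qtype": qtype,
            "name": name.lower().rstrip(".")}


def registrable_domain(name):
    # Crude parent-domain extraction (last two labels); fine for the demo,
    # use a public-suffix list in production.
    return ".".join(name.split(".")[-2:])


def score_domains(log_text, min_queries=3, hex_ratio=0.8):
    """Return {domain: txt_query_count} for domains whose TXT lookups look like
    a dnscat2 channel: enough queries, mostly hex leading labels, never repeated
    (each tunnelled packet yields a fresh, uncacheable name)."""
    stats = defaultdict(lambda: {"txt": 0, "hex": 0, "names": set()})
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        if rec["qtype"] != "TXT":
            continue
        s = stats[registrable_domain(rec["name"])]
        s["txt"] += 1
        s["names"].add(rec["name"])
        if HEX_LABEL.match(rec["name"].split(".")[0]):
            s["hex"] += 1
    return {dom: s["txt"] for dom, s in stats.items()
            if s["txt"] >= min_queries
            and s["hex"] / s["txt"] >= hex_ratio
            and len(s["names"]) == s["txt"]}
```

Legitimate TXT lookups such as `_dmarc` records fall below the query and hex-ratio thresholds, so only the tunnelling domain is reported.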
MITRE Techniques
- [T1071] Command and Control - Uses DNS tunneling for communication with the C&C server.
- [T1059] Execution - Executes commands received via DNS TXT records.
- [T1547] Persistence - Installed as a DLL in specific file paths for persistence.
- [T1203] Exploitation of Vulnerability - Initial intrusion likely through a PHP vulnerability (CVE-2024-4577).
Indicators of Compromise
- [Hash] File hashes associated with Backdoor.Msupedge and the web shell: e08dc1c3987d17451a3e86c04ed322a9424582e2f2cb6352c892b7e0645eda43, f5937d38353ed431dc8a5eb32c119ab575114a10c24567f0c864cb2ef47f9f36, and a89ebe7d1af3513d146a831b6fa4a465c8edeafea5d7980eb5448a94a4e34480
- [File name] DLLs associated with Msupedge: csidl_drive_fixed\xampp\wuplog.dll, csidl_system\wbem\wmiclnt.dll
Read more: https://symantec-enterprise-blogs.security.com/threat-intelligence/taiwan-malware-dns