A newly identified security threat utilizing a rarely seen DNS-based communication method has been discovered by threat analysts in an attack targeting a Taiwanese university.
The backdoor, dubbed Backdoor.Msupedge and identified by Symantec, communicates with a command-and-control (C2) server by using DNS traffic, a technique known but infrequently employed by cybercriminals.
Msupedge operates as a dynamic link library (DLL) and has been found installed in specific file paths within the compromised systems. The DLL can execute commands received through DNS queries, a method that not only helps it evade detection but also gives the operator stealthy control over infected machines.
Among the most distinctive features of Msupedge is its ability to modify its behavior based on the resolved IP address from the DNS query. Specifically, the third octet of the resolved IP address is used as a switch to determine the command to be executed, ranging from creating processes to downloading files or making the system sleep for a specified duration.
Symantec explained that this new backdoor supports several commands, including:
- Creating a process via DNS TXT records
- Downloading files from URLs received through DNS
- Inducing sleep modes in the infected machine for up to 24 hours
- Removing temporary files
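The third-octet switch described above leaves a recognisable trace in resolver logs: one host repeatedly resolving one name and receiving A answers that differ only in the third octet. The following detection heuristic is an added example written for this article, not code from Symantec's advisory; the log format, host names and addresses are constructed, and the assumption that the first, second and fourth octets stay fixed while the third varies is the detection author's, not a claim from the advisory.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample resolver log: timestamp, client, query name, record type, answer.
# The domain and addresses are placeholders, not indicators from the advisory.
SAMPLE_LOG = """\
2024-08-20T10:00:01 10.1.2.3 www.example.org A 93.184.216.34
2024-08-20T10:00:02 10.1.2.3 update.placeholder-c2.example TXT txt-data
2024-08-20T10:00:05 10.1.2.3 update.placeholder-c2.example A 203.0.113.5
2024-08-20T10:00:09 10.1.2.3 update.placeholder-c2.example A 203.0.7.5
2024-08-20T10:00:13 10.1.2.3 update.placeholder-c2.example A 203.0.42.5
2024-08-20T10:00:17 10.1.2.3 update.placeholder-c2.example A 203.0.99.5
2024-08-20T10:00:20 10.1.2.4 www.example.org A 93.184.216.34
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<qname>\S+) (?P<rtype>\S+) (?P<answer>\S+)$")


def parse_log(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def find_octet_switch_channels(text, min_answers=3):
    """Return (client, qname, third_octets) for each client/name pair whose
    distinct IPv4 A answers differ only in the third octet across at least
    min_answers lookups. Ordinary round-robin DNS usually varies the last
    octet, so this pattern is worth a closer look rather than an auto-block."""
    answers = defaultdict(list)
    for r in parse_log(text):
        if r["rtype"] != "A":
            continue
        try:
            ip = ip_address(r["answer"])
        except ValueError:
            continue  # non-IP answer text, e.g. a TXT payload
        if ip.version == 4:
            answers[(r["client"], r["qname"])].append(ip.packed)
    hits = []
    for (client, qname), ips in answers.items():
        distinct = sorted(set(ips))
        if len(distinct) < min_answers:
            continue
        ref = distinct[0]
        only_third_varies = all(ip[0] == ref[0] and ip[1] == ref[1] and ip[3] == ref[3] for ip in distinct)
        if only_third_varies:
            hits.append((client, qname, [ip[2] for ip in distinct]))
    return hits
```

Run over real resolver or passive-DNS exports after adapting LOG_RE to the local format; the returned third-octet list is what an analyst would compare against the command switch values documented in the advisory.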
The initial intrusion is believed to have occurred through the exploitation of a recent PHP vulnerability (CVE-2024-4577), which impacts all PHP versions installed on Windows. This flaw, a CGI argument injection vulnerability, can lead to remote code execution, making it a serious concern for administrators managing Windows-based web servers.
“Symantec has seen multiple threat actors scanning for vulnerable systems in recent weeks. To date, we have found no evidence allowing us to attribute this threat and the motive behind the attack remains unknown,” the company wrote.
To help defenders protect against this threat, the security firm has included a list of indicators of compromise (IOCs) in its latest advisory about Msupedge.