Threat actors have deployed a previously undocumented backdoor dubbed ‘Msupedge’ in an attack targeting an unnamed university in Taiwan, according to new findings from the Symantec Threat Hunter Team, part of Broadcom.
The attack stands out because of its use of DNS traffic for command-and-control (C&C) communication, which is not unheard of but rarely seen in the wild, Symantec said.
In the observed attack, the adversary has been exploiting a recently patched PHP vulnerability tracked as CVE-2024-4577. This is an OS command injection flaw that can be exploited for OS commands execution via specially crafted HTTP request.
Msupedge is a backdoor embedded within a dynamic link library (DLL) that allows attackers to maintain persistent access to the compromised systems. The backdoor uses DNS tunneling for communication with the C&C server.
The backdoor's DNS tunneling functionality is reportedly based on the publicly available dnscat2 tool, a popular utility among penetration testers and threat actors alike. Msupedge not only receives commands via DNS queries but also interprets the resolved IP address of the C&C server, ctl.msedeapi[.]net, as a command. This dual-purpose communication method allows attackers to conceal their activities within legitimate DNS traffic, significantly reducing the risk of detection by security solutions.
According to Symantec, multiple threat actors have been observed scanning for vulnerable systems in recent weeks, indicating that the exploitation of CVE-2024-4577 is becoming increasingly widespread. The attackers behind the Msupedge backdoor are believed to have used this vulnerability to gain initial access to the university's network.
Symantec said it has yet to attribute the threat actor behind the campaign due to lack of evidence that would allow to link the attack to a specific group or nation-state.