A new report out today from Symantec, a division of Broadcom Inc., is warning of a new sophisticated backdoor threat that has been spotted in the wild targeting a university in Taiwan.
Dubbed Backdoor.Msupedge, the backdoor uses an infrequently seen technique that involves communicating with a command-and-control service via DNS traffic. Though the technique has been used in the past by multiple actors, it’s not often seen.
Msupedge is a backdoor in the form of a dynamic link library and has been found installed in the following file paths:
• csidl_drive_fixed\xampp\wuplog.dll
• csidl_system\wbem\wmiclnt.dll
While wuplog.dll is loaded by Apache (httpd.exe), the parent process for wmiclnt.dll is unknown. Msupedge uses DNS tunneling for communication with the C&C server, with the code for the DNS tunneling tool based on the publicly available dnscat2 tool.
The backdoor and C&C communicate by performing name resolution. The results can include error notifications that include the success or failure of memory allocation, decompression of received commands, and execution of the commands. Msupedge is also noted as not only receiving commands via DNS traffic but also using the resolved IP address of the C&C server as a command.
In the case of the Taiwanese university, the attack vector was the exploitation of a recently patched PHP vulnerability that allows for a CGI argument injection flaw affecting all versions of PHP installed on Windows systems. Successful exploitation of the vulnerability can also lead to remote code execution.
The origin of the backdoor is unknown.
“Symantec has seen multiple threat actors scanning for vulnerable systems in recent weeks,” the report notes. “To date, we have found no evidence allowing us to attribute this threat and the motive behind the attack remains unknown.”