The new malware uses a non-standard method of communication.
As a result of a cyberattack on one of the universities in Taiwan, a previously unknown malicious program was identified, which was tentatively named Backdoor.Msupedge. The program is distinguished by a unique method of communication with the C2 server via DNS traffic. Symantec specialists spoke about their find in a report.
Backdoor.Msupedge is a backdoor executed as a dynamic library (DLL). The experts found the malware in two different directories on the attacked system: in the directory used by Apache and in the system folder, where the DLL is usually associated with WMI (Windows Management Instrumentation). The main task of the program is to receive commands from attackers through the domain name resolution process.
To communicate with the C&C server, Backdoor.Msupedge uses a DNS tunneling technique based on the publicly available dnscat2 tool, which allows attackers to transmit commands through domain name resolution. For example, when resolving a certain domain name, the program receives the IP address of the management server, which is used to execute commands on the infected system.
The program supports many different commands, including creating processes, downloading files, temporarily suspending work, and creating temporary files. At the same time, the execution of each command is accompanied by feedback, which includes information about memory allocation, decompression and success of tasks. This data is also transmitted to attackers through DNS queries, which makes it possible to hide the activity of the malicious program.
Particular attention should be paid to the mechanism by which the program's behavior changes depending on the values of individual octets of the IP address returned when the domain name is resolved. For example, in one scenario the third octet of the address, after certain mathematical operations, determines which command the backdoor will execute.
It is assumed that the initial phase of infection was carried out by exploiting a recently discovered vulnerability in PHP CVE-2024-4577 (CVSS score: 9.8). The RCE flaw occurred due to an error in the handling of CGI arguments on Windows systems. The bug primarily affects Windows in Chinese and Japanese. Although the vulnerability was recently fixed, many systems remain at risk, and numerous exploitation attempts have been recorded in recent weeks.
So far, researchers have not been able to establish who is behind the attack, and the attackers' motives are unclear. However, the use of such sophisticated communication and stealth techniques points to highly skilled developers behind Backdoor.Msupedge, making the threat particularly dangerous. Experts urge owners of vulnerable systems to update their software immediately and to pay special attention to unusual DNS traffic that may indicate the presence of a threat.
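The advice above to watch for "unusual DNS traffic" can be made concrete. The following is an added example written for this post, not code from Symantec's report or from the Msupedge sample: it scores resolver log lines per client and base domain for the traits DNS tunnels such as dnscat2-style channels tend to exhibit (many never-repeated subdomains, long high-entropy labels, a heavy share of record types that carry free-form answer data). The log format, the thresholds and the sample lines are all constructed assumptions; adapt the parser to whatever your resolver actually emits.

```python
"""
Heuristic DNS-tunnelling detector (added example; not part of the original
post or of any vendor tooling). Input: resolver log lines of the assumed form
"<unix_ts> <client_ip> <qname> <qtype>". Output: per (client, base domain)
indicators and a suspicious flag.
"""
import math
import re
from collections import defaultdict

# Constructed sample log: one benign client (10.0.0.5) and one client (10.0.0.7)
# sending encoded labels under a single base domain via TXT queries.
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.com A
1700000001 10.0.0.5 cdn.example.com A
1700000002 10.0.0.7 3a7f9c2e4b1d8a6f0e2c9b4d.example.net TXT
1700000003 10.0.0.7 9e1c4b7a2d5f8c3e6a0b1d4f.example.net TXT
1700000004 10.0.0.7 c5d2e8f1a4b7c0d3e6f9a2b5.example.net TXT
1700000005 10.0.0.7 7b4e1a9d2c6f3e8b5a0d1c4e.example.net TXT
1700000006 10.0.0.7 2f8a5c1e9b4d7a0c3e6f9b2d.example.net TXT
1700000007 10.0.0.5 mail.example.com MX
1700000008 10.0.0.7 e4b1d8a6f0c2e9b4d3a7f9c2.example.net TXT
1700000009 10.0.0.7 a0c3e6f9b2d7b4e1a9d2c6f3.example.net TXT
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")

# Record types whose answers can carry arbitrary data; treat as an assumption
# about what is rare in your own environment and tune accordingly.
DATA_CARRYING_TYPES = {"TXT", "NULL", "CNAME"}


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def base_domain(qname):
    """Approximate registered domain as the last two labels (assumption;
    use a public-suffix list in production)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname, qtype = m.groups()
        yield {"ts": int(ts), "client": client,
               "qname": qname.lower(), "qtype": qtype.upper()}


def score_flows(records, min_queries=5):
    """Group queries by (client, base domain) and compute tunnelling indicators."""
    flows = defaultdict(list)
    for r in records:
        flows[(r["client"], base_domain(r["qname"]))].append(r)

    results = {}
    for key, recs in flows.items():
        # Subdomain = everything in front of the base domain (dots removed).
        subs = [".".join(r["qname"].split(".")[:-2]).replace(".", "") for r in recs]
        n = len(recs)
        unique_ratio = len(set(subs)) / n
        avg_len = sum(len(s) for s in subs) / n
        avg_entropy = sum(shannon_entropy(s) for s in subs) / n
        odd_ratio = sum(r["qtype"] in DATA_CARRYING_TYPES for r in recs) / n

        indicators = []
        if n >= min_queries and unique_ratio > 0.9:
            indicators.append("unique_subdomains")   # labels never repeat: encoded data
        if avg_len >= 20:
            indicators.append("long_labels")         # much longer than typical hostnames
        if avg_entropy >= 3.5:
            indicators.append("high_entropy")        # hex/base32-like labels
        if odd_ratio >= 0.5:
            indicators.append("txt_heavy")           # answers carrying payloads

        results[key] = {
            "queries": n, "unique_ratio": unique_ratio,
            "avg_subdomain_len": avg_len, "avg_entropy": avg_entropy,
            "odd_type_ratio": odd_ratio, "indicators": indicators,
            "suspicious": len(indicators) >= 2,
        }
    return results


if __name__ == "__main__":
    for (client, dom), info in sorted(score_flows(parse_log(SAMPLE_LOG)).items()):
        flag = "SUSPICIOUS" if info["suspicious"] else "ok"
        print(f"{client:10} {dom:14} n={info['queries']:2} "
              f"ent={info['avg_entropy']:.2f} {flag} {info['indicators']}")
```

Requiring two independent indicators before raising an alert keeps ordinary CDN and anti-spam lookups (which can also produce long or odd-looking labels) from dominating the output; the per-base-domain grouping is what makes a single tunnel endpoint stand out even when each individual query looks harmless.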
From November 2023 to April 2024, Insikt Group researchers recorded a cyberespionage campaign aimed at Taiwanese government, academic, technological, and diplomatic organizations. According to experts, the RedJuliett cyber group, allegedly associated with China and operating from the city of Fuzhou, is behind these attacks.
Source