Backdoor.Msupedge: New Malware Hides in DNS Traffic

As a result of a cyberattack on a Taiwanese university, a previously unknown malware, tentatively named Backdoor.Msupedge, was uncovered. This program is distinguished by its unique method of communication with the C2 server via DNS traffic. Symantec specialists detailed their findings in a report.

Backdoor.Msupedge is a backdoor implemented as a dynamic-link library (DLL). Experts discovered the malware in two distinct directories on the compromised system: in a directory used by Apache, and in a system folder where the DLL typically interacts with Windows Management Instrumentation (WMI). The primary function of the program is to receive commands from attackers through the domain name resolution process.

For communication with the command server, Backdoor.Msupedge employs a DNS tunneling method based on the publicly available tool dnscat2, allowing attackers to transmit commands through domain name resolution. For instance, when a specific domain name is resolved, the program receives the IP address of the command server, which is then used to execute commands on the infected system.

The program supports a wide range of commands, including process creation, file downloads, temporary suspension of operations, and the creation of temporary files. Each command’s execution is accompanied by feedback, including information on memory allocation, decompression, and task completion success. This data is also transmitted to the attackers via DNS queries, effectively masking the malware’s activities.

Noteworthy is the mechanism that alters the program’s behavior based on the values of individual octets of the IP address returned during domain name resolution. For example, one possible scenario involves using the third octet of the address, which, after certain mathematical operations, determines the specific command the backdoor will execute.

It is believed that the initial phase of infection was carried out by exploiting a recently discovered vulnerability in PHP, CVE-2024-4577 (CVSS score: 9.8). The RCE flaw arose from an error in processing CGI arguments on Windows systems. The vulnerability primarily affects Windows systems configured in Chinese and Japanese languages. Despite the vulnerability being recently patched, many systems remain at risk, and numerous exploitation attempts have been recorded in recent weeks.

Researchers have not yet identified the perpetrators of the attack, nor have the motives of the attackers become clear. Nevertheless, the use of such a sophisticated communication and stealth technique points to the high skill level of the Backdoor.Msupedge developers, making this threat particularly dangerous. Experts urge owners of vulnerable systems to immediately update their software and pay special attention to unusual DNS traffic, which may indicate the presence of a threat.

Between November 2023 and April 2024, researchers from Insikt Group documented a cyber-espionage campaign targeting governmental, academic, technological, and diplomatic organizations in Taiwan. According to experts, the cyber group RedJuliett, presumably linked to China and operating out of Fuzhou, is behind these attacks.