A university in Taiwan has been attacked with a previously undocumented Windows backdoor that uses an unusual, but not entirely new, method of communicating with its operators.
Cybersecurity researchers from the Symantec Threat Hunter Team published their findings on Msupedge, a backdoor built as a dynamic link library (.DLL) whose most distinctive feature is that it talks to its command-and-control (C2) server over DNS traffic.
Msupedge grants its operators the ability to create processes on the target endpoint, download files, sleep for a predetermined time interval, create a temporary file (purpose unknown), and delete that file.
Missing key details
“The most notable feature of this backdoor is that it communicates with a command-and-control (C&C) server via DNS traffic,” the researchers said in their report. “Msupedge uses DNS tunneling for communication with the C&C server. The code for the DNS tunneling tool is based on the publicly available dnscat2 tool. It receives commands by performing name resolution.”
The researchers added that the technique is known and has been used by “multiple threat actors”, but that “it is nevertheless something that is not often seen.”
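To make the mechanism concrete, here is an added example (not Symantec's analysis code and not Msupedge itself) of how a dnscat2-style tunnel carries data outbound inside DNS query names and takes its instructions from the answers the operator's DNS server returns, followed by a heuristic that flags such traffic in a resolver's query log. The zone c2.example.test, the log line format, the mapping of the listed Msupedge capabilities onto an octet of the answer, and the sample queries are all constructed assumptions for illustration.

```python
"""Added example, not code from the Symantec report or from Msupedge itself:
a dnscat2-style DNS tunnel (client encoding, server decoding, commands taken
from the answer) plus a heuristic detector over DNS query logs. All names,
log lines and the command-to-octet mapping are constructed for illustration."""
import math
import re
from collections import defaultdict

MAX_LABEL = 63   # RFC 1035: one label is at most 63 octets
MAX_NAME = 253   # practical limit for a full domain name

def encode_query_names(data: bytes, parent: str, session_id: int) -> list[str]:
    """Client side: split `data` into hex labels under the attacker zone
    `parent`; each FQDN returned is one query the implant would resolve."""
    hex_data = data.hex()
    # whole 63-char labels that fit after a 4-hex-digit session label, rounded
    # down to an even number of hex digits so every name decodes on its own
    per_name = (MAX_NAME - len(parent) - 8) // (MAX_LABEL + 1) * MAX_LABEL
    per_name -= per_name % 2
    if per_name <= 0:
        raise ValueError("parent zone too long for tunnelling")
    names = []
    for i in range(0, len(hex_data), per_name):
        chunk = hex_data[i:i + per_name]
        labels = [chunk[j:j + MAX_LABEL] for j in range(0, len(chunk), MAX_LABEL)]
        names.append(f"{session_id:04x}.{'.'.join(labels)}.{parent}")
    return names

def decode_query_name(name: str, parent: str) -> tuple[int, bytes]:
    """Server side: the authoritative server for `parent` sees every query and
    recovers (session_id, payload) from the labels."""
    suffix = "." + parent
    if not name.endswith(suffix):
        raise ValueError("query is not under the tunnel zone")
    labels = name[:-len(suffix)].split(".")
    return int(labels[0], 16), bytes.fromhex("".join(labels[1:]))

# Capabilities the article lists for Msupedge. Selecting one via the third
# octet of the A-record answer is an ASSUMED scheme, not the malware's real one.
COMMANDS = {0: "sleep", 1: "create_process", 2: "download_file",
            3: "create_tempfile", 4: "delete_tempfile"}

def command_from_answer(answer_ip: str) -> str:
    """'Receives commands by performing name resolution': the operator's DNS
    server answers the query, and the answer itself carries the instruction."""
    octets = answer_ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {answer_ip!r}")
    return COMMANDS.get(int(octets[2]), "unknown")

# Detection side: what this traffic looks like in a resolver's query log.
LOG_RE = re.compile(r"client=(?P<client>\S+) qname=(?P<qname>\S+) qtype=(?P<qtype>\S+)")

def shannon_entropy(s: str) -> float:
    """Bits per character: hex payloads sit near 4.0, hostnames well below."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def split_zone(qname: str) -> tuple[str, str]:
    """Crude split on the last two labels; production code should consult a
    public-suffix list so that zones like co.uk are handled correctly."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def suspicious_zones(lines, min_unique=3, min_entropy=3.2, min_sub_len=40):
    """Zones with many distinct, long, high-entropy subdomains. The thresholds
    are starting points to tune against your own baseline, not ground truth."""
    per_zone = defaultdict(lambda: {"subs": set(), "ent": [], "len": []})
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        zone, sub = split_zone(m["qname"])
        st = per_zone[zone]
        st["subs"].add(sub)
        st["ent"].append(shannon_entropy(sub.replace(".", "")))
        st["len"].append(len(sub))
    flagged = []
    for zone, st in per_zone.items():
        n = len(st["ent"])
        if (len(st["subs"]) >= min_unique and sum(st["ent"]) / n >= min_entropy
                and sum(st["len"]) / n >= min_sub_len):
            flagged.append(zone)
    return sorted(flagged)

# Constructed sample log: three tunnel queries carrying 256 bytes, plus lookups
# an ordinary Windows host makes. The zone c2.example.test is hypothetical.
PARENT = "c2.example.test"
TUNNEL_QUERIES = encode_query_names(bytes(range(256)), PARENT, session_id=1)
BENIGN = ["www.example.com", "mail.example.com", "cdn-static.example.com",
          "time.windows.com", "ctldl.windowsupdate.com"]
SAMPLE_LOG = [f"2024-08-20T10:01:{i:02d}Z client=10.0.0.5 qname={q} qtype=A"
              for i, q in enumerate(TUNNEL_QUERIES + BENIGN)]
```

Running `suspicious_zones(SAMPLE_LOG)` flags only `example.test`: the tunnel needs three near-maximum-length, near-random names to move 256 bytes, while the benign lookups are short and repetitive. The point for defenders is that the commands never appear on the wire as anything but ordinary resolution, so per-zone volume, name length and entropy in resolver logs are the practical signals, and the thresholds above must be tuned against your own environment's baseline before they are trusted.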
We also don’t know exactly what the threat actors were looking for, or whether they found it. We do know that they breached the victim devices through a PHP vulnerability that allows remote code execution (RCE): CVE-2024-4577, an argument-injection flaw in PHP’s CGI mode on Windows, which carries a CVSS severity score of 9.8/10, making it a critical flaw. Fixes shipped in PHP 8.3.8, 8.2.20 and 8.1.29, so any Windows host still running PHP-CGI on an earlier release should be treated as exposed.
Other important details are still missing: it isn’t known who the threat actors behind the attack are, or who the victim is, other than that it is an unnamed university in Taiwan.
Given the current political climate, we can only speculate that this is the work of a Chinese state-sponsored group running cyber-espionage campaigns against academics. Volt Typhoon is one such group that has been observed running similar campaigns in the past.
Via TheHackerNews