New Backdoor Targeting Taiwan Employs Stealthy Communications

On August 20, 2024, Symantec released a security bulletin revealing a previously unseen backdoor, dubbed "Backdoor.Msupedge," that targets a university in Taiwan. 


Introduction

On August 20, 2024, Symantec released a security bulletin revealing a previously unseen backdoor, dubbed "Backdoor.Msupedge," that was found on systems at a university in Taiwan. The backdoor is notable for communicating with its command-and-control (C&C) server entirely over DNS traffic, a technique that is not commonly seen in attacks.

Symantec's threat intelligence team first discovered the attack during routine monitoring of university networks in Taiwan. Backdoor.Msupedge relies on DNS tunnelling: it smuggles data out in the labels of DNS queries and receives instructions in the DNS responses, so the only traffic between the infected host and the remote C&C server looks like ordinary name resolution.

Report Overview

Backdoor.Msupedge is a dynamic link library (DLL) that has been found installed at the following file paths on infected systems:

  • csidl_drive_fixed\xampp\wuplog.dll
  • csidl_system\wbem\wmiclnt.dll

While wuplog.dll is loaded by Apache (httpd.exe), the parent process for wmiclnt.dll remains unknown.

The backdoor communicates with its C&C server through DNS traffic, using code based on the publicly available dnscat2 tool. Outbound data is encoded into the names the backdoor resolves, and instructions come back through name resolution: the C&C domain is ctl.msedeapi[.]net, and the third octet of the IP address it resolves to acts as a switch that selects which command the backdoor executes. Arguments for commands that need them are delivered in DNS TXT records.

The specific commands supported by the backdoor, keyed by the value of that third octet, are:

  • 0x8a: Create a process; the command line is received via a DNS TXT record
  • 0x75: Download a file from a URL received via a DNS TXT record
  • 0x24: Sleep for a specified duration
  • 0x66: Sleep for a shorter duration
  • 0x38: Create a temporary file (purpose unknown)
  • 0x3c: Remove the created temporary file
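To make the channel described above concrete, here is an added reference model of the command dispatch. It is example code written for this article, not Symantec's analysis or the malware's code. The facts it encodes are the ones the bulletin gives: data leaves in the query name, the third octet of the A-record answer selects the command, and TXT records carry the argument for 0x8a and 0x75. The hex-label framing (dnscat2's default encoding), the 62-character label size, the handler names and the sample payloads are assumptions made for illustration.

```python
"""Reference model of Msupedge-style DNS command dispatch (added example, not the
malware's or Symantec's code). Facts from the bulletin: query names carry encoded
data (dnscat2-derived), the third octet of the C&C A-record answer selects the
command, and TXT records carry arguments for 0x8a/0x75. The hex label encoding,
label size and handler names are assumptions for illustration."""
import ipaddress
from typing import Optional

C2_DOMAIN = "ctl.msedeapi.net"   # defanged in the IoC table as ctl.msedeapi[.]net

# Command switch as reported: keyed by the third octet of the resolved address.
COMMANDS = {
    0x8a: "create_process",   # command line arrives in a DNS TXT record
    0x75: "download_file",    # URL arrives in a DNS TXT record
    0x24: "sleep_long",
    0x66: "sleep_short",
    0x38: "create_temp_file",
    0x3c: "remove_temp_file",
}


def encode_beacon(data: bytes, domain: str = C2_DOMAIN, label_len: int = 62) -> str:
    """Build a query name carrying `data` as hex labels (dnscat2's default framing;
    assumed here, the bulletin does not describe Msupedge's exact label layout)."""
    hexdata = data.hex()
    labels = [hexdata[i:i + label_len] for i in range(0, len(hexdata), label_len)]
    name = ".".join(labels + [domain])
    if len(name) > 253:           # DNS name length limit
        raise ValueError("encoded name exceeds DNS name length limit")
    return name


def decode_beacon(name: str, domain: str = C2_DOMAIN) -> bytes:
    """Inverse of encode_beacon: strip the C&C suffix and hex-decode the labels."""
    suffix = "." + domain
    if not name.endswith(suffix):
        raise ValueError("not a query for the C&C domain")
    return bytes.fromhex("".join(name[:-len(suffix)].split(".")))


def command_from_answer(answer_ip: str) -> Optional[str]:
    """Return the command selected by the third octet of the A-record answer."""
    third_octet = ipaddress.IPv4Address(answer_ip).packed[2]
    return COMMANDS.get(third_octet)


def handle_answer(answer_ip: str, txt_record: Optional[str] = None) -> dict:
    """Simulate one beacon round trip: the A answer selects the command and the
    TXT record (if any) supplies the argument for process creation or download."""
    cmd = command_from_answer(answer_ip)
    if cmd is None:
        return {"command": "unknown",
                "octet": ipaddress.IPv4Address(answer_ip).packed[2]}
    result = {"command": cmd}
    if cmd in ("create_process", "download_file"):
        result["argument"] = txt_record   # what the implant would run or fetch
    return result


if __name__ == "__main__":
    # Constructed sample beacon and answer; an analyst can feed a captured
    # A-record answer to command_from_answer() to see which branch it selects.
    print(encode_beacon(b"host=web01;uid=1"))
    print(handle_answer("10.0.138.1", txt_record="cmd.exe /c whoami"))
```

A resolver log that shows the C&C domain answering with, say, 10.0.138.1 (third octet 138 = 0x8a) therefore means a process-creation command was issued, and the accompanying TXT lookup is where the command line travelled.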

The initial infection vector is believed to be an exploit of a recently patched PHP vulnerability, CVE-2024-4577. This CGI argument injection flaw affects PHP running in CGI mode on Windows (fixed in PHP 8.3.8, 8.2.20 and 8.1.29) when the system uses certain code pages, and it can lead to remote code execution; the xampp install path of wuplog.dll is consistent with such a deployment, since XAMPP on Windows ships PHP-CGI under Apache. Although Symantec has detected multiple threat actors scanning for this vulnerability, attribution for this attack remains undetermined, and the motives behind it are currently unknown.

The implications of this attack are significant, particularly for institutions in Taiwan. The backdoor's stealthy nature and its use of DNS traffic for communication make it hard to detect and mitigate with controls that focus on HTTP(S). Organizations running vulnerable versions of PHP on Windows are particularly at risk.

Insights and Analysis

To mitigate the threat the backdoor poses, organizations are advised to apply the latest security patches for PHP, particularly those addressing CVE-2024-4577. Additionally, monitoring DNS traffic for unusual activity (long hex-looking subdomains, many distinct subdomains of one parent domain, TXT lookups from hosts that normally make none, and any lookups of the C&C domain listed below) and implementing robust endpoint protection can help detect and prevent such backdoor activity.
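The DNS-monitoring advice above can be turned into a first-pass detector. The following is an added example written for this article, not tooling from Symantec; it runs over a few constructed resolver log lines in an assumed "timestamp client qtype qname" format. It flags queries under the C&C domain from the IoC list, labels that look like dnscat2's hex-encoded data, high-entropy subdomains, and clients that query many distinct subdomains of one parent domain. The thresholds, the two-label approximation of a registrable domain, and the sample log are all assumptions.

```python
"""First-pass detector for dnscat2-style DNS tunnelling (added example, not
Symantec's tooling). Log format, thresholds and sample lines are assumptions."""
import math
import re
from collections import defaultdict

C2_DOMAINS = {"ctl.msedeapi.net"}        # from the IoC list (defanged there)
HEX_LABEL = re.compile(r"^[0-9a-f]{16,63}$")   # long hex-only label, as dnscat2 emits
ENTROPY_THRESHOLD = 3.5                   # bits per character; hex maxes out at 4.0
DISTINCT_SUBDOMAIN_THRESHOLD = 5          # distinct names per client per parent domain

# Constructed sample log: "<timestamp> <client_ip> <qtype> <qname>" (format assumed).
SAMPLE_LOG = """\
2024-08-20T10:00:01Z 10.1.1.20 A www.example.edu
2024-08-20T10:00:02Z 10.1.1.20 A 68656c6c6f20776f726c64.ctl.msedeapi.net
2024-08-20T10:00:03Z 10.1.1.20 TXT 0a1b2c3d4e5f60718293a4b5c6d7e8f9.ctl.msedeapi.net
2024-08-20T10:00:04Z 10.1.1.21 A mail.example.edu
2024-08-20T10:00:05Z 10.1.1.22 A a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6.tunnel.example.org
2024-08-20T10:00:06Z 10.1.1.22 A b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7.tunnel.example.org
2024-08-20T10:00:07Z 10.1.1.22 A c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8.tunnel.example.org
2024-08-20T10:00:08Z 10.1.1.22 A d4e5f6a7b8c9d0e1f2a3b4c5d6e7f809.tunnel.example.org
2024-08-20T10:00:09Z 10.1.1.22 A e5f6a7b8c9d0e1f2a3b4c5d6e7f8091a.tunnel.example.org
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def registrable_domain(qname: str) -> str:
    """Approximate the registrable domain as the last two labels (no public-suffix list offline)."""
    return ".".join(qname.split(".")[-2:])


def under_domain(qname: str, domain: str) -> bool:
    return qname == domain or qname.endswith("." + domain)


def line_reasons(qname: str) -> list:
    """Per-query heuristics; an empty list means the name looks benign."""
    reasons = []
    if any(under_domain(qname, d) for d in C2_DOMAINS):
        reasons.append("query under known C&C domain")
    data_labels = qname.split(".")[:-2]          # everything left of the registrable domain
    if any(HEX_LABEL.match(label) for label in data_labels):
        reasons.append("long hex-only label (dnscat2-style encoding)")
    if shannon_entropy("".join(data_labels)) > ENTROPY_THRESHOLD:
        reasons.append("high-entropy subdomain")
    return reasons


def analyze(log_text: str) -> list:
    """Return one alert dict per suspicious query, plus one per client/parent-domain
    pair that exceeded the distinct-subdomain threshold."""
    alerts = []
    seen = defaultdict(set)                      # (client, parent domain) -> distinct names
    for line in log_text.strip().splitlines():
        ts, client, qtype, qname = line.split()
        qname = qname.lower().rstrip(".")
        seen[(client, registrable_domain(qname))].add(qname)
        reasons = line_reasons(qname)
        if reasons:
            alerts.append({"ts": ts, "client": client, "qtype": qtype,
                           "qname": qname, "reasons": reasons})
    for (client, parent), names in seen.items():
        if len(names) >= DISTINCT_SUBDOMAIN_THRESHOLD:
            alerts.append({"client": client, "qname": parent,
                           "reasons": [f"{len(names)} distinct subdomains queried"]})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The C&C-domain match is the only high-confidence rule; the hex-label and entropy rules will also fire on legitimate CDN, anti-spam and telemetry lookups, so in production they belong in a scoring layer with an allowlist rather than as stand-alone alerts.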

Symantec has provided protection updates to address this threat, and users are encouraged to visit the Symantec Protection Bulletin for the latest details.

Indicators of Compromise (IoCs)

Indicator                                                        | Type      | Description
-----------------------------------------------------------------|-----------|------------------------------------------------
e08dc1c3987d17451a3e86c04ed322a9424582e2f2cb6352c892b7e0645eda43 | File hash | Backdoor.Msupedge
f5937d38353ed431dc8a5eb32c119ab575114a10c24567f0c864cb2ef47f9f36 | File hash | Backdoor.Msupedge
a89ebe7d1af3513d146a831b6fa4a465c8edeafea5d7980eb5448a94a4e34480 | File hash | Web shell used in the attack
ctl.msedeapi[.]net                                               | Domain    | Command-and-control (C&C) server domain

MITRE ATT&CK Framework

Tactic              | Technique                              | ID        | Description
--------------------|----------------------------------------|-----------|------------------------------------------------------------------
Initial Access      | Exploit Public-Facing Application      | T1190     | Initial intrusion likely exploited CVE-2024-4577 in PHP-CGI on Windows
Persistence         | Server Software Component: Web Shell   | T1505.003 | A web shell was used in the attack; the backdoor DLL wuplog.dll is loaded by Apache (httpd.exe)
Execution           | Command and Scripting Interpreter      | T1059     | The backdoor creates processes from command lines received in DNS TXT records
Command and Control | Application Layer Protocol: DNS        | T1071.004 | Backdoor.Msupedge tunnels its C&C channel over DNS using dnscat2-based code

References

  • Symantec, "New Backdoor Targeting Taiwan Employs Stealthy Communications" (Protection Bulletin, August 20, 2024): previously unseen backdoor communicates with its command-and-control server using DNS traffic.
  • NVD, CVE-2024-4577.