UPDATED 06:00 EST / AUGUST 20 2024

SECURITY

Symantec warns of new sophisticated backdoor exploiting patched PHP vulnerability

A new report out today from Symantec, a division of Broadcom Inc., is warning of a new sophisticated backdoor threat that has been spotted in the wild targeting a university in Taiwan.

Dubbed Backdoor.Msupedge, the backdoor uses an infrequently seen technique that involves communicating with a command-and-control service via DNS traffic. Though the technique has been used in the past by multiple actors, it’s not often seen.

Msupedge is a backdoor in the form of a dynamic link library and has been found installed in the following file paths:

• csidl_drive_fixed\xampp\wuplog.dll
• csidl_system\wbem\wmiclnt.dll

While wuplog.dll is loaded by Apache (httpd.exe), the parent process for wmiclnt.dll is unknown. Msupedge uses DNS tunneling for communication with the C&C server, with the code for the DNS tunneling tool based on the publicly available dnscat2 tool.

The backdoor and C&C communicate by performing name resolution. The results can include error notifications that include the success or failure of memory allocation, decompression of received commands, and execution of the commands. Msupedge is also noted as not only receiving commands via DNS traffic but also using the resolved IP address of the C&C server as a command.

In the case of the Taiwanese university, the attack vector was the exploitation of a recently patched PHP vulnerability that allows for a CGI argument injection flaw affecting all versions of PHP installed on Windows systems. Successful exploitation of the vulnerability can also lead to remote code execution.

The origin of the backdoor is unknown.

“Symantec has seen multiple threat actors scanning for vulnerable systems in recent weeks,” the report notes. “To date, we have found no evidence allowing us to attribute this threat and the motive behind the attack remains unknown.”

Image: SiliconANGLE/Ideogram

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU