Discover the critical Msupedge backdoor targeting Taiwan, using DNS tunneling for covert C&C communication. Learn how this exploit exposes new cybersecurity risks

Continue reading
A previously unseen backdoor, dubbed Msupedge, has been identified targeting a university in Taiwan. This malicious tool leverages a sophisticated and infrequently used method of communication, utilizing DNS traffic to establish a covert channel with its Command-and-Control (C&C) server. The emergence of this backdoor is particularly concerning, as it underscores the persistent evolution of cyber threats exploiting newly discovered vulnerabilities to infiltrate systems.
This Threatfeed aims to provide an in-depth analysis of the Msupedge backdoor, its infection vector, methods of communication, operational commands, and potential mitigation strategies. We will also delve into the specific vulnerabilities exploited by threat actors, with a focus on the recently patched PHP remote code execution flaw (CVE-2024-4577).
Msupedge is a sophisticated backdoor implemented as a dynamic link library (DLL). It was discovered during an investigation into a cyberattack against a Taiwanese university. The backdoor's distinguishing characteristic is its use of DNS tunneling for C&C communication—a method not frequently observed in the wild, despite being known in cybersecurity circles.
The backdoor has been installed in the following file paths on the compromised systems:
The wuplog.dll is loaded by the Apache HTTP server process (httpd.exe), while the parent process for wmiclnt.dll remains unidentified.
The most notable feature of Msupedge is its use of DNS tunneling to communicate with its C&C server. DNS tunneling allows data to be encapsulated within DNS queries and responses, enabling covert communication channels that are difficult to detect. The backdoor's DNS tunneling capability is based on the open-source dnscat2 tool, which is publicly available and has been utilized by various threat actors in the past.
Msupedge receives commands from its C&C server by performing DNS name resolution. The hostnames that are resolved are structured to convey specific instructions, and the results of command executions are encoded into the DNS responses. This method allows the backdoor to perform various malicious actions while remaining under the radar.
The backdoor also uses the resolved IP address of the C&C server (ctl.msedeapi[.]net) as a command input. Specifically, the third octet of the resolved IP address plays a critical role in determining the behavior of the backdoor. The value of this octet, minus seven, dictates the specific action the backdoor will take. For example, if the third octet is 145, it translates to 138 (0x8a in hexadecimal), triggering a particular command.
Msupedge supports multiple commands, which are executed based on the DNS responses received from the C&C server. The following is a breakdown of the commands supported by the backdoor:
These commands demonstrate the flexibility and control Msupedge grants its operators, enabling them to execute a range of malicious activities on compromised systems.
The initial intrusion leading to the deployment of Msupedge is believed to have been facilitated through the exploitation of a recently patched PHP vulnerability—CVE-2024-4577. This critical flaw is a CGI argument injection vulnerability affecting all versions of PHP installed on Windows systems running in CGI mode.
CVE-2024-4577 bypasses protections previously implemented by the PHP team for CVE-2012-1823, which was exploited in historical malware attacks targeting Linux and Windows servers. Successful exploitation of this flaw allows unauthenticated attackers to execute arbitrary code on the affected systems, leading to full system compromise.
Symantec’s Threat Hunter Team, who discovered the Msupedge backdoor, observed that the initial compromise likely occurred shortly after the release of patches for CVE-2024-4577. The vulnerability quickly garnered attention from multiple threat actors, who began scanning for vulnerable systems. Notably, the TellYouThePass ransomware gang started exploiting this flaw less than 48 hours after patches were released, highlighting the speed at which attackers can capitalize on newly disclosed vulnerabilities.
To protect against Msupedge and similar threats, it is crucial to monitor for specific Indicators of Compromise (IOCs). Symantec Endpoint products are equipped to detect and block malicious files associated with this backdoor. Some of the key IOCs include:
Given the sophisticated nature of Msupedge and its stealthy communication techniques, it is essential to implement robust security measures. Organizations should ensure that all systems are patched promptly, particularly those running PHP in CGI mode. Regularly updating antivirus and endpoint protection software is also critical to detecting and mitigating such threats.
Furthermore, network traffic should be closely monitored for unusual DNS queries, which may indicate the presence of DNS tunneling activities. Implementing DNS filtering and blocking known malicious domains can also help prevent communication with C&C servers.
The discovery of the Msupedge backdoor highlights the ever-evolving tactics employed by cybercriminals to infiltrate systems and maintain persistence. By exploiting the CVE-2024-4577 vulnerability, attackers were able to deploy a highly sophisticated backdoor capable of executing a wide range of commands via DNS traffic.
To defend against such threats, it is imperative for organizations to stay vigilant, promptly apply security patches, and employ comprehensive monitoring solutions. As cyber threats continue to evolve, so too must the strategies and technologies we use to combat them.

A single ClickFix infrastructure is pushing StealC, Amatera, Remus, NetSupport, CastleLoader and a new loader called ResiLoader through fake Google/Cloudflare checks.