A new backdoor called Msupedge has been identified in a cyber attack targeting a university in Taiwan.
According to the Symantec Threat Hunter Team, the backdoor is notable for using DNS traffic to communicate with a command-and-control (C&C) server. The origins of the backdoor and the motives behind the attack remain unknown.
The attack is believed to have exploited a critical PHP vulnerability (CVE-2024-4577) to gain initial access for deploying Msupedge, which is a DLL installed in specific paths on the system.
Msupedge relies on DNS tunneling for communication with the C&C server, with code inspired by the open-source tool dnscat2.
The backdoor receives its commands over DNS traffic: the IP address to which the C&C server's name resolves is what determines the command it executes.
Commands supported by Msupedge include creating processes, downloading files, sleeping for intervals, creating temporary files, and deleting files.
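Defenders watching for a dnscat2-style tunnel like the one described above have a practical signal: one client sending many distinct, long, high-entropy subdomain labels to a single parent domain. The following is an added detection example, not code from Symantec's report or from Msupedge; the log format, the `tunnel-test.invalid` domain and the thresholds are all constructed assumptions.

```python
import math
from collections import defaultdict

# Constructed sample resolver log, one query per line: "time client qname".
# Client 10.0.0.7 sends hex-looking 24-character labels under one domain,
# the shape of data encoded into query names by DNS tunnels.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 www.example.com
10:00:02 10.0.0.5 cdn.example.com
10:00:03 10.0.0.7 a3f9c2e17b4d5e6f0a1b2c3d.tunnel-test.invalid
10:00:04 10.0.0.7 9e8d7c6b5a4f3e2d1c0b9a8f.tunnel-test.invalid
10:00:05 10.0.0.7 0b1c2d3e4f5a6b7c8d9e0f1a.tunnel-test.invalid
10:00:06 10.0.0.7 f1e2d3c4b5a6978877665544.tunnel-test.invalid
10:00:07 10.0.0.9 mail.example.com
"""

def shannon_entropy(s):
    """Bits of entropy per character; encoded payload labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_qname(qname, levels=2):
    """Return (subdomain labels, parent domain) for a query name."""
    parts = qname.rstrip(".").split(".")
    return parts[:-levels], ".".join(parts[-levels:])

def find_tunnel_candidates(log_text, min_unique=4, min_entropy=3.0, min_label_len=16):
    """Flag (client, parent domain, label count) triples where a client sent at
    least min_unique distinct leftmost labels that are long and high-entropy."""
    seen = defaultdict(lambda: defaultdict(set))  # domain -> client -> labels
    for line in log_text.strip().splitlines():
        _, client, qname = line.split()
        labels, parent = split_qname(qname)
        if not labels:
            continue  # bare second-level name, nothing encoded
        first = labels[0]
        if len(first) >= min_label_len and shannon_entropy(first) >= min_entropy:
            seen[parent][client].add(first)
    alerts = []
    for parent, clients in seen.items():
        for client, labels in clients.items():
            if len(labels) >= min_unique:
                alerts.append((client, parent, len(labels)))
    return sorted(alerts)

if __name__ == "__main__":
    for client, parent, count in find_tunnel_candidates(SAMPLE_LOG):
        print(f"possible DNS tunnel: {client} -> {parent} ({count} unique labels)")
```

Thresholds need tuning per environment, since CDNs and some telemetry services legitimately generate long random labels; the alert is a lead for triage, not a verdict.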
Additionally, a threat group known as UTG-Q-010 has been linked to a phishing campaign distributing the Pupy RAT malware.
The campaign involves the use of malicious .lnk files with embedded DLL loaders to deploy the Pupy RAT payload.