Taiwan University Under Fire From Unique DLL Backdoor
It's unclear who the "Msupedge" threat actors were or what the motive for the attack was.
A never-before-seen backdoor, dubbed Msupedge, is targeting victims in Taiwan, using a unique communications technique.
After Symantec researchers caught the malware being deployed in an attack on a Taiwan university, they determined that it communicates with its command-and-control (C2) server via DNS traffic, a known but infrequently seen technique, according to a Symantec blog post this week.
The backdoor comes in the form of a dynamic link library (DLL), which is installed in two file paths:
csidl_drive_fixed\xampp\wuplog.dll
csidl_system\wbem\wmiclnt.dll
The backdoor then waits to receive commands via DNS traffic, and uses the resolved IP address of the C2 server as an initial command.
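DNS-based C2 is hard to block outright because DNS must be allowed, but it tends to leave a statistical footprint in resolver logs. The following is an added illustration, not code from the article or from Symantec, of the kind of heuristic a defender can run over DNS query logs: per registered domain it measures query volume, the share of never-repeated subdomains, and the entropy of the leftmost label, which together separate ordinary web traffic from lookups that carry encoded data. The log format, the sample lines and the `example-c2.test` domain are constructed for the example; the thresholds are starting points to tune, and the two-label "registered domain" rule is a simplification of what the public suffix list would give you.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log (not from the article): "timestamp client qname qtype".
# The last five lines imitate what tunnelled traffic looks like: many one-off,
# high-entropy labels under a single parent domain.
SAMPLE_LOG = """\
2024-08-19T10:00:01 10.0.0.5 www.example.com A
2024-08-19T10:00:02 10.0.0.5 cdn.example.com A
2024-08-19T10:00:03 10.0.0.7 mail.example.org MX
2024-08-19T10:00:04 10.0.0.9 4a7f91c2e0b35d.ctl.example-c2.test TXT
2024-08-19T10:00:05 10.0.0.9 9e2b0c8d1f4a76.ctl.example-c2.test TXT
2024-08-19T10:00:06 10.0.0.9 c13d5e7a9b2f04.ctl.example-c2.test TXT
2024-08-19T10:00:07 10.0.0.9 0f8e6d4c2b1a39.ctl.example-c2.test A
2024-08-19T10:00:08 10.0.0.9 7b5a3c1e9d8f26.ctl.example-c2.test A
2024-08-19T10:00:09 10.0.0.5 login.example.com A
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking labels score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname: str) -> str:
    """Simplified: last two labels. Real tooling should use the public suffix list."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def parse_line(line: str):
    """Return (client, qname, qtype) or None for blank/malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _ts, client, qname, qtype = parts
    return client, qname.lower(), qtype.upper()


def analyze(log_text: str, min_queries: int = 4,
            entropy_threshold: float = 3.0, unique_ratio: float = 0.8):
    """Flag parent domains whose queries look like encoded data rather than hostnames."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                 "entropy_sum": 0.0, "max_len": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _client, qname, _qtype = rec
        dom = registered_domain(qname)
        sub = qname[: -len(dom) - 1] if len(qname) > len(dom) else ""
        leftmost = sub.split(".")[0] if sub else ""
        s = stats[dom]
        s["queries"] += 1
        s["subdomains"].add(sub)
        s["entropy_sum"] += shannon_entropy(leftmost)
        s["max_len"] = max(s["max_len"], len(qname))

    findings = []
    for dom, s in stats.items():
        if s["queries"] < min_queries:
            continue
        avg_entropy = s["entropy_sum"] / s["queries"]
        ratio = len(s["subdomains"]) / s["queries"]
        if avg_entropy >= entropy_threshold and ratio >= unique_ratio:
            findings.append({
                "domain": dom,
                "queries": s["queries"],
                "unique_subdomains": len(s["subdomains"]),
                "avg_label_entropy": round(avg_entropy, 2),
                "max_qname_len": s["max_len"],
            })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

On the constructed sample the only domain flagged is `example-c2.test`: five queries, five distinct subdomains, average leftmost-label entropy of about 3.81 bits. Ordinary domains like `example.com` stay below the volume floor or have repeating, low-entropy labels. In production, run this per client as well as per domain, since a single infected host generating the traffic (as in the university case described above) is itself a useful pivot for investigation.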
The researchers believe the initial intrusion possibly came through exploitation of a recently patched PHP vulnerability, CVE-2024-4577. The bug is a CGI argument injection flaw that affects all versions of PHP installed in unpatched Windows instances. Successful exploitation can lead to remote code execution (RCE).
The researchers reported that they have recently discovered several threat actors scanning for vulnerable systems, but "have found no evidence allowing us to attribute [Msupedge], and the motive behind the attack remains unknown."