August 20, 2024 By Sergiu Gatlan
Unknown attackers have deployed a newly discovered backdoor dubbed Msupedge on a university's Windows systems in Taiwan, likely by exploiting a recently patched PHP remote code execution vulnerability (CVE-2024-4577).
CVE-2024-4577 is a critical PHP-CGI argument injection flaw patched in June that impacts PHP installations running on Windows systems with PHP running in CGI mode. It allows unauthenticated attackers to execute arbitrary code and leads to complete system compromise following successful exploitation.
The threat actors dropped the malware as two dynamic link libraries (weblog.dll and wmiclnt.dll), the former loaded by the httpd.exe Apache process.
Msupedge's most noteworthy feature is the use of DNS traffic to communicate with the command-and-control (C&C) server. While many threat groups have adopted this technique in the past, it's not commonly observed in the wild.