Unknown attackers have deployed a newly discovered backdoor dubbed Msupedge on a university's Windows systems in Taiwan, likely by exploiting a recently patched PHP remote code execution vulnerability (CVE-2024-4577).
CVE-2024-4577 is a critical PHP-CGI argument injection flaw patched in June that affects PHP installations running on Windows systems with PHP in CGI mode. It allows unauthenticated attackers to execute arbitrary code and leads to complete system compromise following successful exploitation.
The threat actors dropped the malware as two dynamic link libraries (weblog.dll and wmiclnt.dll), the former loaded by the httpd.exe Apache process.
Msupedge's most noteworthy feature is its use of DNS traffic to communicate with the command-and-control (C&C) server. While many threat groups have adopted this technique in the past, it is not commonly observed in the wild.
It leverages DNS tunneling (a feature implemented on the basis of the open-source dnscat2 tool), which allows data to be encapsulated within DNS queries and responses so that the backdoor can receive commands from its C&C server.
The attackers can use Msupedge to execute various commands, which are triggered based on the third octet of the resolved IP address of the C&C server. The backdoor also supports multiple commands, including creating processes, downloading files, and managing temporary files.
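As an added example (not code from the article, Symantec, or the dnscat2 project), the following Python script shows the kind of heuristic a defender can run over a resolver query log to surface DNS-tunnel traffic like that described above: tunnels push data out in subdomain labels, so the affected domain shows long, high-entropy, mostly unique subdomains and a high query count. The log format, the sample lines, the thresholds and the "last two labels" approximation of the registered domain are all assumptions of this example, not details from the page.

```python
import math
import re
from collections import defaultdict

# Constructed sample DNS query log (not from the article, Symantec, or any real capture).
# Each line: "<timestamp> <client_ip> <qtype> <qname>"
SAMPLE_LOG = """\
2024-08-20T10:00:01Z 10.0.0.5 A www.example.com
2024-08-20T10:00:02Z 10.0.0.5 A mail.example.com
2024-08-20T10:00:03Z 10.0.0.5 A www.example.com
2024-08-20T10:00:04Z 10.0.0.5 AAAA api.example.com
2024-08-20T10:00:05Z 10.0.0.5 A www.example.com
2024-08-20T10:00:06Z 10.0.0.5 A cdn.example.com
2024-08-20T10:00:07Z 10.0.0.9 A static.example.net
2024-08-20T10:00:08Z 10.0.0.9 A img.example.net
2024-08-20T10:00:09Z 10.0.0.7 TXT 0123456789abcdef.fedcba9876543210.tunnel-example.test
2024-08-20T10:00:10Z 10.0.0.7 TXT 13579bdf02468ace.eca86420fdb97531.tunnel-example.test
2024-08-20T10:00:11Z 10.0.0.7 TXT 02468ace13579bdf.fdb97531eca86420.tunnel-example.test
2024-08-20T10:00:12Z 10.0.0.7 A 3210fedcba987654.4567890abcdef123.tunnel-example.test
2024-08-20T10:00:13Z 10.0.0.7 A 89abcdef01234567.76543210fedcba98.tunnel-example.test
2024-08-20T10:00:14Z 10.0.0.7 TXT a1b2c3d4e5f60789.9870f6e5d4c3b2a1.tunnel-example.test
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Split a query name into (subdomain, registered_domain).
    Assumption: the registered domain is the last two labels; a production
    detector would consult the Public Suffix List instead."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(log_text):
    """Yield (client_ip, qtype, qname) for each well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(2), m.group(3).upper(), m.group(4)


def domain_stats(log_text):
    """Aggregate, per registered domain, the features that DNS tunnels tend to inflate."""
    buckets = defaultdict(lambda: {"queries": 0, "subs": set(), "len_sum": 0,
                                   "ent_sum": 0.0, "txt_like": 0})
    for _ip, qtype, qname in parse_log(log_text):
        sub, domain = split_name(qname)
        b = buckets[domain]
        b["queries"] += 1
        b["subs"].add(sub)
        b["len_sum"] += len(sub)
        b["ent_sum"] += shannon_entropy(sub.replace(".", ""))
        # Record types that carry larger or free-form answers are popular with tunnels.
        if qtype in ("TXT", "NULL", "CNAME", "MX"):
            b["txt_like"] += 1
    stats = {}
    for domain, b in buckets.items():
        n = b["queries"]
        stats[domain] = {
            "queries": n,
            "unique_ratio": len(b["subs"]) / n,
            "mean_sub_len": b["len_sum"] / n,
            "mean_entropy": b["ent_sum"] / n,
            "txt_like_ratio": b["txt_like"] / n,
        }
    return stats


def flag_tunnel_candidates(log_text, min_queries=5, min_mean_len=24,
                           min_unique_ratio=0.8, min_entropy=3.0):
    """Return {domain: [reasons]} for domains whose query pattern matches a tunnel.
    Thresholds are illustrative assumptions and must be tuned per environment."""
    flagged = {}
    for domain, s in domain_stats(log_text).items():
        if s["queries"] < min_queries:
            continue  # too little traffic to judge
        reasons = []
        if s["mean_sub_len"] >= min_mean_len:
            reasons.append(f"long subdomains (mean {s['mean_sub_len']:.1f} chars)")
        if s["unique_ratio"] >= min_unique_ratio:
            reasons.append(f"mostly unique subdomains ({s['unique_ratio']:.0%})")
        if s["mean_entropy"] >= min_entropy:
            reasons.append(f"high-entropy labels ({s['mean_entropy']:.2f} bits/char)")
        if len(reasons) == 3:  # all three core indicators must agree
            if s["txt_like_ratio"] > 0:
                reasons.append(f"TXT/NULL/CNAME/MX queries ({s['txt_like_ratio']:.0%})")
            flagged[domain] = reasons
    return flagged


if __name__ == "__main__":
    for domain, reasons in flag_tunnel_candidates(SAMPLE_LOG).items():
        print(f"{domain}: " + "; ".join(reasons))
```

Run against the constructed log, only `tunnel-example.test` is flagged; `example.com` has repetitive, short, low-entropy labels and `example.net` falls below the query floor. Because the article notes that Msupedge takes its command from the third octet of the resolved C&C address, a real deployment should also retain the A-record answers in the log, so that an analyst can review the returned addresses for a flagged domain rather than only the query names.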
PHP RCE flaw exploitation
Symantec's Threat Hunter Team, which investigated the incident and spotted the new malware, believes the attackers gained access to the compromised systems by exploiting the CVE-2024-4577 vulnerability.
This security flaw bypasses protections implemented by the PHP team for CVE-2012-1823, a vulnerability that was exploited in malware attacks years after its remediation to target Linux and Windows servers with RubyMiner malware.
"The initial intrusion was likely through the exploit of a recently patched PHP vulnerability (CVE-2024-4577)," said Symantec's Threat Hunter Team.
"Symantec has seen multiple threat actors scanning for vulnerable systems in recent weeks. To date, we have found no evidence allowing us to attribute this threat and the motive behind the attack remains unknown."
On Friday, a day after the PHP maintainers released CVE-2024-4577 patches, WatchTowr Labs released proof-of-concept (PoC) exploit code. The same day, the Shadowserver Foundation reported observing exploitation attempts against its honeypots.
One day later, less than 48 hours after the patches were released, the TellYouThePass ransomware gang also started exploiting the vulnerability to deploy webshells and encrypt victims' systems.