
Msupedge (Backdoor) – Malware

February 14, 2025

Msupedge

Type of Malware: Backdoor
Targeted Countries: Taiwan
Date of Initial Activity: 2024
Motivation: Cyberwarfare
Attack Vectors: Software Vulnerabilities
Targeted Systems: Windows

Overview

Attackers keep developing techniques to slip past traditional security controls, and Msupedge is a recent example. It is a previously unseen backdoor that was used against a university in Taiwan. Detected as Backdoor.Msupedge, it relies on an uncommon communication method, DNS tunneling, to maintain a covert channel between compromised systems and its command-and-control (C&C) server. DNS tunneling itself is not new, but its use as the backdoor's C&C channel is a notable step in how attackers hide their operations from conventional detection systems.

Targets: Information

How they operate

The infection vector is believed to be the recently patched PHP vulnerability CVE-2024-4577, a CGI argument injection flaw affecting all versions of PHP on Windows. The flaw allows remote code execution and gives the attackers their initial foothold. After the initial compromise, Msupedge installs itself as a DLL in a location that blends in with legitimate software, such as csidl_drive_fixed\xampp\wuplog.dll or csidl_system\wbem\wmiclnt.dll. These directories normally hold legitimate application and system files, so placing the backdoor there lets it run under the guise of normal operations and draw less suspicion.

Once in place, Msupedge uses DNS tunneling to reach its C&C server. Because outbound DNS is almost always permitted, this channel passes firewalls and intrusion detection systems (IDS) that would block more typical C&C protocols. The backdoor encodes commands and data into the hostnames of its DNS requests, using a tool based on the publicly available dnscat2. The resulting queries mimic standard DNS lookups, which makes it difficult for network monitoring to separate legitimate from malicious traffic.

The command channel is driven by the resolved addresses. Msupedge sends DNS queries and treats the third octet of the IP address returned as a control value: each octet value selects a specific action, such as creating a process, downloading a file, or entering a sleep cycle that delays further execution. For example, a third octet value of 145 maps to the command code 0x8a, which instructs the malware to create a new process. Sleep commands triggered by particular queries let the backdoor stay quiet for extended periods while keeping control of the infected machine.

Msupedge supports a range of commands, including downloading files, creating specific temporary files in system directories, and removing the files it generates. Commands are received through DNS TXT records, and each one is executed only after being validated against the resolved DNS query. The malware can manipulate the system's temporary files and execute payloads according to the instructions it receives from the C&C server, which makes it both adaptable and persistent. Its behavior changes depending on the resolved DNS query, a modular design that is also an effective evasion tactic against static detection.

In terms of mitigation, the stealthiness of Msupedge shows why blocking known-malicious traffic alone is not sufficient: DNS tunneling lets the backdoor hide among ordinary DNS traffic. Network administrators should deploy DNS traffic analysis tools capable of identifying unusual patterns or high volumes of DNS requests, and should patch vulnerabilities such as CVE-2024-4577 promptly to prevent the initial exploitation. For organizations, particularly in the academic and research sectors, combining endpoint detection and response (EDR) with network monitoring for DNS anomalies is key to identifying and mitigating backdoor threats like Msupedge.
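One way to put the DNS traffic analysis recommended above into practice, as an added example that is not code from the page or from the vendor report it summarizes: a small heuristic scorer over constructed resolver log lines that flags domains receiving many distinct, long, high-entropy leftmost labels or a high share of TXT lookups, which is the shape of dnscat2-style tunneling. The log format, the sample lines and the thresholds are assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log (not from the page): "time client qtype qname"
SAMPLE_LOG = """\
10:00:01 10.1.2.3 A    www.update-example.com
10:00:02 10.1.2.3 A    www.update-example.com
10:00:03 10.1.2.3 A    www.update-example.com
10:00:04 10.1.2.3 A    www.update-example.com
10:00:05 10.1.2.3 TXT  0123456789abcdeffedcba9876543210.ctl.c2-example.test
10:00:06 10.1.2.3 A    13579bdf02468aceace02468bdf13579.ctl.c2-example.test
10:00:07 10.1.2.3 TXT  f0e1d2c3b4a5968778695a4b3c2d1e0f.ctl.c2-example.test
10:00:08 10.1.2.3 TXT  0f1e2d3c4b5a69788796a5b4c3d2e1f0.ctl.c2-example.test
"""

def shannon_entropy(s):
    """Bits per character; hex-encoded payload data approaches 4.0."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def domain_stats(log_text):
    """Aggregate per registered domain (approximated here as the last two labels)."""
    stats = defaultdict(lambda: {"queries": 0, "txt": 0, "names": set(), "len": [], "ent": []})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        qtype, labels = parts[2], parts[3].lower().rstrip(".").split(".")
        if len(labels) < 2:
            continue
        data_label = labels[0] if len(labels) > 2 else ""  # leftmost label carries tunneled data
        s = stats[".".join(labels[-2:])]
        s["queries"] += 1
        s["txt"] += qtype == "TXT"
        s["names"].add(".".join(labels))
        s["len"].append(len(data_label))
        s["ent"].append(shannon_entropy(data_label))
    return stats

def suspicious_domains(log_text, min_queries=4, min_len=20, min_entropy=3.0):
    """Flag domains whose leftmost labels look like encoded payloads (long,
    high-entropy, rarely repeated) or whose lookups are mostly TXT records."""
    flagged = []
    for domain, s in domain_stats(log_text).items():
        if s["queries"] < min_queries:
            continue  # too little traffic to judge
        mean_len = sum(s["len"]) / s["queries"]
        mean_ent = sum(s["ent"]) / s["queries"]
        encoded = mean_len >= min_len and mean_ent >= min_entropy and len(s["names"]) > s["queries"] / 2
        if encoded or s["txt"] >= s["queries"] / 2:
            flagged.append(domain)
    return sorted(flagged)
```

The repeated lookups of www.update-example.com show that volume alone does not trigger the heuristic; only the domain whose queries carry unique encoded labels and TXT requests is reported.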

MITRE Tactics and Techniques

Persistence (T1547):
Msupedge installs itself as a dynamic link library (DLL) on system directories, allowing it to maintain its presence on the compromised machine. This technique helps it to persist across reboots and maintain access to the system without requiring re-infection.
Command and Control (T1071):
Msupedge utilizes DNS tunneling to communicate with its command-and-control server. This communication method involves sending and receiving DNS traffic, encoding commands and data within the DNS packets, and hiding its activities in plain sight, which makes detection difficult. The malware uses this stealthy technique to exfiltrate information and receive instructions from the C&C server.
Execution (T1059):
The malware executes commands based on the DNS traffic received, interpreting the third octet of the resolved IP address as a control signal. Different octet values trigger different actions, such as creating new processes, downloading files, or sleeping for a set period.
Exfiltration (T1041):
Msupedge uses DNS traffic to exfiltrate data by encoding the results of executed commands in DNS requests. This method ensures that sensitive information can be stealthily sent back to the attackers without triggering traditional network security alerts.
Privilege Escalation (T1078):
While not explicitly detailed in the description, the malware’s behavior and its placement in system directories suggest that it may attempt to leverage existing privileges on the machine to execute actions without detection. This is common for backdoor malware that seeks to avoid alerting administrators.
Collection (T1119):
The malware collects information from the compromised system and sends it back to the attacker through DNS requests. This includes command results and possibly other sensitive system data.  
References:
  • New Backdoor Targeting Taiwan Employs Stealthy Communications