Overview
The world of cyber threats continues to evolve, with new and sophisticated techniques constantly emerging to bypass traditional security measures. One such emerging threat is Msupedge, a previously unseen backdoor malware that recently targeted a university in Taiwan. This malware, identified as Backdoor.Msupedge, leverages an uncommon method of communication—DNS tunneling—to establish covert connections between compromised systems and a command-and-control (C&C) server. Although DNS tunneling itself is not entirely new, its use in this backdoor malware represents a significant development in how cybercriminals can conceal their operations from traditional detection systems.
Targets
Information
How they operate
The operation begins with the infection vector, which is believed to exploit a recently patched PHP vulnerability (CVE-2024-4577), specifically a CGI argument injection flaw found in all versions of PHP on Windows systems. This vulnerability allows remote code execution, providing an entry point for the attackers. Once the initial compromise occurs, Msupedge installs itself in a hidden directory, such as csidl_drive_fixed\xampp\wuplog.dll or csidl_system\wbem\wmiclnt.dll. These directories are commonly associated with legitimate system files, which helps the malware evade detection by blending in with system processes. The installation paths used are indicative of a strategy to run the malware under the guise of normal operations, further avoiding suspicion.
Once the backdoor is in place, Msupedge uses
DNS tunneling to establish communication with its C&C server. This method allows the malware to bypass conventional network security tools like firewalls and intrusion detection systems (IDS) that might otherwise block more typical communication methods. The backdoor constructs DNS requests with encoded data that represent malicious commands, utilizing a tool based on the publicly available dnscat2. The requests are structured as hostnames that encode commands and exfiltrate data in a way that mimics standard DNS queries, making it challenging for network monitoring systems to differentiate between legitimate and malicious traffic.
The communication process is highly dynamic. Msupedge sends DNS queries where the third octet of the resolved IP address is used as a control mechanism. This IP address acts as a command, and the third octet is evaluated by the malware to determine the action to take. Each different octet triggers a specific function, such as creating processes, downloading files, or even triggering sleep cycles that delay further execution. For example, a third octet value of 145 translates to a hexadecimal value of 0x8a, which instructs the malware to create a new process. Similarly, the malware can trigger sleep modes based on specific DNS queries, allowing it to avoid detection and maintain control over the infected machine over extended periods.
Msupedge supports a range of commands, some of which include downloading files, creating specific temporary files in system directories, and removing files that it generates. It uses DNS TXT records to receive these commands, with each command being executed after being validated by the resolved DNS query. The malware can even manipulate the system’s temporary files and execute payloads based on the instructions received from the C&C server, making it adaptable and persistent. Additionally, the malware appears to be highly modular, adjusting its behavior depending on the resolved DNS query, which is an effective evasion tactic against static detection systems.
In terms of mitigation, the stealthiness of Msupedge highlights the challenges in detecting such sophisticated malware. Traditional methods of blocking malicious traffic may not be sufficient, as DNS tunneling allows the malware to blend in with standard DNS traffic. To counter this, network administrators can implement DNS traffic analysis tools capable of identifying unusual patterns or high volumes of DNS requests. Furthermore, regularly patching vulnerabilities like CVE-2024-4577 is essential to prevent initial exploitation. For organizations, particularly those in academic and research sectors, employing advanced endpoint detection and response (EDR) systems, alongside network monitoring for DNS anomalies, can be key to identifying and mitigating the risks posed by backdoor threats like Msupedge.
MITRE Tactics and Techniques
Persistence (T1547):
Msupedge installs itself as a dynamic link library (DLL) on system directories, allowing it to maintain its presence on the compromised machine. This technique helps it to persist across reboots and maintain access to the system without requiring re-infection.
Command and Control (T1071):
Msupedge utilizes DNS tunneling to communicate with its command-and-control server. This communication method involves sending and receiving DNS traffic, encoding commands and data within the DNS packets, and hiding its activities in plain sight, which makes detection difficult. The malware uses this stealthy technique to exfiltrate information and receive instructions from the C&C server.
Execution (T1059):
The malware executes commands based on the DNS traffic received, interpreting the third octet of the resolved IP address as a control signal. Different octet values trigger different actions, such as creating new processes, downloading files, or sleeping for a set period.
Exfiltration (T1041):
Msupedge uses DNS traffic to exfiltrate data by encoding the results of executed commands in DNS requests. This method ensures that sensitive information can be stealthily sent back to the attackers without triggering traditional network security alerts.
Privilege Escalation (T1078):
While not explicitly detailed in the description, the malware’s behavior and its placement in system directories suggest that it may attempt to leverage existing privileges on the machine to execute actions without detection. This is common for backdoor malware that seeks to avoid alerting administrators.
Collection (T1119):
The malware collects information from the compromised system and sends it back to the attacker through DNS requests. This includes command results and possibly other sensitive system data.
References:
