A newly discovered backdoor, dubbed Backdoor.Msupedge, was used in an attack on a Taiwanese university, leveraging an unusual communication method through DNS traffic to reach its command-and-control (C&C) server. While DNS-based communication is known among threat actors, its usage is relatively rare. The backdoor uses a DNS tunneling technique to receive commands from the attacker and execute them on the compromised machine. It likely entered the system via a vulnerability in PHP (CVE-2024-4577), which allowed remote code execution on systems running PHP on Windows.
Msupedge is installed as a dynamic link library (DLL) in specific system locations, under file names such as wuplog.dll and wmiclnt.dll. It communicates with the C&C server using DNS tunneling, a method in which DNS queries and responses carry command instructions. The DNS tunneling tool is based on the public dnscat2 code, and the backdoor changes its behavior based on the third octet of the resolved IP address. This octet is processed, and the result determines the next action, such as creating a process, downloading a file, or sleeping for a specified duration.
The backdoor supports a variety of commands, which it receives through DNS TXT records. Examples include creating processes, downloading files, and creating a temporary file whose purpose is unknown. The commands are encoded in DNS queries, and execution results are sent back encoded in a fifth-level domain. Notably, Msupedge selects its action from values derived from the resolved IP address, so a given response can trigger distinct behaviors such as downloading a file or setting a sleep period.
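The traits described above (many labels because results are encoded as a fifth-level domain, long high-entropy subdomains, and TXT lookups carrying commands) are enough to write a first-pass detector. The following Python script is an added example, not from the original report or from the threat-intel vendor; the log format, the `c2-placeholder.example` domain, and the thresholds are assumptions, and the log lines are constructed.

```python
import math
from collections import Counter

# Constructed resolver log (not from the original report): timestamp, client, qname, qtype.
# The C2 domain is a placeholder; the three deep, hex-looking TXT queries mimic tunnelled traffic.
SAMPLE_LOG = """\
2024-08-01T10:00:01Z 10.0.0.5 www.example.com A
2024-08-01T10:00:02Z 10.0.0.5 mail.example.com MX
2024-08-01T10:00:03Z 10.0.0.7 3f9a1c7e0b2d4e6f8a9c.d41d8cd98f00b204.7c1e.c2-placeholder.example TXT
2024-08-01T10:00:04Z 10.0.0.7 9b8c7d6e5f4a3b2c1d0e.a1b2c3d4e5f60718.2f3a.c2-placeholder.example TXT
2024-08-01T10:00:05Z 10.0.0.7 0123456789abcdef0123.fedcba9876543210.4b6d.c2-placeholder.example TXT
2024-08-01T10:00:06Z 10.0.0.9 cdn.static.assets.images.example.com A
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads score higher than readable hostnames."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def parse_line(line: str) -> dict:
    ts, client, qname, qtype = line.split()
    return {"ts": ts, "client": client, "qname": qname.rstrip(".").lower(), "qtype": qtype.upper()}

def score_query(q: dict, min_labels: int = 5, min_entropy: float = 3.0) -> list:
    """Return the reasons a single query looks like tunnelled traffic (empty list = benign)."""
    labels = q["qname"].split(".")
    # Assumes a two-label registrable domain; everything below it is attacker-controlled.
    sub = "".join(labels[:-2])
    reasons = []
    if len(labels) >= min_labels:
        reasons.append(f"{len(labels)} labels")
    if len(sub) >= 30 and shannon_entropy(sub) >= min_entropy:
        reasons.append(f"high-entropy subdomain ({shannon_entropy(sub):.2f} bits/char)")
    if q["qtype"] == "TXT" and len(labels) >= 4:
        reasons.append("TXT lookup of a deep subdomain (command channel)")
    return reasons

def find_suspicious(log_text: str, min_reasons: int = 2) -> list:
    """Flag queries that trip at least `min_reasons` heuristics; returns (client, qname, reasons)."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        q = parse_line(line)
        reasons = score_query(q)
        if len(reasons) >= min_reasons:
            hits.append((q["client"], q["qname"], reasons))
    return hits

if __name__ == "__main__":
    for client, qname, reasons in find_suspicious(SAMPLE_LOG):
        print(f"{client} {qname}\n  - " + "\n  - ".join(reasons))
```

Requiring two independent reasons keeps legitimate deep hostnames such as CDN labels from being flagged on label count alone; tune the thresholds against your own resolver's baseline.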