Category: php

The most notable feature of this backdoor is that it communicates with a command-and-control server via DNS traffic… The code for the DNS tunneling tool is based on the publicly available dnscat2 tool. It receives commands by performing name resolution… Msupedge not only receives commands via DNS traffic but also uses the resolved IP address of the C&C server (ctl.msedeapi[.]net) as a command. The third octet of the resolved IP address is a switch case. The behavior of the backdoor will change based on the value of the third octet of the resolved IP address minus seven…

The initial intrusion was likely through the exploit of a recently patched PHP vulnerability (CVE-2024-4577). The vulnerability is a CGI argument injection flaw affecting all versions of PHP installed on the Windows operating system. Successful exploitation of the vulnerability can lead to remote code execution.
Symantec has seen multiple threat actors scanning for vulnerable systems in recent weeks. To date, we have found no evidence allowing us to attribute this threat and the motive behind the attack remains unknown.

More from The Record:
Compared to more obvious methods like HTTP or HTTPS tunneling, this technique can be harder to detect because DNS traffic is generally considered benign and is often overlooked by security tools.
Earlier in June, researchers discovered a campaign by suspected Chinese state-sponsored hackers, known as RedJuliett, targeting dozens of organizations in Taiwan, including universities, state agencies, electronics manufacturers, and religious organizations. Like many other Chinese threat actors, the group likely targeted vulnerabilities in internet-facing devices such as firewalls and enterprise VPNs for initial access because these devices often have limited visibility and security solutions, researchers said.
Additional coverage at The Hacker News.

Thanks to Slashdot reader joshuark for sharing the article.