Hackers Exploit PHP Flaw, Deploy Msupedge Backdoor on Windows Systems

Hackers have exploited a recently patched PHP remote code execution vulnerability (CVE-2024-4577) to deploy a new backdoor called Msupedge on a university's Windows systems in Taiwan. The flaw was patched in June, and exploiting it is the most likely way the attackers gained initial access to the compromised systems.

Msupedge is a notable backdoor because it communicates with its command-and-control (C&C) server over DNS traffic. It relies on DNS tunneling, in which data is encapsulated inside DNS queries and responses, so the channel can blend in with ordinary name resolution. Through Msupedge the attackers can execute various commands, including creating processes, downloading files, and managing temporary files.
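As an added example that is not part of the original article or Symantec's research, the following Python heuristic flags DNS-tunneling-like query patterns of the kind described above: long names with high-entropy subdomains, repeated against one registered domain, using record types that carry arbitrary data. The log format, thresholds and sample lines are assumptions constructed for illustration, not Msupedge traffic.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (hypothetical format: "<ts> <client_ip> <qtype> <qname>").
SAMPLE_LOG = """\
1723900001 10.0.0.5 A www.example.com
1723900002 10.0.0.5 AAAA update.example.com
1723900003 10.0.0.7 TXT 6a7f3c9e2b1d4a8f.9c3e1b7a5d2f.c2.example.net
1723900004 10.0.0.7 TXT 1f2e3d4c5b6a7980.aa12bb34cc56.c2.example.net
1723900005 10.0.0.7 TXT 0badf00dcafe1234.77ee88ff99aa.c2.example.net
1723900006 10.0.0.5 A mail.example.com
"""

def shannon_entropy(s):
    """Bits per character; encoded payloads score far higher than real hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(qname):
    # Assumption: last two labels approximate the registered domain (no public-suffix list offline).
    return ".".join(qname.rstrip(".").split(".")[-2:])

def score_query(qname, qtype):
    """Return the list of tunneling indicators a single query triggers (thresholds are assumptions)."""
    labels = qname.rstrip(".").split(".")
    subdomain = "".join(labels[:-2])  # everything below the registered domain, dots removed
    reasons = []
    if len(qname) > 40:
        reasons.append("long_qname")
    if subdomain and shannon_entropy(subdomain) > 3.2:
        reasons.append("high_entropy_subdomain")
    if qtype in ("TXT", "NULL"):  # record types that conveniently carry arbitrary data
        reasons.append("tunnel_friendly_qtype")
    return reasons

def flag_tunneling(log_text, min_queries=3):
    """Map (client, registered_domain) -> count of suspicious queries, for pairs at or above min_queries."""
    suspicious = defaultdict(int)
    for line in log_text.splitlines():
        _ts, client, qtype, qname = line.split()
        if len(score_query(qname, qtype)) >= 2:  # require two independent indicators per query
            suspicious[(client, registered_domain(qname))] += 1
    return {pair: n for pair, n in suspicious.items() if n >= min_queries}
```

Run against a real resolver log, the per-domain counts are what you would pivot on: one odd query is noise, a steady stream to a single domain from one host is the pattern worth an analyst's time.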

Symantec's Threat Hunter Team investigated the incident and believes the attackers exploited CVE-2024-4577 to gain access to the compromised systems. The flaw bypasses the protections the PHP team put in place for CVE-2012-1823, an older vulnerability that was still being exploited in malware attacks years after it was fixed.

The initial intrusion is believed to have occurred through exploitation of the recently patched PHP vulnerability (CVE-2024-4577). Symantec has seen multiple threat actors scanning for vulnerable systems in recent weeks. To date, it has found no evidence that would allow attribution of this threat, and the motive behind the attack remains unknown.

A day after the PHP maintainers released patches for CVE-2024-4577, WatchTowr Labs published proof-of-concept (PoC) exploit code. The same day, the Shadowserver Foundation reported exploitation attempts against its honeypots. Less than 48 hours after the patches were released, the TellYouThePass ransomware gang began exploiting the vulnerability to deploy webshells and encrypt victims' systems.

Source: https://www.bleepingcomputer.com/news/security/hackers-use-php-exploit-to-backdoor-windows-systems-with-new-malware/