A newly discovered malware, named Msupedge, has been deployed on Windows systems at a university in Taiwan, exploiting a recently patched PHP vulnerability. The attackers gained access through the CVE-2024-4577 vulnerability, a critical flaw that allows for remote code execution on Windows systems running PHP in CGI mode.
Understanding CVE-2024-4577
CVE-2024-4577, identified as a critical PHP-CGI argument injection flaw, was patched in June 2024. This vulnerability affects PHP installations on Windows systems with PHP configured in CGI mode. If exploited, it enables unauthenticated attackers to execute arbitrary code, leading to a full system compromise.
Msupedge Malware: A Closer Look
The attackers deployed Msupedge by dropping two dynamic-link libraries (DLLs), weblog.dll and wmiclnt.dll, on the compromised systems. The malware was loaded via the httpd.exe Apache process, making it particularly insidious.
One of the most notable aspects of Msupedge is its use of DNS traffic for communication with its command-and-control (C&C) server. While DNS tunneling as a method for data exfiltration and communication has been observed before, its use in the wild remains relatively uncommon. Msupedge employs DNS tunneling, likely leveraging the open-source dnscat2 tool, to encapsulate data within DNS queries and responses. This technique allows it to receive commands from its C&C server discreetly.
The backdoor supports a range of commands, which are triggered by specific patterns in the resolved IP address of the C&C server. These commands include creating processes, downloading files, and managing temporary files, providing the attackers with extensive control over the compromised systems.
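A defender's-eye illustration of the DNS tunnelling behaviour described above, added here as example code that is not part of the original article or of any Msupedge analysis: it scores constructed DNS query log lines per zone by subdomain entropy, subdomain churn and TXT/CNAME share, the traits that make dnscat2-style traffic stand out from ordinary resolution. The "client qname qtype" log format, the sample zone names and the thresholds are assumptions.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log, format "client qname qtype" (not from the incident).
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 update.example.com A
10.0.0.7 a7f3c9e1b2d4.tunnel-zone.test TXT
10.0.0.7 9c2e4b8f1a6d.tunnel-zone.test TXT
10.0.0.7 3e1d5a7c9b2f.tunnel-zone.test CNAME
10.0.0.7 f8b2d6e4a1c3.tunnel-zone.test TXT
10.0.0.5 mail.example.com MX
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded tunnel payloads look random and score high."""
    if not s:
        return 0.0
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def split_zone(qname: str, suffix_labels: int = 2):
    """Naive (subdomain, zone) split on the last N labels; production code would use a public-suffix list."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[:-suffix_labels]), ".".join(labels[-suffix_labels:])

def score_zones(log_text: str, min_queries: int = 3, min_entropy: float = 3.0,
                min_odd_ratio: float = 0.5) -> dict:
    """Per-zone stats plus a 'suspicious' verdict: many distinct high-entropy subdomains and a
    large share of TXT/CNAME queries, the record types tunnelling tools use to carry data."""
    acc = defaultdict(lambda: {"n": 0, "subs": set(), "ent": 0.0, "odd": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        _client, qname, qtype = parts
        sub, zone = split_zone(qname)
        z = acc[zone]
        z["n"] += 1
        z["subs"].add(sub)
        z["ent"] += shannon_entropy(sub)
        z["odd"] += qtype.upper() in ("TXT", "CNAME")
    result = {}
    for zone, z in acc.items():
        avg_ent, ratio = z["ent"] / z["n"], z["odd"] / z["n"]
        result[zone] = {"queries": z["n"], "unique_subdomains": len(z["subs"]),
                        "avg_entropy": round(avg_ent, 2), "txt_cname_ratio": round(ratio, 2),
                        "suspicious": (z["n"] >= min_queries and len(z["subs"]) >= min_queries
                                       and avg_ent >= min_entropy and ratio >= min_odd_ratio)}
    return result
```

Thresholds need tuning per environment, since CDNs and some security products also generate many unique high-entropy subdomains under one zone.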
The Exploitation of PHP RCE Flaw
Symantec's Threat Hunter Team, which investigated this incident, attributes the initial compromise to the exploitation of CVE-2024-4577. This vulnerability bypasses previous protections implemented by the PHP team, including those for the older CVE-2012-1823 flaw. Notably, the CVE-2012-1823 vulnerability was exploited years after its patching in attacks against Linux and Windows servers by malware such as RubyMiner.
Symantec's team noted, "The initial intrusion was likely through the exploit of a recently patched PHP vulnerability (CVE-2024-4577). We have observed multiple threat actors scanning for vulnerable systems in recent weeks. However, we have not yet identified the group responsible for this attack, and the motive remains unclear."
Widespread Exploitation and Immediate Action
The security landscape around CVE-2024-4577 evolved rapidly. Just one day after the PHP team released patches, watchTowr Labs published proof-of-concept (PoC) exploit code. On the same day, the Shadowserver Foundation reported exploitation attempts in their honeypots. Within 48 hours, the TellYouThePass ransomware gang began using the vulnerability to deploy webshells and encrypt victims' systems.
This swift escalation highlights the critical importance of promptly applying security patches to mitigate the risks posed by newly discovered vulnerabilities. Organisations using PHP on Windows systems are urged to ensure their systems are fully patched to avoid falling victim to similar attacks.
To Sum Up
The Msupedge malware incident underscores the dangers of delayed patching and the innovative techniques attackers use to compromise systems. As threat actors continue to evolve their tactics, staying vigilant and proactive in applying security updates is more crucial than ever.