Hackers Exploit PHP Vulnerability to Deploy Backdoor on Windows

TapTechNews, August 21: the technology outlet BleepingComputer reported yesterday (August 20) that attackers are exploiting the recently patched PHP remote code execution vulnerability (CVE-2024-4577) to deploy a backdoor named Msupedge on Windows systems.

CVE-2024-4577

TapTechNews reported in June and July this year that the PHP for Windows installation package contains a remote code execution (RCE) vulnerability affecting all versions since 5.x, which may impact a large number of servers worldwide.

PHP released a patch for this vulnerability in June. Unauthenticated attackers can use it to execute arbitrary code and, after successful exploitation, can completely crash the system.

Msupedge backdoor

The attackers created and deployed two dynamic link library files, weblog.dll (loaded by the Apache process httpd.exe) and wmiclnt.dll, and use DNS traffic to communicate with the command and control (C&C) server.

The backdoor uses a DNS tunnel (functionality based on the open-source dnscat2 tool) to encapsulate data in DNS queries and responses, receiving commands from its C&C server this way.


Attackers can use Msupedge to execute various commands, which are triggered by the third octet of the IP address that the C&C server's domain resolves to. The backdoor supports multiple commands, including creating processes, downloading files, and managing temporary files.
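The DNS tunnelling described above leaves a recognisable shape in resolver logs: many distinct, long, high-entropy subdomains under one base domain, because the tunnel has to encode its payload in the query names. The following detection script is an added example written for this article, not code from Symantec, BleepingComputer or the dnscat2 project; the log format (`<client_ip> <qname>` per line), the domain names and the thresholds are all constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample of DNS query log lines (not from the article): "<client_ip> <qname>".
# The c2-example.test queries imitate the shape of encoded tunnel traffic; the rest is ordinary lookups.
SAMPLE_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.7 k3j9x0pq2mz7vb1ncwys5ue8ha4tl6dfgr.c2-example.test
10.0.0.7 q8w2e5r1t9y0u3i7o4p6a1s5d2f8g3h4jk.c2-example.test
10.0.0.7 z1x2c3v4b5n6m7a8s9d0f1g2h3j4k5l6qw.c2-example.test
10.0.0.7 p0o9i8u7y6t5r4e3w2q1l0k9j8h7g6f5ds.c2-example.test
10.0.0.9 cdn.example.org
10.0.0.9 static.cdn.example.org
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """Return (base_domain, subdomain_labels), approximating the registrable domain as the last two labels."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return ".".join(labels), []
    return ".".join(labels[-2:]), labels[:-2]


def parse_log(text: str):
    """Yield (client_ip, qname) pairs from the constructed log format; skip blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            yield parts[0], parts[1]


def detect_dns_tunneling(text: str, min_queries: int = 3, min_label_len: int = 24,
                         min_entropy: float = 3.0) -> dict:
    """Flag base domains that receive at least min_queries distinct subdomains whose longest
    label is both long and high-entropy, the footprint of data encoded into DNS names."""
    per_domain = defaultdict(lambda: {"clients": set(), "suspicious": set(), "total": 0})
    for client, qname in parse_log(text):
        base, subs = split_qname(qname)
        entry = per_domain[base]
        entry["total"] += 1
        entry["clients"].add(client)
        if subs:
            label = max(subs, key=len)
            if len(label) >= min_label_len and shannon_entropy(label) >= min_entropy:
                entry["suspicious"].add(".".join(subs))
    findings = {}
    for base, entry in per_domain.items():
        if len(entry["suspicious"]) >= min_queries:
            findings[base] = {
                "total_queries": entry["total"],
                "suspicious_queries": len(entry["suspicious"]),
                "clients": sorted(entry["clients"]),
            }
    return findings


if __name__ == "__main__":
    for base, info in detect_dns_tunneling(SAMPLE_LOG).items():
        print(f"possible DNS tunnel to {base}: {info}")
```

The thresholds are deliberately conservative starting points; in production the base-domain split should use the public suffix list rather than "last two labels", and the per-domain counts should be computed over a time window so that bursty, short-lived tunnels are not diluted by a day of normal traffic.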

Symantec's Threat Hunter Team investigated the intrusion in depth and believes the attackers gained access by exploiting CVE-2024-4577.

This vulnerability bypasses the protections the PHP team implemented for CVE-2012-1823, a flaw that was still being exploited in malware attacks many years after it was patched, notably by the RubyMiner malware targeting Linux and Windows servers.
