Hackers Exploit PHP Vulnerability in Windows To Execute Arbitrary Code Remotely

Cybersecurity researchers at Symantec recently identified a new malware that exploits a PHP vulnerability (CVE-2024-4577), a CGI argument injection flaw. The vulnerability affects all versions of PHP installed on the Windows operating system and ultimately allows arbitrary code to be executed remotely.
A Taiwanese university has been targeted by a new type of backdoor, Backdoor.Msupedge, which uses a technique that is not commonly used but has been reported in the past.
Cybersecurity experts point to this malware's distinctive feature, the use of DNS traffic for command-and-control (C&C) server communication, which they have rarely seen in the wild.
Although other threat actors have previously deployed such DNS-based C&C techniques, this attack stands out because the technique is so seldom observed.
Technical Analysis
Msupedge is a sophisticated DLL backdoor detected at the following paths: csidl_drive_fixed\xampp\wuplog.dll and csidl_system\wbem\wmiclnt.dll.
It employs DNS tunneling, using the dnscat2 tool, to establish C&C communication.
Error notifications for memory allocation failure, command decompression, and command execution are sent as the hostnames in DNS queries, and these hostnames are also used for command construction.
These are encoded as fifth-level domains and then transmitted back.
Msupedge also uses ctl.msedeapi[.]net as a command channel: it takes the third octet of the resolved IP address of the C&C server, subtracts seven from it, and uses the result as a switch case that determines the backdoor's behavior.
Apache (httpd.exe) loads wuplog.dll, but the parent process of wmiclnt.dll is still unknown.
Msupedge has evolved into a multi-faceted capability that maintains hidden communication channels and allows its functionality to be adjusted over time.
Msupedge supports the following commands:
- Case 0x8a: Create process. The command is received via DNS TXT record.
- Case 0x75: Download file. The download URL is received via DNS TXT record.
- Case 0x24: Sleep (ip_4 * 86400 * 1000 ms).
- Case 0x66: Sleep (ip_4 * 3600 * 1000 ms).
- Case 0x38: Create %temp%\1e5bf625-1678-zzcv-90b1-199aa47c345.tmp. The purpose of this file is unknown.
- Case 0x3c: Delete %temp%\1e5bf625-1678-zzcv-90b1-199aa47c345.tmp.
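As an added example (not code from the Symantec report or the article), the following detection logic scans DNS resolver log lines for the two behaviors described above: lookups of the ctl.msedeapi[.]net control domain, decoded with the "third octet minus seven" rule into the command table, and dnscat2-style TXT queries with hex-looking fifth-level labels. The log format and all sample lines are constructed for the example.

```python
import re
from collections import namedtuple

# Command table reported for Backdoor.Msupedge: the third octet of the
# address resolved for ctl.msedeapi[.]net, minus seven, selects the case.
MSUPEDGE_CASES = {
    0x8A: "create process (command fetched via DNS TXT record)",
    0x75: "download file (URL fetched via DNS TXT record)",
    0x24: "sleep ip_4 * 86400 * 1000 ms (days)",
    0x66: "sleep ip_4 * 3600 * 1000 ms (hours)",
    0x38: "create %temp% marker .tmp file",
    0x3C: "delete %temp% marker .tmp file",
}
C2_DOMAIN = "ctl.msedeapi.net"
HEX_LABEL = re.compile(r"^[0-9a-f]{4,}$")
Finding = namedtuple("Finding", "client qname reason")

def decode_switch(answer_ip):
    """Derive (case, ip_4) the way Msupedge does from a resolved C&C address."""
    o = [int(x) for x in answer_ip.split(".")]
    return o[2] - 7, o[3]

def describe_case(case, ip_4):
    text = MSUPEDGE_CASES.get(case)
    return f"case {case:#x}: {text} (ip_4={ip_4})" if text else f"unknown case {case:#x}"

def looks_like_tunnel(qname):
    """Deep hostnames whose leading labels are hex blobs, as in dnscat2 tunneling."""
    labels = qname.lower().rstrip(".").split(".")
    return len(labels) >= 5 and all(HEX_LABEL.match(l) for l in labels[:-3])

def scan_dns_log(lines):
    """Each line (constructed format): '<ts> <client> <qname> <qtype> <answer|->'."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records instead of crashing
        _, client, qname, qtype, answer = parts
        q = qname.lower().rstrip(".")
        if q == C2_DOMAIN and qtype == "A" and answer != "-":
            findings.append(Finding(client, q, "Msupedge C&C lookup; " + describe_case(*decode_switch(answer))))
        elif qtype == "TXT" and looks_like_tunnel(q):
            findings.append(Finding(client, q, "possible DNS tunnelling (TXT query, hex fifth-level labels)"))
    return findings

# Constructed sample log: 10.9.145.3 -> 145-7 = 0x8a, 10.9.43.2 -> 43-7 = 0x24.
SAMPLE_LOG = [
    "2024-08-20T10:00:01 10.0.0.5 ctl.msedeapi.net A 10.9.145.3",
    "2024-08-20T10:00:02 10.0.0.5 4f1a9c.00b3e7d2.c8e1.ctl.msedeapi.net TXT -",
    "2024-08-20T10:00:03 10.0.0.7 www.example.com A 198.51.100.9",
    "2024-08-20T10:05:00 10.0.0.5 ctl.msedeapi.net A 10.9.43.2",
]

if __name__ == "__main__":
    for f in scan_dns_log(SAMPLE_LOG):
        print(f"{f.client} {f.qname}: {f.reason}")
```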
The initial intrusion was accomplished by exploiting the recently patched PHP vulnerability tracked as CVE-2024-4577, which affects all versions of PHP installed on the Windows operating system.
It is a CGI argument injection vulnerability that allows attackers to inject malicious arguments into PHP CGI scripts.
Successful exploitation of this type of bug can lead to remote code execution, which could allow attackers to run arbitrary code on vulnerable systems.
Besides this, Symantec has recently observed that multiple entities were scanning for systems affected by this flaw.
IoCs
- e08dc1c3987d17451a3e86c04ed322a9424582e2f2cb6352c892b7e0645eda43 - Backdoor.Msupedge
- f5937d38353ed431dc8a5eb32c119ab575114a10c24567f0c864cb2ef47f9f36 - Backdoor.Msupedge
- a89ebe7d1af3513d146a831b6fa4a465c8edeafea5d7980eb5448a94a4e34480 - Web shell
Source credit: cybersecuritynews.com