Hackers Exploit PHP Vulnerability to Deploy Stealthy Msupedge Backdoor
Briefly

"The most notable feature of this backdoor is that it communicates with a command-and-control (C&C) server via DNS traffic," the Symantec Threat Hunter Team reported.
"It receives commands by performing name resolution," Symantec noted. Msupedge not only receives commands via DNS traffic but also uses the resolved IP address of the C&C server as a command.
The initial access vector that likely facilitated the deployment of Msupedge is believed to be exploitation of CVE-2024-4577 (CVSS score: 9.8), a critical PHP flaw in the way PHP's CGI handler processes arguments on Windows.
The commands Msupedge supports include creating a process and downloading files; the instructions for these are delivered through DNS TXT records, so the implant never needs a conventional HTTP or TCP channel to its operator.
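A DNS-only C2 channel such as the one described above leaves two artefacts in resolver logs: an unusually high volume of TXT lookups under one domain from a single client, and an A record whose answer keeps changing because the resolved address itself carries the command. The following Python snippet is an added example (not Symantec's code and not derived from the Msupedge sample) that hunts for both patterns. The log line format, the domain names, the IP addresses and the thresholds are all assumptions constructed for illustration.

```python
"""Heuristic hunt for DNS-based C2 over constructed resolver log lines.

Added example, not code from the original article, from Symantec, or from the
Msupedge sample. The log format ("<epoch> <client> <qname> <qtype> <answer>"),
the domains, the addresses and the thresholds are assumptions for illustration.
"""
import re
from collections import defaultdict

# Constructed sample log: one benign client (10.0.0.5) and one client (10.0.0.9)
# that resolves the same name repeatedly to changing addresses and then issues a
# burst of TXT queries under the same parent domain.
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.org A 93.184.216.34
1700000001 10.0.0.9 beacon.c2-example.test A 10.11.12.13
1700000061 10.0.0.9 beacon.c2-example.test A 10.11.14.13
1700000121 10.0.0.9 beacon.c2-example.test A 10.11.16.13
1700000122 10.0.0.9 t1.c2-example.test TXT "cmd"
1700000123 10.0.0.9 t2.c2-example.test TXT "cmd"
1700000124 10.0.0.9 t3.c2-example.test TXT "cmd"
1700000125 10.0.0.9 t4.c2-example.test TXT "cmd"
1700000200 10.0.0.5 mail.example.org A 93.184.216.35
1700000201 10.0.0.5 _dmarc.example.org TXT "v=DMARC1"
"""

LINE_RE = re.compile(r'^(\d+) (\S+) (\S+) ([A-Z]+) (.*)$')


def parse(log):
    """Yield (ts, client, qname, qtype, answer) from the assumed log format."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        ts, client, qname, qtype, answer = m.groups()
        yield int(ts), client, qname.lower().rstrip('.'), qtype, answer.strip('"')


def parent_domain(qname):
    """Approximate the registrable domain as the last two labels.

    This is a simplification; a production hunt should use the Public Suffix List.
    """
    labels = qname.split('.')
    return '.'.join(labels[-2:]) if len(labels) >= 2 else qname


def hunt(log, txt_threshold=3, ip_threshold=3):
    """Return findings for clients matching either DNS-C2 heuristic.

    txt_threshold: TXT queries from one client under one parent domain.
    ip_threshold:  distinct A answers one client received for the same name.
    Both thresholds are illustrative, not tuned values.
    """
    txt_counts = defaultdict(int)   # (client, parent_domain) -> TXT query count
    a_answers = defaultdict(set)    # (client, qname) -> distinct A-record answers
    for _ts, client, qname, qtype, answer in parse(log):
        if qtype == 'TXT':
            txt_counts[(client, parent_domain(qname))] += 1
        elif qtype == 'A':
            a_answers[(client, qname)].add(answer)

    findings = []
    for (client, parent), n in sorted(txt_counts.items()):
        if n >= txt_threshold:
            findings.append({'client': client, 'domain': parent,
                             'reason': 'txt-volume', 'count': n})
    for (client, qname), ips in sorted(a_answers.items()):
        if len(ips) >= ip_threshold:
            findings.append({'client': client, 'domain': qname,
                             'reason': 'unstable-a-answers', 'count': len(ips)})
    return findings


if __name__ == '__main__':
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

Run against the constructed log, only 10.0.0.9 is reported, once for the TXT burst under c2-example.test and once for the three different answers to beacon.c2-example.test. Legitimate TXT lookups such as DMARC or SPF records sit well below the TXT threshold, and the A-record heuristic tolerates ordinary round-robin by requiring several distinct answers from the same client rather than any change at all.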
Read at The Hacker News