A ransomware gang known as TellYouThePass has swiftly exploited a critical vulnerability in Windows installations of the PHP web scripting language. This vulnerability, tracked as CVE-2024-4577, was targeted by the group just hours after researchers released a proof-of-concept script.
Imperva Threat Research reported on Monday that the TellYouThePass operators began exploiting the PHP bug almost immediately. The gang, active since 2019, is known for seizing opportunities in widespread cyber incidents, much like they did with the 2021 Log4Shell vulnerability. Chinese network security firm Snagfor had previously spotted the group in March.
Also read: PHP vulnerability exposes Windows servers to remote attacks
Imperva’s researchers observed multiple hacking attempts against Windows PHP systems, including webshell uploads and ransomware deployment efforts. Attackers utilized the PHP flaw to execute arbitrary code by leveraging the PHP system function to run an HTML application file hosted on a hacker-controlled server. They employed mshta.exe, a native Windows binary, to execute remote payloads, a tactic known as “living off the land.”
The initial infection vector involved an HTML application named dd3.hta, containing a malicious VBScript. This VBScript included a base64 encoded string, which, when decoded, revealed binary bytes loaded into memory during runtime.
The decoded bytes revealed a serialized method that loaded a Portable Executable file into memory—a .NET variant of the TellYouThePass ransomware. Upon execution, the file sent an HTTP request to a command-and-control server with details about the infected machine. This request was disguised as a request to retrieve CSS resources, likely to avoid detection.
The TellYouThePass ransomware gang has been exploiting the recently patched CVE-2024-4577 remote code execution vulnerability in PHP to deliver webshells and execute the encryptor payload on target systems.https://t.co/ULyUZhcY4d#rhymtech #thinkcyberthinkrhym #rhymcyberupdates
— Rhym Technologies (@Rhym_Tech) June 12, 2024
The command-and-control IP was hardcoded in the malware sample studied by Imperva. The attack concluded with a ReadMe message placed in the web root directory, providing ransom payment instructions.
Abdul Rehman
Abdul is a tech-savvy, coffee-fueled, and creatively driven marketer who loves keeping up with the latest software updates and tech gadgets. He's also a skilled technical writer who can explain complex concepts simply for a broad audience. Abdul enjoys sharing his knowledge of the Cloud industry through user manuals, documentation, and blog posts.
