Hackers Attack ThinkPHP By Injecting Payload From Remote Servers

Threat actors are constantly evolving their TTPs and developing new malicious tools to execute their activities.

Recently, Akamai researchers have noted a concerning trend of attackers exploiting known vulnerabilities, such as the years-old ThinkPHP RCE CVE-2018-20062 and CVE-2019-9082. 


Initially detected in October 2023 with limited probes, a much larger campaign resurged in April 2024, exploiting these vulnerabilities to install remote shells.

Hackers Attack ThinkPHP

The CVE exploits try to download “public.txt” from a Chinese server that is most likely compromised.

The file is malicious, named “roeter.php,” which, when saved on victims, opens an obfuscated web shell backdoor that is password-protected with the word “admin.”

Most of the originating from Zenlayer cloud IP addresses are based in Hong Kong.

With ANYRUN You can Analyze any URL, Files & Email for Malicious Activity : Start your Analysis

The server hosting the backdoor itself was infected; this may have been a way for the attacker to cut costs and hide the recognition by authorities.

The web shell is used for navigating, editing, and deleting files, as well as modifying time stamps in an operating system’s file system.

It is worth pointing out that this one has a Chinese interface instead of an English interface, as most shells do. 

It is called “Dama” and it not only uploads files but also collects system information useful to exploit detection, performs port scans, grants access to databases, and provides privileged escalation options such as disabling PHP constraints, and scheduling tasks to add high-privileged users or wmi.

Advanced Dama web shell capabilities (Source – Akamai)

However, surprisingly it does not contain command-line interface support for direct OS shell commands, unlike its wide range of other functionalities.

It is highly recommended that ThinkPHP be upgraded to the latest version 8.0. Researchers said that recent attacks have used a sophisticated Chinese web shell, “Dama,” for advanced victim control, but it strangely lacks CLI support.

Some customers were attacked even though they didn’t use ThinkPHP, implying indiscriminate targeting. This consequently indicates the persistent challenge of detecting vulnerabilities and patching them.

Possible aims of an attacker include botnet recruitment, ransomware attack, extortion or acquiring intelligence, and lateral movement.

As offensive technology advances, there is a growing sophistication gap between the tools and their users.

Looking for Full Data Breach Protection? Try Cynet's All-in-One Cybersecurity Platform for MSPs: Try Free Demo 

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.