The notorious TellYouThePass ransomware gang exploits a critical remote code execution (RCE) vulnerability in PHP to compromise servers and deploy their malicious payloads.
The flaw, tracked as CVE-2024-4577, allows unauthenticated attackers to execute arbitrary code on vulnerable PHP installations.
Imperva researchers discovered that the TellYouThePass ransomware operators began exploiting this high-severity PHP bug mere hours after a proof-of-concept (PoC) exploit was publicly released on June 10, 2024.
With ANYRUN You can Analyze any URL, Files & Email for Malicious Activity : Start your Analysis
The threat actors target exposed PHP servers to gain initial access and move laterally through victims’ networks before encrypting files and demanding ransom payments.
“The rapid weaponization of CVE-2024-4577 by the TellYouThePass ransomware group underscores the critical need for organizations to patch their PHP deployments without delay,” warned the Imperva research team. “We expect other threat actors to quickly adopt this exploit as part of their attack chains.”
PHP developers have released security updates addressing the RCE vulnerability in versions 8.2.7, 8.1.19, and 7.4.33. System administrators are strongly urged to upgrade their PHP installations to the latest patched releases to mitigate the risk of compromise.
The TellYouThePass ransomware first emerged in late 2021. It exploited the infamous Log4Shell vulnerability to infect Windows and Linux systems.
In 2022, the malware was rewritten in the Go programming language, enabling the operators to more easily target multiple operating systems, including macOS.
More recently, in November 2023, TellYouThePass was observed exploiting a critical RCE flaw (CVE-2023-46604) in Apache ActiveMQ message broker servers to breach and encrypt victims’ data.
Arctic Wolf security researchers found evidence linking the TellYouThePass gang to HelloKitty ransomware attacks leveraging the same ActiveMQ vulnerability.
With this latest PHP exploitation campaign, the TellYouThePass ransomware actor continues to demonstrate its ability to incorporate newly disclosed vulnerabilities into its attack toolkit rapidly.
Organizations running PHP in their environments must prioritize patching CVE-2024-4577 to defend against these evolving ransomware threats.
IoCs
URL: hxxp:/88.218.76[.]13/dd3.hta
C2 IP: 88.218.76[.]13
Hash (HTA sample): 95279881525d4ed4ce25777bb967ab87659e7f72235b76f9530456b48a00bac3
Hash (HTA sample): 5a2b9ddddea96f21d905036761ab27627bd6db4f5973b006f1e39d4acb04a618
Hash Extracted .NET binary: 9562AD2C173B107A2BAA7A4986825B52E881A935DEB4356BF8B80B1EC6D41C53
Bitcoin Wallet address: bc1qnuxx83nd4keeegrumtnu8kup8g02yzgff6z53l
Looking for Full Data Breach Protection? Try Cynet's All-in-One Cybersecurity Platform for MSPs: Try Free Demo
.webp "Hacker’s Price List for Hijacking Server & Whatsapp Exposed")
.webp "Beware of New Krampus Loader That Getting Popular in Dark Web"){kind=small}
%20(1).webp "Critical Docker Vulnerability Lets Hacker Bypass Authentication"){kind=small}