Cyber Security News

TellYouThePass Ransomware Actor Weaponizing PHP RCE Flaw, Patch Immediately

The notorious TellYouThePass ransomware gang exploits a critical remote code execution (RCE) vulnerability in PHP to compromise servers and deploy their malicious payloads.

The flaw, tracked as CVE-2024-4577, allows unauthenticated attackers to execute arbitrary code on vulnerable PHP installations.

Imperva researchers discovered that the TellYouThePass ransomware operators began exploiting this high-severity PHP bug mere hours after a proof-of-concept (PoC) exploit was publicly released on June 10, 2024.

With ANYRUN You can Analyze any URL, Files & Email for Malicious Activity : Start your Analysis

The threat actors target exposed PHP servers to gain initial access and move laterally through victims’ networks before encrypting files and demanding ransom payments.

Malicious HTML Application

“The rapid weaponization of CVE-2024-4577 by the TellYouThePass ransomware group underscores the critical need for organizations to patch their PHP deployments without delay,” warned the Imperva research team. “We expect other threat actors to quickly adopt this exploit as part of their attack chains.”

PHP developers have released security updates addressing the RCE vulnerability in versions 8.2.7, 8.1.19, and 7.4.33. System administrators are strongly urged to upgrade their PHP installations to the latest patched releases to mitigate the risk of compromise.

The TellYouThePass ransomware first emerged in late 2021. It exploited the infamous Log4Shell vulnerability to infect Windows and Linux systems.

In 2022, the malware was rewritten in the Go programming language, enabling the operators to more easily target multiple operating systems, including macOS.

More recently, in November 2023, TellYouThePass was observed exploiting a critical RCE flaw (CVE-2023-46604) in Apache ActiveMQ message broker servers to breach and encrypt victims’ data.

Arctic Wolf security researchers found evidence linking the TellYouThePass gang to HelloKitty ransomware attacks leveraging the same ActiveMQ vulnerability.

With this latest PHP exploitation campaign, the TellYouThePass ransomware actor continues to demonstrate its ability to incorporate newly disclosed vulnerabilities into its attack toolkit rapidly.

Organizations running PHP in their environments must prioritize patching CVE-2024-4577 to defend against these evolving ransomware threats.


URL: hxxp:/88.218.76[.]13/dd3.hta
C2 IP: 88.218.76[.]13
Hash (HTA sample): 95279881525d4ed4ce25777bb967ab87659e7f72235b76f9530456b48a00bac3
Hash (HTA sample): 5a2b9ddddea96f21d905036761ab27627bd6db4f5973b006f1e39d4acb04a618
Hash Extracted .NET binary: 9562AD2C173B107A2BAA7A4986825B52E881A935DEB4356BF8B80B1EC6D41C53
Bitcoin Wallet address: bc1qnuxx83nd4keeegrumtnu8kup8g02yzgff6z53l

Looking for Full Data Breach Protection? Try Cynet's All-in-One Cybersecurity Platform for MSPs: Try Free Demo 

Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

CrowdStrike Releases Fix for Updates Causing Windows to Enter BSOD Loop

CrowdStrike has issued a fix for a problematic update that caused numerous Windows systems to…

7 hours ago

Beware of Free VPNs that Install Malicious Botnets

Virtual Private Networks (VPNs) have become essential tools for internet users. However, the allure of…

11 hours ago

HPE Critical 3PAR Processor Flaw Let Remote Attackers Bypass Authentication

Hewlett Packard Enterprise (HPE) has addressed a critical vulnerability in its 3PAR Service Processor software…

14 hours ago

Chrome Security Update: Patch for Multiple Flaws that Leads to Remote Code Execution

Google has announced the release of Chrome 126, a critical security update that addresses 10…

15 hours ago

CrowdStrike Update Pushing Windows Machines Into a BSOD Loop

A recent update to the CrowdStrike Falcon sensor is causing major issues for Windows users…

16 hours ago

Oracle WebLogic Server Vulnerability Allows Complete Server Take Over

A critical vulnerability identified as CVE-2024-21181 has been discovered in the Oracle WebLogic Server, posing…

17 hours ago