Fraud Management & Cybercrime , Governance & Risk Management , Patch Management

Ransomware Gang TellYouThePass Exploits PHP Vulnerability

Flaw Allows Unauthenticated Attackers to Execute Arbitrary Code
Ransomware Gang TellYouThePass Exploits PHP Vulnerability
The TellYouThePass ransomware group was quick to exploit a critical flaw in PHP. (Image: Shutterstock)

A ransomware operation with a history of exploiting widespread internet vulnerabilities lost little time in making use of a critical-severity vulnerability in Window installations of web-scripting language PHP.

See Also: The Cost of Underpreparedness to Your Business

Imperva Threat Research in a Monday report said TellYouThePass ransomware operators began exploiting the PHP bug, tracked as CVE-2024-4577, hours after researchers released a proof of concept script (see: Critical PHP Vulnerability Threatens Windows Servers).

The TellYouThePass ransomware group, active since 2019, sees opportunity in cyber incidents that have system administrators globally scrambling to patch systems. It was among the cybercriminal groups to jump on the 2021 vulnerability known as Log4Shell. Security researchers say it has a history of appearing in new forms. Chinese network security firm Sangfor spotted it in March.

Imperva researchers said Monday they observed multiple hacking attempts against Windows PHP systems involving web shell uploads and efforts to deploy ransomware.

Attackers use the PHP flaw to execute arbitrary PP code by using the PHP system function to run an HTML application file hosted on a hacker-controlled web server. The attackers use mshta.exe to launch the attack - mshta.exe is a "native Windows binary that can execute remote payloads, pointing to the attackers operating in a 'living off the land' style," said Imperva researchers.

The initial infection involves an HTML application named dd3.hta that contains a malicious VBScript. This VBScript includes a base64 encoded string that, when decoded, reveals bytes of a binary loaded into memory during runtime.

The extracted bytes reveal a serialized method, which loads a Portable Executable file into memory during runtime - a .NET variant of the TellYouThePass ransomware. Once executed, the file sends an HTTP request to the command-and-control server, which contains details about the infected machine. The callback masquerades as a request to retrieve CSS resources, likely to evade detection.

The command-and-control IP was hard-coded in the sample Imperva studied. The malware concludes by publishing a ReadMe message in the web root directory, which provides details necessary for a ransom payment.

About the Author

Prajeet Nair

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.