The recently patched critical PHP vulnerability has been actively exploited to deliver malware as part of the “TellYouThePass” ransomware campaign, Imperva’s Threat Research team reported.
Tracked as CVE-2024-4577, the flaw is an OS command injection issue that could allow remote command execution. The vulnerability stems from an incomplete fix for the CVE-2012-1823 bug.
First observed in 2019, “TellYouThePass” ransomware has targeted both businesses and individuals across Windows and Linux systems. The ransomware gang has a history of exploiting known vulnerabilities, such as CVE-2021-44228 (Apache Log4j) and CVE-2023-46604 (Apache ActiveMQ), to infiltrate systems and deploy its malicious payloads.
Imperva’s analysis identified several campaigns exploiting the CVE-2024-4577 vulnerability, including attempts to upload web shells and deploy ransomware. A key component of the attack is the use of an HTA file (dd3.hta) containing a malicious VBScript. This VBScript holds a base64-encoded string that decodes into binary data, which is loaded into memory at runtime.
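A defender triaging HTA files for the pattern described above (a VBScript block carrying a long base64 literal that decodes to an executable) can automate the check. The following script is an added example, not Imperva’s tooling or the campaign’s code; the embedded HTA and its "binary" are constructed placeholders whose only property is an MZ header.

```python
import base64
import binascii
import re

# Constructed sample: a minimal HTA whose VBScript holds a base64 blob.
# FAKE_PE is not a real executable, just bytes that start with the MZ magic.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 40
SAMPLE_HTA = """<html><head><HTA:APPLICATION ID="x" WINDOWSTATE="minimize"/>
<script language="VBScript">
Dim s
s = "%s"
' decode and load in memory (stand-in comment, no real logic here)
</script></head><body></body></html>""" % base64.b64encode(FAKE_PE).decode()

# Double-quoted literals of at least 64 base64 characters.
B64_RE = re.compile(r'"([A-Za-z0-9+/]{64,}={0,2})"')
VBS_RE = re.compile(r'<script[^>]*language\s*=\s*["\']?vbscript', re.I)


def extract_base64_payloads(hta_text):
    """Return the decoded bytes of every long, valid base64 literal."""
    out = []
    for m in B64_RE.finditer(hta_text):
        try:
            out.append(base64.b64decode(m.group(1), validate=True))
        except (ValueError, binascii.Error):
            continue  # not real base64, e.g. a long identifier
    return out


def classify(blob):
    """Label a decoded blob by its magic bytes (PE, ELF or unknown)."""
    if blob[:2] == b"MZ":
        return "pe"
    if blob[:4] == b"\x7fELF":
        return "elf"
    return "unknown"


def triage_hta(hta_text):
    """Flag an HTA that pairs VBScript with an embedded executable."""
    has_vbs = VBS_RE.search(hta_text) is not None
    findings = [(len(b), classify(b)) for b in extract_base64_payloads(hta_text)]
    suspicious = has_vbs and any(k in ("pe", "elf") for _, k in findings)
    return {"vbscript": has_vbs, "payloads": findings, "suspicious": suspicious}
```

Run `triage_hta` over any `.hta` attachment or download; a hit is a strong signal for sandboxing, and the decoded blob can be hashed and submitted for analysis.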
Upon execution, the malware sends an HTTP request to the command-and-control (C2) server with details about the infected machine, masked as a request to retrieve CSS resources. This technique likely aims to evade detection by blending malicious activity with legitimate traffic.
Imperva said that within hours of detecting the above-described activity, it tracked discussions about this ransomware across various online communities.
Earlier this week, Symantec reported that the cybercrime group known as Cardinal (aka Storm-1811, UNC4393), operators of the Black Basta ransomware, may have exploited a Windows privilege escalation vulnerability (CVE-2024-26169) patched in March 2024, as a zero-day.