13 June 2024

TellYouThePass ransomware weaponizes recently patched PHP flaw

The recently patched critical PHP vulnerability has been actively exploited to deliver malware as part of the “TellYouThePass” ransomware campaign, Imperva’s Threat Research team reported.

Tracked as CVE-2024-4577, the flaw is an OS command injection issue that could allow remote command execution. The vulnerability stems from an incomplete fix for the CVE-2012-1823 bug.

First observed in 2019, “TellYouThePass” ransomware has targeted both businesses and individuals across Windows and Linux systems. The ransomware gang has a history of exploiting known vulnerabilities, such as CVE-2021-44228 (Apache Log4j) and CVE-2023-46604 (Apache ActiveMQ), to infiltrate systems and deploy its malicious payloads.

Imperva’s analysis identified several campaigns exploiting the CVE-2024-4577 vulnerability, including attempts to upload web shells and deploy ransomware. A key component of the attack is the use of an HTA file (dd3.hta) containing a malicious VBScript. This VBScript holds a base64-encoded string that decodes into binary data, which is loaded into memory at runtime.
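The dropper pattern described above (an HTA wrapping a VBScript that carries a base64 blob decoded into a binary in memory) is something a responder can pull apart statically before ever running the file. The following triage script is an added example written for this page; it is not Imperva's tooling and not code from the campaign. It extracts long base64 runs from HTA text, decodes them, and labels each as a PE image, readable text or other binary, with a SHA-256 for hand-off. The sample HTA and its payload bytes are constructed (a bare "MZ" header plus filler), not the real dd3.hta.

```python
import base64
import binascii
import hashlib
import re

# Constructed sample standing in for a dd3.hta-style dropper: an HTA wrapper
# around a VBScript that carries a base64 blob. The payload bytes are made up
# (an "MZ" header followed by filler) so the triage logic has something to find.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 20
SAMPLE_HTA = (
    '<html><head><HTA:APPLICATION ID="app" WINDOWSTATE="minimize"></head>\n'
    '<script language="VBScript">\n'
    "Dim payload\n"
    'payload = "' + base64.b64encode(FAKE_PE).decode() + '"\n'
    "' the real sample decodes this and loads it in memory; omitted here\n"
    "</script></html>\n"
)

# Runs of the base64 alphabet long enough to be a payload rather than a word.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def classify(data: bytes) -> str:
    """Coarse label for a decoded blob: PE image, readable text, or other binary.

    Only the two-byte DOS header is checked; this is a triage hint, not a PE parser.
    """
    if data[:2] == b"MZ":
        return "pe"
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in data)
    if data and printable / len(data) > 0.95:
        return "text"
    return "binary"


def triage_hta(text: str) -> dict:
    """Report the markers a defender would pull from an HTA before sandboxing it."""
    report = {
        "is_hta": "HTA:APPLICATION" in text.upper(),
        "has_vbscript": re.search(r'language\s*=\s*"?vbscript', text, re.I) is not None,
        "blobs": [],
    }
    for m in B64_RUN.finditer(text):
        run = m.group(0)
        try:
            data = base64.b64decode(run, validate=True)
        except binascii.Error:
            # A long base64-looking run that does not decode cleanly is still
            # worth noting: obfuscators often split or reverse the real string.
            report["blobs"].append(
                {"offset": m.start(), "b64_len": len(run), "kind": "undecodable"}
            )
            continue
        report["blobs"].append({
            "offset": m.start(),
            "b64_len": len(run),
            "decoded_len": len(data),
            "kind": classify(data),
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    return report


if __name__ == "__main__":
    r = triage_hta(SAMPLE_HTA)
    print(f"HTA wrapper: {r['is_hta']}  VBScript: {r['has_vbscript']}")
    for b in r["blobs"]:
        print(b)
```

Run it against a suspect .hta read as text; a blob labelled "pe" inside a VBScript string is exactly the in-memory-load pattern the report describes, and the SHA-256 of the decoded bytes (rather than of the HTA file) is the value worth matching against sandbox or endpoint telemetry.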

Upon execution, the malware sends an HTTP request to the command-and-control (C2) server with details about the infected machine, masked as a request to retrieve CSS resources. This technique likely aims to evade detection by blending malicious activity with legitimate traffic.

Imperva said that within hours of detecting the activity described above, it observed discussions about this ransomware across various online communities.

Earlier this week, Symantec reported that the cybercrime group known as Cardinal (aka Storm-1811, UNC4393), operators of the Black Basta ransomware, may have exploited a Windows privilege escalation vulnerability (CVE-2024-26169), patched in March 2024, as a zero-day.
