This website uses cookies

Our website, platform and/or any sub domains use cookies to understand how you use our services, and to improve both your experience and our marketing relevance.

🔊 Web Growth Summit is here! Learn from industry experts on July 17-18, 2024. REGISTER NOW→

Ransomware Gang TellYouThePass Exploits PHP Vulnerability

Updated on June 12, 2024

2 Min Read
Ransomware Gang TellYouThePass Exploits PHP Vulnerability


A ransomware gang known as TellYouThePass has swiftly exploited a critical vulnerability in Windows installations of the PHP web scripting language. This vulnerability, tracked as CVE-2024-4577, was targeted by the group just hours after researchers released a proof-of-concept script.

via GIPHY

Imperva Threat Research reported on Monday that the TellYouThePass operators began exploiting the PHP bug almost immediately. The gang, active since 2019, is known for seizing opportunities in widespread cyber incidents, much like they did with the 2021 Log4Shell vulnerability. Chinese network security firm Snagfor had previously spotted the group in March.

Also read: PHP vulnerability exposes Windows servers to remote attacks

Imperva’s researchers observed multiple hacking attempts against Windows PHP systems, including webshell uploads and ransomware deployment efforts. Attackers utilized the PHP flaw to execute arbitrary code by leveraging the PHP system function to run an HTML application file hosted on a hacker-controlled server. They employed mshta.exe, a native Windows binary, to execute remote payloads, a tactic known as “living off the land.”

via GIPHY

The initial infection vector involved an HTML application named dd3.hta, containing a malicious VBScript. This VBScript included a base64 encoded string, which, when decoded, revealed binary bytes loaded into memory during runtime.

The decoded bytes revealed a serialized method that loaded a Portable Executable file into memory—a .NET variant of the TellYouThePass ransomware. Upon execution, the file sent an HTTP request to a command-and-control server with details about the infected machine. This request was disguised as a request to retrieve CSS resources, likely to avoid detection.

The command-and-control IP was hardcoded in the malware sample studied by Imperva. The attack concluded with a ReadMe message placed in the web root directory, providing ransom payment instructions.

Share your opinion in the comment section. COMMENT NOW

Share This Article

Abdul Rehman

Abdul is a tech-savvy, coffee-fueled, and creatively driven marketer who loves keeping up with the latest software updates and tech gadgets. He's also a skilled technical writer who can explain complex concepts simply for a broad audience. Abdul enjoys sharing his knowledge of the Cloud industry through user manuals, documentation, and blog posts.

×

Thankyou for Subscribing Us!

×

Webinar: How to Get 100% Scores on Core Web Vitals

Join Joe Williams & Aleksandar Savkovic on 29th of March, 2021.

Do you like what you read?

Get the Latest Updates

Share Your Feedback

Please insert Content

Thank you for your feedback!

Do you like what you read?

Get the Latest Updates

Share Your Feedback

Please insert Content

Thank you for your feedback!

Want to Experience the Cloudways Platform in Its Full Glory?

Take a FREE guided tour of Cloudways and see for yourself how easily you can manage your server & apps on the leading cloud-hosting platform.

Start my tour

CYBER WEEK SAVINGS

  • 0

    Days

  • 0

    Hours

  • 0

    Mints

  • 0

    Sec

GET OFFER

For 4 Months &
40 Free Migrations

For 4 Months &
40 Free Migrations

Upgrade Now