Hackers Exploiting PHP Vulnerability To Launch DDoS Attacks

Attackers are exploiting vulnerabilities much faster after disclosure, with an average time to exploitation of 4 days, and they continue to target older vulnerabilities as well.

A recent critical vulnerability in PHP versions 8.1.*, 8.2.*, and 8.3.* allows attackers to achieve remote code execution (RCE) due to how PHP and CGI handlers parse Unicode characters.

The vulnerability, tracked as CVE-2024-4577, allows attackers to achieve Remote Code Execution (RCE) by injecting malicious PHP code through specially crafted requests and leveraging the php://input stream to embed code within the request body.

By abusing the auto_prepend_file configuration option, attackers can ensure their injected code runs before any legitimate scripts, and enabling allow_url_include allows attackers to fetch and execute code from remote locations, further increasing the exploit’s potential impact. 

Malicious and benign invocation of php.exe

A vulnerability (CVE-2024-4577) exists in PHP versions running on Windows in CGI mode with specific language settings, allowing attackers to inject commands due to how Unicode characters are misinterpreted during processing.  

Normally, user input would be sanitized before being passed to the PHP interpreter, but the attacker can utilize a “soft hyphen,” which is indistinguishable from a normal hyphen to human eyes but interpreted differently by the system. 

This allows the attacker to bypass standard filtering and inject malicious code into the PHP process, resulting in unauthorized remote code execution (RCE).
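As an added example (not part of the original article), the following Python detector applies the two indicators described above to web server access logs: a soft hyphen (U+00AD, sent as a bare %AD byte or as UTF-8 %C2%AD) in a query string aimed at the php-cgi handler, and the auto_prepend_file, allow_url_include or php://input directives appearing in that query. The log lines are constructed samples, and the log format, regexes and function names are assumptions made for this example.

```python
import re
from urllib.parse import unquote_to_bytes

SOFT_HYPHEN = "\u00ad"
# php.ini directives the article says attackers push through the injected CGI arguments
SUSPECT_DIRECTIVES = ("auto_prepend_file", "allow_url_include", "php://input")
CGI_PATH = re.compile(r"php-cgi(\.exe)?$", re.IGNORECASE)
# Assumed Apache/nginx style access-log line: client address, then the quoted request line
LOG_RE = re.compile(r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def decode_query(query: str) -> str:
    """Percent-decode; a bare %AD byte (Windows code page) is invalid UTF-8,
    so fall back to latin-1, where 0xAD maps directly to U+00AD."""
    raw = unquote_to_bytes(query)
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return raw.decode("latin-1")

def classify_request(target: str) -> list[str]:
    """Return the reasons a request target looks like a CVE-2024-4577 probe (empty if none)."""
    path, _, query = target.partition("?")
    findings = []
    if not CGI_PATH.search(path):
        return findings  # only requests routed to the CGI handler are relevant
    decoded = decode_query(query)
    if SOFT_HYPHEN in decoded:
        findings.append("soft hyphen (U+00AD) in php-cgi query string")
    for directive in SUSPECT_DIRECTIVES:
        if directive in decoded.lower():
            findings.append(f"{directive} passed in query string")
    return findings

def scan_log(lines) -> list[dict]:
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        findings = classify_request(m.group("target"))
        if findings:
            hits.append({"client": m.group("client"), "method": m.group("method"),
                         "target": m.group("target"), "findings": findings})
    return hits

# Constructed sample log lines (not real traffic): benign, two probes, and a normal hyphen.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Jun/2024:12:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512',
    '198.51.100.8 - - [10/Jun/2024:12:00:02 +0000] "POST /cgi-bin/php-cgi.exe?%AD+allow_url_include%3D1 HTTP/1.1" 200 77',
    '198.51.100.9 - - [10/Jun/2024:12:00:03 +0000] "GET /cgi-bin/php-cgi.exe?x=%C2%AD HTTP/1.1" 404 0',
    '198.51.100.10 - - [10/Jun/2024:12:00:04 +0000] "GET /cgi-bin/php-cgi.exe?x=a-b HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["client"], hit["method"], hit["target"], "->", "; ".join(hit["findings"]))
```

A normal ASCII hyphen never matches, so ordinary query strings are not flagged; the soft-hyphen check alone is a strong signal for this CVE since U+00AD has no legitimate use in php-cgi arguments.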

Breakdown of malicious and benign invocations of php.exe

Within 24 hours of a recently disclosed PHP flaw, attackers leveraged it in an exploit attempt using Gh0st RAT malware (a UPX-packed Windows executable) by sending a POST request with malicious data to the URI ‘/cgi-bin/php-cgi.exe’. 

When executed in a sandbox, the malware dropped another UPX-packed executable (‘Iqgqosc.exe’), performed system reconnaissance, and communicated with a Germany-based command and control server (146.19.100.7:8001). 

The IP address used for malware delivery (147.50.253.109) was linked to ‘BangCloud’ in Thailand and associated with malicious activity.

Gh0st RAT malware sample MITRE ATT&CK TTPs

The RedTail cryptominer campaign exploits the CVE-2024-4577 vulnerability by sending a malicious request to a web server; the request abuses the soft hyphen flaw to execute a script that downloads the RedTail miner from a Russia-based IP.

The downloaded script searches for writable directories on the victim's system, then retrieves and executes the miner binary that matches the system architecture. The script also lists architectures irrelevant to Windows, which suggests the attackers reused a generic script.

RedTail cryptomining shell script

According to Akamai, attackers exploited the vulnerability on web servers to deploy several different malware families. One campaign used a shell script to download Muhstik malware, identified by the specific filename "pty3" and the directories it creates.

Another campaign used a base64 encoded PowerShell script to download and run a miner script (likely XMRig) from a remote location for cryptocurrency mining. 

Kaaviya (https://cyberpress.org/)
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She covers various cyber security incidents happening in cyberspace.
