New PHP Vulnerability Exploited for Malware Distribution and DDoS Attacks

Security experts at Akamai have warned that numerous threat actors are actively exploiting a recently discovered vulnerability in PHP to spread remote access trojans, cryptocurrency miners, and to launch DDoS attacks.

The RCE vulnerability, CVE-2024-4577 (scoring 9.8 on the CVSS scale), was disclosed in early June 2024. It allows attackers to remotely execute malicious commands on Windows systems. The issue is particularly severe when certain localizations are used, including Traditional Chinese, Simplified Chinese, and Japanese, which are more susceptible to this bug.

“CVE-2024-4577 allows an attacker to escape the command line and pass arguments directly for interpretation by PHP,” Akamai researchers explained. “The vulnerability is related to how Unicode characters are converted to ASCII.”
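As an added illustration (not Akamai's detection logic and not code from this article), the following Python scans constructed web-server access-log lines and queues for review any request to a PHP handler whose query string decodes to non-ASCII bytes, the kind of input the quoted Unicode-to-ASCII conversion issue involves. The log format, the sample lines and the review heuristic are assumptions made for the example.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed Apache-style access log lines for this demo; not taken from the article.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2024:12:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512
203.0.113.9 - - [10/Jun/2024:12:00:03 +0000] "GET /php-cgi/php-cgi.exe?%E2%80%93x=1 HTTP/1.1" 200 41
203.0.113.7 - - [10/Jun/2024:12:00:05 +0000] "GET /static/logo.png?v=%C3%A9 HTTP/1.1" 200 9000
203.0.113.8 - - [10/Jun/2024:12:00:07 +0000] "GET /app.php?q=caf%C3%A9 HTTP/1.1" 200 77
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Paths served by PHP: a .php script or the php-cgi binary itself.
PHP_PATH_RE = re.compile(r'(\.php|php-cgi(\.exe)?)$', re.IGNORECASE)


def non_ascii_query_bytes(target: str) -> bytes:
    """Percent-decode the query string and return only the bytes outside 7-bit ASCII."""
    _, sep, query = target.partition("?")
    if not sep:
        return b""
    return bytes(b for b in unquote_to_bytes(query) if b >= 0x80)


def flag_suspicious_php_requests(log_text: str) -> list[dict]:
    """Heuristic (an assumption of this example, not an Akamai rule): a request aimed at a
    PHP handler whose query decodes to non-ASCII bytes is queued for analyst review, since
    the bug concerns how such characters are mapped to ASCII before PHP interprets them.
    Legitimate UTF-8 parameters will also match, so tune with a per-site allow-list."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole scan
        target = m["target"]
        if not PHP_PATH_RE.search(target.split("?", 1)[0]):
            continue  # static assets and non-PHP endpoints are out of scope
        odd = non_ascii_query_bytes(target)
        if odd:
            hits.append({"ip": m["ip"], "time": m["ts"], "target": target, "bytes": odd.hex()})
    return hits


if __name__ == "__main__":
    for hit in flag_suspicious_php_requests(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} {hit['target']} non-ASCII bytes={hit['bytes']}")
```

On the constructed sample, the php-cgi request and the UTF-8 "café" parameter are both reported while the static image request is ignored, which is why the allow-list tuning in the docstring matters on sites that legitimately receive non-ASCII input.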

According to the experts, the first attempts to exploit this new bug were detected on their honeypot servers within 24 hours of the vulnerability becoming public knowledge.

Specifically, exploits were observed that aimed to distribute the Gh0st RAT remote access trojan, RedTail and XMRig cryptocurrency miners, as well as the Muhstik DDoS botnet.

“Attackers sent requests similar to those seen in previous RedTail operations to execute a wget request for a shell script,” the researchers noted. “This script makes an additional network request to the same IP address, located in Russia, to download the x86 version of the RedTail crypto-mining malware.”

Previously, experts from Imperva also warned about the exploitation of CVE-2024-4577. According to their data, the bug has been used by the TellYouThePass ransomware group to distribute a .NET variant of their ransomware.
