TellYouThePass Ransomware Actor Weaponizing PHP RCE Flaw, Patch Immediately
The notorious TellYouThePass ransomware gang is exploiting a critical remote code execution (RCE) vulnerability in PHP to compromise servers and deploy its malicious payloads.
The flaw, tracked as CVE-2024-4577, enables unauthenticated attackers to execute arbitrary code on vulnerable PHP installations.
Imperva researchers discovered that the TellYouThePass ransomware operators began exploiting this high-severity PHP bug mere hours after a proof-of-concept (PoC) exploit was publicly released on June 10, 2024.
The threat actors target exposed PHP servers to gain initial access and move laterally through victims' networks before encrypting data and demanding ransom payments.
"The rapid weaponization of CVE-2024-4577 by the TellYouThePass ransomware group underscores the critical need for organizations to patch their PHP deployments immediately," warned the Imperva research team. "We expect other threat actors to quickly adopt this exploit as part of their attack chains."
PHP developers have released security updates addressing the RCE vulnerability in versions 8.2.7, 8.1.19, and 7.4.33. System administrators are strongly urged to upgrade their PHP installations to the latest patched releases to mitigate the risk of compromise.
The TellYouThePass ransomware first emerged in late 2021, when it exploited the infamous Log4Shell vulnerability to infect Windows and Linux systems.
In 2022, the malware was rewritten in the Go programming language, enabling the operators to more easily target multiple operating systems, including macOS.
More recently, in November 2023, TellYouThePass was observed exploiting a critical RCE flaw (CVE-2023-46604) in Apache ActiveMQ message broker servers to breach and encrypt victims' data.
Arctic Wolf security researchers found evidence linking the TellYouThePass gang to HelloKitty ransomware attacks leveraging the same ActiveMQ vulnerability.
With this latest PHP exploitation campaign, the TellYouThePass ransomware actor continues to demonstrate its ability to rapidly incorporate newly disclosed vulnerabilities into its attack toolkit.
Organizations running PHP in their environments should prioritize patching CVE-2024-4577 to defend against these evolving ransomware threats.
IoCs
URL: hxxp:/88.218.76[.]13/dd3.hta
C2 IP: 88.218.76[.]13
Hash (HTA sample): 95279881525d4ed4ce25777bb967ab87659e7f72235b76f9530456b48a00bac3
Hash (HTA sample): 5a2b9ddddea96f21d905036761ab27627bd6db4f5973b006f1e39d4acb04a618
Hash (extracted .NET binary): 9562AD2C173B107A2BAA7A4986825B52E881A935DEB4356BF8B80B1EC6D41C53
Bitcoin wallet address: bc1qnuxx83nd4keeegrumtnu8kup8g02yzgff6z53l
Source credit: cybersecuritynews.com
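To turn the indicators listed above into a retrospective hunt, the following added example (written for this page, not code from the article, Imperva or the ransomware operators) refangs the published URL and C2 address and sweeps them, together with the published SHA-256 hashes, across constructed sample data. The egress-proxy log format, the internal host names and addresses, the Windows file paths and the third, benign hash (SHA-256 of an empty file) are all assumptions made for the demonstration; only the indicators themselves come from the article.

```python
import re
from urllib.parse import urlsplit

# Indicators exactly as published in the article above (defanged form).
ARTICLE_IOCS = {
    "url": "hxxp:/88.218.76[.]13/dd3.hta",
    "c2_ip": "88.218.76[.]13",
    "sha256": [
        "95279881525d4ed4ce25777bb967ab87659e7f72235b76f9530456b48a00bac3",
        "5a2b9ddddea96f21d905036761ab27627bd6db4f5973b006f1e39d4acb04a618",
        "9562AD2C173B107A2BAA7A4986825B52E881A935DEB4356BF8B80B1EC6D41C53",
    ],
}

def refang(indicator: str) -> str:
    """Restore a defanged indicator (hxxp, [.]) so it can be compared with real log data."""
    s = indicator.replace("[.]", ".")
    m = re.match(r"^(hxxps?):/+(.*)$", s)   # tolerates the single slash in the published URL
    if m:
        scheme = "https" if m.group(1) == "hxxps" else "http"
        s = f"{scheme}://{m.group(2)}"
    return s

def host_of(target: str) -> str:
    """Host part of a proxy-log target: either a full URL or a CONNECT host:port."""
    if "://" in target:
        return urlsplit(target).hostname or ""
    return target.rsplit(":", 1)[0]

# Constructed sample egress-proxy log, one request per line:
#   "<timestamp> <client_ip> <method> <target> <status>"
# Timestamps, client addresses and internal names are assumptions for this example.
# The last line deliberately contacts a near-miss address (…76.130) to show exact matching.
SAMPLE_PROXY_LOG = """\
2024-06-11T03:12:44Z 10.0.5.23 GET http://update.internal.example/patch.msi 200
2024-06-11T03:13:01Z 10.0.5.23 GET http://88.218.76.13/dd3.hta 200
2024-06-11T03:14:10Z 10.0.7.9 CONNECT 88.218.76.13:443 200
2024-06-11T03:15:30Z 10.0.7.9 GET http://cdn.internal.example/jquery.js 304
2024-06-11T03:16:02Z 10.0.9.1 GET http://88.218.76.130/index.html 200
""".splitlines()

# Constructed sample file-creation events from an endpoint agent: (host, path, sha256).
# The third digest is the SHA-256 of an empty file, included as a benign control value.
SAMPLE_FILE_EVENTS = [
    ("10.0.5.23", r"C:\Users\Public\dd3.hta",
     "95279881525d4ed4ce25777bb967ab87659e7f72235b76f9530456b48a00bac3"),
    ("10.0.7.9", r"C:\Windows\Temp\svc.exe",
     "9562ad2c173b107a2baa7a4986825b52e881a935deb4356bf8b80b1ec6d41c53"),
    ("10.0.9.1", r"C:\Users\alice\empty.txt",
     "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
]

def scan_proxy_log(lines, iocs=ARTICLE_IOCS):
    """Return (timestamp, client, indicator_type, target) for each line that touches an IoC."""
    bad_url = refang(iocs["url"])
    bad_host = refang(iocs["c2_ip"])
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed lines instead of aborting the whole sweep
        ts, client, _method, target, _status = fields[:5]
        if target == bad_url:
            hits.append((ts, client, "url", target))
        elif host_of(target) == bad_host:  # exact host comparison, so 88.218.76.130 is not a hit
            hits.append((ts, client, "c2_ip", target))
    return hits

def scan_file_events(events, iocs=ARTICLE_IOCS):
    """Return (host, path) for every file whose SHA-256 matches a published sample hash."""
    known = {h.lower() for h in iocs["sha256"]}  # one published hash is upper-case; normalise
    return [(host, path) for host, path, digest in events if digest.lower() in known]

def affected_hosts(proxy_hits, file_hits):
    """Distinct internal hosts implicated by either data source."""
    return {hit[1] for hit in proxy_hits} | {host for host, _ in file_hits}

if __name__ == "__main__":
    proxy_hits = scan_proxy_log(SAMPLE_PROXY_LOG)
    file_hits = scan_file_events(SAMPLE_FILE_EVENTS)
    for hit in proxy_hits:
        print("proxy:", *hit)
    for hit in file_hits:
        print("file: ", *hit)
    print("hosts to isolate and investigate:", sorted(affected_hosts(proxy_hits, file_hits)))
```

Two details matter in practice: the published hashes are mixed-case, so both sides of the comparison are lower-cased before matching, and the C2 address is compared as a parsed host rather than a substring, so a neighbouring address such as 88.218.76.130 does not produce a false positive. Point the two scan functions at real proxy exports and EDR file-event feeds in place of the constructed samples.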