Threat actors are exploiting a severe security flaw in PHP to deliver cryptocurrency miners and remote access trojans (RATs) like Quasar RAT.
The vulnerability, assigned the CVE identifier CVE-2024-4577, refers to an argument injection vulnerability in PHP affecting Windows-based systems running in CGI mode that could allow remote attackers to run arbitrary code.
Cybersecurity company Bitdefender said it has observed a surge in exploitation attempts against CVE-2024-4577 since late last year, with a significant concentration reported in Taiwan (54.65%), Hong Kong (27.06%), Brazil (16.39%), Japan (1.57%), and India (0.33%).
About 15% of the detected exploitation attempts involve basic vulnerability checks using commands like “whoami” and “echo <test_string>.” Another 15% revolve around commands used for system reconnaissance, such as process enumeration, network discovery, user and domain information, and system metadata gathering.
Martin Zugec, technical solutions director at Bitdefender, noted that at least roughly 5% of the detected attacks culminated in the deployment of the XMRig cryptocurrency miner.
“Another smaller campaign involved the deployment of Nicehash miners, a platform that allows users to sell computing power for cryptocurrency,” Zugec added. “The miner process was disguised as a legitimate application, such as javawindows.exe, to evade detection.”
Other attacks have been found to weaponize the shortcoming of delivering remote access tools like the open-source Quasar RAT, as well as execute malicious Windows installer (MSI) files hosted on remote servers using cmd.exe.
In perhaps something of a curious twist, the Romanian company said it also observed attempts to modify firewall configurations on vulnerable servers with an aim to block access to known malicious IPs associated with the exploit.
This unusual behavior has raised the possibility that rival cryptojacking groups are competing for control over susceptible resources and preventing them from targeting those under their control a second time. It’s also consistent with historical observations about how cryptjacking attacks are known to terminate rival miner processes prior to deploying their own payloads.
The development comes shortly after Cisco Talos revealed details of a campaign weaponizing the PHP flaw in attacks targeting Japanese organizations since the start of the year.
Users are advised to update their PHP installations to the latest version to safeguard against potential threats.
“Since most campaigns have been using LOTL tools, organizations should consider limiting the use of tools such as PowerShell within the environment to only privileged users such as administrators,” Zugec said.
