A critical vulnerability in PHP, designated CVE-2024-4577, has become a prime target for cybercriminals within a day of its public disclosure in June 2024. The Akamai Security Intelligence Response Team (SIRT) has observed a surge in malicious activity leveraging this flaw, which enables remote code execution (RCE) on vulnerable PHP installations.
This vulnerability affects PHP 8.1.* before 8.1.29, 8.2.* before 8.2.20, and 8.3.* before 8.3.8, specifically when PHP is running in CGI mode. Attackers have swiftly weaponized the flaw, deploying a diverse range of malware, including:
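The affected ranges above are per-branch, so "am I patched?" is a comparison against the fixed release of the branch you run, combined with whether the web-facing PHP actually runs as CGI. The check below is an added example, not code from the article or from Akamai; it encodes the article's three fixed versions, parses a `php -v` banner (the sample banners are constructed), and takes the SAPI name as a parameter because `php -v`/`php -i` run from a shell always report the CLI SAPI, not the one serving requests. Treating any SAPI name starting with `cgi` as CGI mode, and treating branches the article does not list as "unknown" rather than "safe", are this example's assumptions.

```python
import re

# Fixed releases per branch, as stated in the article: 8.1.* before 8.1.29,
# 8.2.* before 8.2.20 and 8.3.* before 8.3.8 are affected when PHP runs in CGI mode.
FIXED_VERSIONS = {
    (8, 1): (8, 1, 29),
    (8, 2): (8, 2, 20),
    (8, 3): (8, 3, 8),
}


def parse_php_version(text):
    """Pull (major, minor, patch) out of a 'php -v' banner or a bare version string."""
    match = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if match is None:
        raise ValueError(f"no PHP version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected_version(version):
    """True if the version is below the fix for its branch, False if at or above it.

    Returns None for branches the article does not list (8.0 and earlier); the
    assumption here is that 'not listed' means unknown, not safe.
    """
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return None
    return version < fixed


def assess(version_text, sapi_name):
    """Combine the version check with the SAPI the web-facing PHP runs under.

    sapi_name is what php_sapi_name() returns in the web context; anything starting
    with 'cgi' (e.g. 'cgi-fcgi' for php-cgi) is treated as CGI mode (assumption).
    """
    affected = is_affected_version(parse_php_version(version_text))
    if affected is None:
        return "unknown-branch"
    if not affected:
        return "patched"
    if sapi_name.lower().startswith("cgi"):
        return "vulnerable"
    return "affected-version-not-cgi"


if __name__ == "__main__":
    # Constructed sample banners and SAPI names, not output from real hosts.
    samples = [
        ("PHP 8.3.7 (cli) (NTS)", "cgi-fcgi"),
        ("PHP 8.3.8 (cli) (NTS)", "cgi-fcgi"),
        ("PHP 8.1.28 (cli) (NTS)", "apache2handler"),
        ("PHP 8.0.30 (cli) (NTS)", "cgi-fcgi"),
    ]
    for banner, sapi in samples:
        print(f"{parse_php_version(banner)} under {sapi}: {assess(banner, sapi)}")
```

An `affected-version-not-cgi` result still means the install is below the fixed release and should be updated; it only records that the CGI precondition named in the article is not met for that SAPI.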
- Gh0st RAT Malware
One of the earliest observed exploits involved the Gh0st RAT malware, a well-known remote access tool. Within a day of the CVE’s disclosure, Gh0st RAT attacks were detected. The malware, packed with UPX, drops an additional executable named “Iqgqosc.exe,” which enumerates connected drives and peripherals and queries the registry. It then renames itself to a long, seemingly random filename to avoid detection and communicates with a command and control (C2) server based in Germany.
- RedTail Cryptominer
Another observed campaign involved the RedTail cryptomining malware. Attackers exploited the vulnerability by sending requests that used the Unicode flaw to run wget and fetch a shell script. This script, hosted on a Russia-based IP address, downloads and executes the RedTail cryptominer. The script is designed to identify writable directories, download the payload there, and rename it to “.redtail.”
- Muhstik Malware
The Muhstik malware was also seen leveraging CVE-2024-4577. A shell script downloaded an ELF file named “pty3,” indicative of the Muhstik malware, which targets IoT and Linux servers for cryptomining and DDoS attacks. The malware creates directories such as “/var/run/pty3” and communicates with a C2 domain recently linked to other Muhstik campaigns.
- XMRig
A fourth campaign involved the XMRig cryptominer. The exploit used PowerShell to download and execute a script that deploys XMRig from a remote mining pool. The script then cleans up its temporary files to cover its tracks, making detection more difficult.
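The four campaigns above leave host artifacts the article names directly (the dropped “Iqgqosc.exe”, the “.redtail” payload, the “pty3” ELF and its “/var/run/pty3” directory) plus one behaviour without a fixed name (Gh0st RAT renaming itself to a long, seemingly random filename). The sweep below is an added example, not code from the article or from Akamai: it matches a list of paths against the article's indicators and applies a length-plus-character-entropy heuristic for the random-rename behaviour. The sample paths are constructed, and the heuristic thresholds (stem of at least 24 characters, at least 3.5 bits/char) are this example's assumptions, not values from the article.

```python
import math
import os

# Filenames and paths named in the article's four campaigns.
KNOWN_BASENAMES = {
    "Iqgqosc.exe": "Gh0st RAT: dropped executable",
    ".redtail": "RedTail: renamed cryptominer payload",
    "pty3": "Muhstik: downloaded ELF payload",
}
KNOWN_DIRS = {
    "/var/run/pty3": "Muhstik: created working directory",
}


def shannon_entropy(s):
    """Bits per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random_executable(basename, min_len=24, min_entropy=3.5):
    """Heuristic for the article's 'long, seemingly random filename' behaviour.

    Thresholds are this example's assumptions: a .exe whose stem is at least
    min_len characters and has at least min_entropy bits/char is flagged.
    """
    stem, ext = os.path.splitext(basename)
    return ext.lower() == ".exe" and len(stem) >= min_len and shannon_entropy(stem) >= min_entropy


def classify(raw_path):
    """Return the matching indicator description for a path, or None if clean."""
    path = raw_path.replace("\\", "/")        # normalise Windows separators
    basename = path.rsplit("/", 1)[-1]
    for directory, reason in KNOWN_DIRS.items():
        if path == directory or path.startswith(directory + "/"):
            return reason
    if basename in KNOWN_BASENAMES:
        return KNOWN_BASENAMES[basename]
    if looks_random_executable(basename):
        return "heuristic: long, high-entropy .exe name"
    return None


def sweep(paths):
    """Return (path, reason) pairs for every path that matches an indicator or the heuristic."""
    return [(p, reason) for p in paths if (reason := classify(p)) is not None]


# Constructed sample paths: three article indicators, one heuristic hit, two clean files.
SAMPLE_PATHS = [
    "C:\\Users\\Public\\Iqgqosc.exe",
    "/tmp/.redtail",
    "/var/run/pty3",
    "C:\\Windows\\Temp\\a8f3kq9z2m4x7b1c5d6e0f9g3h2j.exe",
    "/usr/bin/python3",
    "C:\\Program Files\\Notepad\\notepad.exe",
]

if __name__ == "__main__":
    for path, reason in sweep(SAMPLE_PATHS):
        print(f"{path}: {reason}")
```

Exact-name matching is only as good as the names the attacker happens to reuse, which is why the heuristic is kept separate and labelled as such in the output: a hit on it is a lead to examine, not a confirmed infection. On a real host you would feed `sweep` the output of a filesystem walk rather than the constructed list.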
The rapid and widespread exploitation of CVE-2024-4577 underscores the critical need for immediate patching of affected PHP installations. Organizations that fail to update their systems promptly face significant risks, including data breaches, unauthorized access, system compromise, and potential ransomware attacks.