TellYouThePass Ransomware Group Exploits Critical PHP Flaw

A threat group is exploiting a critical, easily exploitable PHP bug for remote code execution (RCE) in living-off-the-land style ransomware attacks that target businesses and individuals running both Windows and Linux systems.

TellYouThePass is a ransomware group active since 2019 that attacks victims using known vulnerabilities, particularly those found within open source Web development languages, including the widely exploited Apache Log4j (CVE-2021-44228) and the Apache ActiveMQ Server RCE bug tracked as CVE-2023-46604, according to a blog post published this week by Imperva Threat Research.

Lately the group has been exploiting a critical RCE vulnerability found within the PHP scripting language discovered earlier this month and tracked as CVE-2024-4577. "We noticed a few campaigns, including WebShell upload attempts and several attempts to place ransomware on a target system," the researchers said.

Similar to Java, PHP is a commonly used language in Web development, making any flaws that affect it a broad attack surface for attackers. If the Log4j flaw is any indication, these types of vulnerabilities can set off a viral stream of attacks that can plague organizations and their respective security posture for years.

Critical Flaw With Public Exploit

CVE-2024-4577 is an argument-injection vulnerability that stems from errors in character-encoding conversions in PHP, particularly impacting the "Best Fit" feature on Windows systems. "It poses significant risks, potentially allowing malicious actors to execute arbitrary code on vulnerable servers," according to analysis of the flaw by Beagle Security.

Researchers at watchTowr released a proof-of-concept (PoC) exploit script for CVE-2024-4577 on their GitHub page on June 7, demonstrating that the bug was not difficult to exploit.

Apparently TellYouThePass got the memo and has pounced on the flaw to execute arbitrary PHP code on the target system, according to Imperva. Specifically, the group is "leveraging the code to use the 'system' function to run an HTML application file hosted on an attacker-controlled Web server via the mshta.exe binary," according to the post. Mshta.exe is a native Windows binary that can execute remote payloads; thus, the attack vector shows the group operating in a living-off-the-land style.

How TellYouThePass Attacks

First identified by security researchers in 2019, TellYouThePass and its ransomware has taken "various forms over the years," according to Imperva. Most recently, variants of the malware have taken the form of .NET samples delivered using HTML applications.

"The initial infection is performed with the use of an HTA file (dd3.hta), which contains a malicious VBScript," according to the post. "The VBScript contains a long base64 encoded string, which when decoded reveals bytes of a binary, which are loaded into memory during runtime."

Further analysis of the executable reveals that the ransomware is a .NET variant that upon initial execution sends an HTTP request to the command-and-control (C2) server containing details about the infected machine as a notification of infection. "The callback masquerades as a request to retrieve CSS resources likely designed to evade detection," according to Imperva.

Once executed, the ransomware enumerates directories, kills processes, generates encryption keys, and encrypts files within each enumerated directory that has a defined file extension. Its final act is to publish a ReadMe message in the Web root directory that provides victims the info they need to respond to the attack.

Avoiding Compromise via CVE-2024-4577

The issue affects PHP versions 8.1. before 8.1.29; 8.2. before 8.2.20; and 8.3. before 8.3.8 when using Apache and PHP-CGI on Windows. PHP versions 8.1.29, 8.2.20 and 8.3.8 patch the flaw.

There are other ways that organizations can mitigate exploit of the PHP flaw as well as avoid ransomware attacks in general. Patching affected systems would be the first obvious mitigation of CVE-2024-4577; however, as seen with Log4j, sometimes it's difficult to update every system that is affected by a flaw in a Web scripting language.

One way to minimize exploitation of the flaw is to disable running PHP with CGI mode enabled, according to an analysis of the flaw posted online by DEVCORE. "Since PHP CGI is an outdated and problematic architecture, it's still recommended to evaluate the possibility of migrating to a more secure architecture such as Mod-PHP, FastCGI, or PHP-FPM," according to the post.

Some general best practices to avoid being compromised by ransomware include having strong awareness of all the various assets and applications present in an environment and patching any vulnerabilities affecting them, according to Imperva. Organizations also should use Web firewall technology that can stop attacks once they are discovered, as well as a reliable anti-virus program as a first line of defense against malware campaigns like TellYouThePass.