CVE-2024-4577: PHP RCE Vulnerability Exploited for Malware Delivery
A recently discovered vulnerability in PHP has become the target of several cybercriminals who are exploiting it to deliver remote access trojans, cryptocurrency miners, and DDoS botnets.
The RCE vulnerability CVE-2024-4577, rated 9.8 on the CVSS scale, is an argument-injection flaw in PHP's CGI mode (php-cgi) that lets unauthenticated attackers execute arbitrary code on Windows hosts whose system locale is Traditional Chinese, Simplified Chinese, or Japanese; XAMPP for Windows, which exposes php-cgi in its default configuration, is affected out of the box. The issue was disclosed on 6 June 2024 together with fixes in PHP 8.3.8, 8.2.20 and 8.1.29.
Researchers from Akamai noted in their recent report that the flaw lets attackers bypass php-cgi's command-line protection and inject arguments that PHP then interprets. The root cause is Windows' "Best-Fit" behaviour when converting Unicode to the ANSI code page: on the affected locales a soft hyphen (0xAD) is silently mapped to an ASCII hyphen (0x2D), so a query string that passes php-cgi's check for a "-" (the fix added for CVE-2012-1823) has turned into a real "-d" option by the time PHP parses it.
Akamai reported that exploitation attempts against this vulnerability were observed on its honeypot servers within 24 hours of public disclosure. Among the detected attacks were the delivery of the Gh0st RAT remote access trojan, the RedTail and XMRig cryptocurrency miners, and a DDoS botnet named Muhstik.
In one case Akamai described, the attacker sent a request resembling previously observed RedTail operations, exploiting the soft-hyphen flaw to run a wget command that fetched a shell script; the script then made a further network request to retrieve the x86 build of the RedTail cryptocurrency miner.
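As an added example, not code from the article, Akamai, or the PHP project, the following Python models the two stages described above (php-cgi's hyphen guard, then the Windows Best-Fit conversion) and uses that model to flag CVE-2024-4577-style requests in access-log lines. The guard is simplified to "reject any argv entry that already contains an ASCII hyphen", the Best-Fit table is reduced to the single 0xAD to 0x2D mapping, and the log lines, paths and 203.0.113.0/24 addresses are constructed for the demo; all of these are assumptions for illustration.

```python
"""Detect CVE-2024-4577-style php-cgi argument injection in access logs.

Added example (not code from the article, Akamai, or the PHP project).
Two stages are modelled: php-cgi's guard that drops query-string argv
entries containing an ASCII '-' (the CVE-2012-1823 fix, simplified here),
and Windows' Best-Fit conversion that later maps a soft hyphen (0xAD) to
'-' (0x2D) on Chinese/Japanese locales, which is what the guard misses.
"""
import re
from urllib.parse import unquote_to_bytes

# Best-Fit replaces characters absent from the ANSI code page with lookalikes.
# Assumption: only the single mapping this bug relies on is needed here.
BEST_FIT = {0xAD: 0x2D}

# php-cgi switches worth flagging at the start of an argv entry;
# -d sets an INI directive, -s dumps highlighted source.
OPTION = re.compile(rb"^-[dsnc]")

# Severity order for the per-request verdict.
RANK = {"clean": 0, "blocked": 1, "bypass": 2}

# Apache combined-log request line: method, target (path?query), status.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample traffic (not real captures); 203.0.113.0/24 is a documentation range.
LOG_LINES = [
    '203.0.113.5 - - [10/Jun/2024:12:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Jun/2024:12:00:02 +0000] "POST /php-cgi/php-cgi.exe?-d+allow_url_include%3d1 HTTP/1.1" 403 0',
    '203.0.113.9 - - [10/Jun/2024:12:00:03 +0000] "POST /php-cgi/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 0',
    '203.0.113.9 - - [10/Jun/2024:12:00:04 +0000] "GET /test.php?%ads HTTP/1.1" 200 2048',
]


def cgi_argv(query: str) -> list[bytes]:
    """Split a query string into argv the way RFC 3875 CGI does: '+' separates
    arguments and each piece is percent-decoded afterwards."""
    return [unquote_to_bytes(part) for part in query.split("+") if part]


def best_fit(arg: bytes) -> bytes:
    """Model the Unicode-to-ANSI conversion argv undergoes on affected locales."""
    return bytes(BEST_FIT.get(b, b) for b in arg)


def analyse_query(query: str) -> tuple[str, list[bytes]]:
    """Classify one query string.

    'blocked': an option with a literal '-' that php-cgi's guard stops.
    'bypass' : an option that only exists after Best-Fit conversion, i.e. the
               CVE-2024-4577 pattern.  Returns the options as php-cgi would see them.
    """
    if "=" in query:                      # unencoded '=' means CGI passes no argv
        return "clean", []
    verdict, options = "clean", []
    for arg in cgi_argv(query):
        guarded = b"-" in arg             # simplified php-cgi hyphen check
        seen = arg if guarded else best_fit(arg)
        if not OPTION.match(seen):
            continue
        options.append(seen)
        hit = "blocked" if guarded else "bypass"
        if RANK[hit] > RANK[verdict]:
            verdict = hit
    return verdict, options


def scan(lines: list[str]) -> list[tuple[str, str, list[bytes]]]:
    """Return (target, verdict, options) for every non-clean request line."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        target = m.group("target")
        verdict, options = analyse_query(target.partition("?")[2])
        if verdict != "clean":
            hits.append((target, verdict, options))
    return hits


if __name__ == "__main__":
    for target, verdict, options in scan(LOG_LINES):
        print(f"{verdict:8} {target}  options={options}")
```

The "bypass" verdict is the one worth alerting on: the request carried no ASCII hyphen, yet php-cgi would have parsed an option after conversion. Note that the decoder is case-insensitive (%AD and %ad both match), which mirrors percent-decoding in the server; a detector that only looks for the uppercase form misses half the traffic. For servers that cannot be upgraded, PHP's advisory recommends a mod_rewrite rule that returns 403 for query strings beginning with %ad, which this detection complements rather than replaces.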
Last month, Imperva also reported that CVE-2024-4577 was being used to deploy the TellYouThePass ransomware, delivered as a .NET-based encryptor. Users and organizations running PHP on Windows should update to 8.3.8, 8.2.20, 8.1.29 or later; end-of-life branches (8.0, 7.x and 5.x) are also affected and will not receive a fix. Where upgrading is not immediately possible, PHP's advisory recommends a mod_rewrite rule that rejects query strings beginning with %ad, and XAMPP users can comment out the /php-cgi/ ScriptAlias in httpd-xampp.conf so that php-cgi is no longer reachable.
Akamai's researchers stressed that the window between disclosure and in-the-wild exploitation keeps shrinking, which leaves defenders little time to patch; for this PHP bug it was under 24 hours, which is especially pertinent given how easy the flaw is to exploit and how quickly several cybercriminal groups adopted it.