
Image: Bitdefender
Cybersecurity experts have observed a surge in exploitation of CVE-2024-4577, a critical (CVSS 9.8) vulnerability in PHP, to deploy cryptominers and remote access Trojans (RATs) such as Quasar RAT. The flaw is an argument injection in php-cgi on Windows and is effectively a bypass of the 2012 fix for CVE-2012-1823: when PHP runs under a Windows code page that applies "Best-Fit" character mapping (notably the Japanese, Simplified Chinese and Traditional Chinese locales), the soft-hyphen byte 0xAD in a request is converted to an ASCII hyphen before php-cgi parses it, so an attacker can smuggle command-line options such as -d into the query string and execute arbitrary code remotely. Default XAMPP installations on Windows expose php-cgi in this way. The bug was fixed in June 2024 in PHP 8.3.8, 8.2.20 and 8.1.29; PHP 8.0 and earlier branches are end-of-life and received no patch.
According to Bitdefender, attacks leveraging CVE-2024-4577 have escalated sharply since late last year, with Taiwan bearing the brunt (54.65% of all recorded attacks), followed by Hong Kong (27.06%), Brazil (16.39%), Japan (1.57%), and India (0.33%), a distribution consistent with the CJK locales in which the Best-Fit mapping applies. Approximately 15% of the recorded attacks involved basic vulnerability tests, such as executing `whoami` or `echo <test_string>`. Another 15% were dedicated to reconnaissance, including process enumeration, network analysis, user and domain information gathering, and system metadata extraction.
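As an added example (not code from the Bitdefender or Cisco Talos write-ups), the following Python script hunts for the probes described above in Apache combined-format access logs. The log lines embedded in it are constructed for the example; it assumes the vulnerable php-cgi is reached either directly (a php-cgi.exe path) or through a .php URL served by CGI. For each hit it rebuilds the command line php-cgi would have seen once Best-Fit mapping turned the percent-encoded soft hyphen (%AD) into a '-', which is what turns a query string into injected options.

```python
import re
from urllib.parse import unquote_to_bytes

# Apache "combined" access-log line; the sample lines further down are constructed, not real traffic.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

SOFT_HYPHEN = 0xAD  # U+00AD; Best-Fit mapping in code pages 932/936/950 turns this byte into '-'

# Paths that end up in php-cgi: direct php-cgi.exe calls or .php/.cgi scripts handled by CGI.
PHP_TARGET = re.compile(r'\.php\d?$|php-?cgi|\.cgi$', re.IGNORECASE)


def parse_line(line):
    """Split one access-log line into ip / timestamp / method / target / status, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def reconstruct_argv(raw_query):
    """Rebuild the argv php-cgi sees when CGI passes the query string as arguments.

    The public probe avoids a literal '=' in the raw query (it encodes it as %3d), so the
    web server splits the query on '+' into argv; after Best-Fit each 0xAD byte reads as '-',
    which is how '%ADd' becomes the php-cgi option '-d'.
    """
    argv = []
    for token in raw_query.split('+'):
        decoded = unquote_to_bytes(token).replace(bytes([SOFT_HYPHEN]), b'-')
        argv.append(decoded.decode('latin-1'))
    return argv


def classify(target):
    """Return the reconstructed argv for a CVE-2024-4577-style request target, else None."""
    path, sep, raw_query = target.partition('?')
    if not sep or not PHP_TARGET.search(path):
        return None
    # A soft hyphen has no business in a query string aimed at PHP; treat it as the signature.
    if SOFT_HYPHEN not in unquote_to_bytes(raw_query):
        return None
    return reconstruct_argv(raw_query)


def scan(lines):
    """Return one finding per log line whose request carries a soft-hyphen argument injection."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        argv = classify(rec['target'])
        if argv is not None:
            findings.append({'ip': rec['ip'], 'ts': rec['ts'],
                             'target': rec['target'], 'argv': argv})
    return findings


# Constructed sample log: two benign requests and two probes (one upper-, one lower-case %AD).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2025:10:00:00 +0000] "GET /index.php?id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2025:10:00:01 +0000] "POST /php-cgi/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 87 "-" "python-requests/2.31"',
    '198.51.100.7 - - [10/Mar/2025:10:00:02 +0000] "POST /test.php?%add+cgi.force_redirect%3d0 HTTP/1.1" 500 0 "-" "curl/8.4"',
    '203.0.113.9 - - [10/Mar/2025:10:00:03 +0000] "GET /info.php?page=a%2Db HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['target']}\n    php-cgi argv: {f['argv']}")
```

The benign requests are not flagged even though one of them contains a percent-encoded ASCII hyphen (%2D): the signature is the soft hyphen byte itself, not a hyphen, because PHP already rejects a literal leading '-' since the CVE-2012-1823 fix. Run it against real logs with `scan(open(path, encoding='latin-1'))`; the `-d auto_prepend_file=php://input` pair in the reconstructed argv is the tell that the request body was meant to be executed as PHP.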
Around 5% of these attacks resulted in the deployment of XMRig, a widely used cryptocurrency miner that consumes the computational resources of infected machines. Additionally, Bitdefender identified a separate campaign in which attackers installed NiceHash miners disguised as legitimate system processes, under names such as `javawindows.exe`, to evade detection.
Beyond cryptomining, the vulnerability has also been exploited to distribute remote access Trojans. Researchers detected instances of Quasar RAT deployment, as well as the execution of malicious MSI files fetched from remote servers via `cmd.exe`.
A particularly intriguing discovery was the attempted modification of firewall settings on compromised servers to block access to known malicious IP addresses. This may indicate an ongoing rivalry among competing cryptojacking groups, each seeking to prevent reinfection of already compromised systems. Such tactics have previously been observed, where threat actors eliminate rival mining processes before deploying their own malware payloads.
Cisco Talos researchers recently reported a separate campaign in which this PHP vulnerability was exploited to target Japanese organizations. To mitigate these risks, users are strongly urged to update PHP immediately to a fixed release (8.3.8, 8.2.20, 8.1.29 or later; end-of-life branches must be upgraded, not patched). Where CGI mode is not actually required, the safer course is to run PHP through mod_php, FastCGI or PHP-FPM instead of php-cgi; where php-cgi must remain, the vendor advisory's interim mitigation is a web-server rewrite rule that rejects any request whose query string begins with the encoded soft hyphen (%ad). Security experts also recommend restricting the use of built-in Windows tools, such as PowerShell, by limiting execution privileges exclusively to administrators, and running the web server under a low-privileged account so that a successful injection does not land in an administrative context.