TellYouThePass: Ransomware Attacks Exploits Critical PHP RCE Vulnerability
2024.08.01


S2W Threat Intelligence Center TALON has published a report on the TellYouThePass ransomware exploiting a PHP vulnerability.

This advanced report goes beyond simple malware analysis, providing insights into tracking associated virtual assets.

📌 Ransomware

TellYouThePass, a ransomware group that first appeared in March 2019, has been attacking vulnerable servers using publicly available RCE exploits such as Windows SMB EternalBlue, Log4j vulnerabilities, Confluence Server vulnerabilities, and Apache MQ vulnerabilities.

- TellYouThePass does not operate a data leak site; it negotiates with victim companies and hands over decryption keys only through the email address written in the ransom note.

- As of June 8, 2024, many cases of TellYouThePass ransomware being distributed by exploiting the PHP RCE vulnerability (CVE-2024-4577), patched on 2024-06-06, have been confirmed.

📌 Vulnerability

CVE-2024-4577 is a CGI argument injection vulnerability that affects all versions of PHP installed on Windows OS, allowing arbitrary command execution.

- All versions of PHP prior to 8.3.8, 8.2.20, and 8.1.29 running in Windows environments with the system locale set to Japanese, Simplified Chinese, or Traditional Chinese are affected by this vulnerability.

- In other environments, such as code page 949 (Korean), it has been confirmed that the vulnerable behaviour triggered by the %AD string does not occur. However, because PHP is deployed in so many different configurations, not every case can be verified, so exploitability outside the listed locales cannot be ruled out with certainty.
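The report's description of the vulnerability (a CGI argument injection triggered by the %AD string) is enough to write a defensive check for web server access logs. The example below is added here and is not code from the S2W report; it assumes Common Log Format lines and uses the RFC 3875 rule that a CGI query string without an unencoded `=` is passed to the script as command-line arguments. The sample log lines are constructed.

```python
import re
from urllib.parse import unquote_to_bytes

# Common Log Format request line: "METHOD path?query HTTP/x.y"
_REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def is_cve_2024_4577_probe(log_line: str) -> bool:
    """Flag an access-log line whose request has the shape of a CVE-2024-4577 probe:
    a request to php-cgi or a .php path whose query string has no unencoded '='
    (so a CGI server passes it as argv, RFC 3875 section 4.4) and that contains
    the percent-encoded 0xAD byte named in the report as the trigger.
    The locale-dependent conversion of 0xAD happens on the server, so this check
    flags the request shape regardless of the target's code page."""
    m = _REQUEST_RE.search(log_line)
    if not m:
        return False
    path, sep, query = m.group("target").partition("?")
    if not sep:
        return False
    lowered = path.lower()
    if not (lowered.endswith(".php") or "php-cgi" in lowered):
        return False
    if "=" in query:  # ordinary form data, not command-line arguments
        return False
    return b"\xad" in unquote_to_bytes(query)


def scan(lines):
    """Return the access-log lines that match the probe shape."""
    return [ln for ln in lines if is_cve_2024_4577_probe(ln)]


# Constructed sample log lines (not real traffic): lines 2 and 3 should be flagged.
SAMPLE_LOG = [
    '10.0.0.5 - - [08/Jun/2024:10:01:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 512',
    '10.0.0.6 - - [08/Jun/2024:10:01:03 +0000] "GET /php-cgi/php-cgi.exe?%ADexample HTTP/1.1" 200 88',
    '10.0.0.7 - - [08/Jun/2024:10:01:04 +0000] "GET /test.php?%adx HTTP/1.1" 500 0',
    '10.0.0.8 - - [08/Jun/2024:10:01:05 +0000] "GET /static/logo.png?%AD HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("suspicious:", hit)
```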

📌 Malware Analysis

The TellYouThePass ransomware group exploits the vulnerability for initial access and, in the same step, downloads and executes a malicious script from the attacker's server.

- The malicious script drops the TellYouThePass ransomware loader, which reuses source code from the open-source tools BadPotato, EfsPotato, SweetPotato and BlindingEDR to escalate privileges and bypass AV/EDR detection.

- Finally, the TellYouThePass ransomware is dropped and executed to encrypt files on the system.

📌 Bitcoin Transaction

A total of 0.279 BTC (approximately $15,990) of ransom money was confirmed to have been transferred to the Bitcoin wallet address listed in the TellYouThePass ransom note, and is presumed to have been paid by the victim company.

- The ransom money sent to the TellYouThePass Bitcoin wallet is split in fixed proportions and forwarded to another wallet address, after which the full amount is transferred to the ChangeNOW exchange.

🧑‍💻 Report Author: S2W TALON

👉 Learn more: https://bit.ly/3ypLKef
*The Medium article is written in Korean, so please use a translation tool to read it.
