Researchers observed a URL attempts to exploit a server-side vulnerability by executing multiple commands through PHP’s system() function.
It downloads a malicious executable from a remote server, executes it locally, and attempts to download the same executable using wget while bypassing SSL certificate verification.
It exploits a vulnerability in a web server running a PHP CGI script and leverages a command injection flaw to download a malicious executable named “dr0p.exe” from a remote server.
The code attempts to download the executable using curl first and then falls back to wget if curl fails, while the downloaded executable is then executed locally on the server.
The executable, likely a downloader, was recently submitted to VirusTotal, where a quick search revealed its SHA256 hash, which can be used to identify and potentially block the malware based on its unique digital fingerprint.
Reverse engineering of dr0p.exe revealed it downloads pkt1.exe from a US-based server (23.27.51.244) hosting the EvilBit Block Explorer on port 80, and the server also exposes ports 22, 110, and 6664.
The analysis reveals that the malware pkt1.exe launches packetcrypt.exe, likely a cryptocurrency miner, while supplying a PKT Classic wallet address (“pkt1qxysc58g4cwwautg6dr4p7q7sd6tn2ldgukth5a”) as an argument.
While PKTC blockchain Explorer indicates that this wallet has accumulated approximately 5 PKTC, valued at roughly 0.0021785 USDT based on current market prices.
The web URL activity likely targets vulnerable PHP servers by potentially exploiting CVE-2024-4577 or misconfigurations that allow public access to php-cgi.exe.
This highlights the critical need for regular security patching and auditing of web servers to mitigate vulnerabilities and prevent performance issues caused by threats like crypto miners.
SANS investigation revealed that the cryptocurrency mined on compromised PHP servers was PKTC, a legacy proof-of-work coin from the PacketCrypt project.
The current PacketCrypt project utilizes a Stake-to-Earn model and issues a different cryptocurrency, also named PKT.
The incident involves the malicious IP address 23.27.51.244 distributing the malware pkt1.exe (SHA256: e3d0c31608917c0d7184c220d2510848f6267952c38f86926b15fb53d07bd562), which likely drops dr0p.exe (SHA256: d078d8690446e831acc794ee2df5dfabcc5299493e7198993149e3c0c33ccb36) and packetcrypt.exe (SHA256: 717fe92a00ab25cae8a46265293e3d1f25b2326ecd31406e7a2821853c64d397).
The attack may be linked to the cryptocurrency wallet address PKTC Wallet Address: pkt1qxysc58g4cwwautg6dr4p7q7sd6tn2ldgukth5a.
ANY.RUN Threat Intelligence Lookup - Extract Millions of IOC's for Interactive Malware Analysis: Try for Free