PHP Servers Vulnerability Exploited To Inject PacketCrypt Cryptocurrency Miner


A significant PHP server vulnerability identified as CVE-2024-4577 was exploited to inject PacketCrypt Classic Cryptocurrency Miner.

This PHP CGI Argument Injection vulnerability allows an attacker to obtain remote code execution (RCE) on vulnerable PHP versions, mostly on Windows systems using Chinese or Japanese language locales.

The vulnerability was identified by Orange Tsai in June 2024. watchTowr Labs followed up with a proof-of-concept exploit and a detailed blog article.

The vulnerability has seen several exploit attempts, indicating strong exploitability and quick adoption by threat actors.

The vulnerability has been used for command injection and to deliver several malware families, including Gh0st RAT, RedTail cryptominers, and XMRig.

PacketCrypt Classic Cryptocurrency Miner On PHP Servers

According to research by senior consultant and researcher Yee Ching Tok, the observed web URL activity appears to target PHP servers that are either vulnerable (for example, to the recent CVE-2024-4577) or misconfigured so that php-cgi.exe is reachable from the public internet.

First, dr0p.exe retrieved a secondary file pkt1.exe (e3d0c31608917c0d7184c220d2510848f6267952c38f86926b15fb53d07bd562) from 23.27.51.244. 

According to Shodan, the US-based IP address had four open ports (22, 80, 110, and 6664) and was running the EvilBit Block Explorer on port 80.

The file pkt1.exe additionally runs an executable packetcrypt.exe and includes a PacketCrypt (PKT Classic) wallet address (pkt1qxysc58g4cwwautg6dr4p7q7sd6tn2ldgukth5a) as one of its parameters. 
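The two observations above, exposed php-cgi.exe being hit with argument-style requests and the dr0p.exe / pkt1.exe / packetcrypt.exe chain with its wallet parameter, translate directly into triage checks. The script below is an added example written for this article, not code from the article or from any of the researchers it cites. It assumes Apache "combined"-format access logs and a simple dictionary shape for host telemetry (host, image, sha256, dest_ip, cmdline); the log lines and host events are constructed samples, and the `pkt1...` address regex is a heuristic, not an official PKT address grammar. The indicators themselves (the IP, the pkt1.exe hash, the file names and the wallet address) are the ones quoted in the article.

```python
"""Triage helpers for the CVE-2024-4577 / PacketCrypt Classic activity described above.

Two checks, each run over constructed sample data:
  1. access-log review: requests that reach php-cgi.exe directly (the misconfiguration the
     article names) or whose query string decodes to an argument-shaped value (a leading
     hyphen, the pattern behind the "PHP CGI argument injection" class);
  2. host/network event review: matches against the IoCs quoted in the article (dropper IP,
     pkt1.exe SHA-256, dropped file names, PKT Classic wallet address).
"""
import re
from urllib.parse import unquote, urlsplit

# Indicators as quoted in the article.
IOC_IPS = {"23.27.51.244"}
IOC_SHA256 = {"e3d0c31608917c0d7184c220d2510848f6267952c38f86926b15fb53d07bd562"}
IOC_FILENAMES = {"dr0p.exe", "pkt1.exe", "packetcrypt.exe"}
IOC_WALLETS = {"pkt1qxysc58g4cwwautg6dr4p7q7sd6tn2ldgukth5a"}
# Heuristic (assumption): any bech32-style PKT address on a command line starts with 'pkt1'.
PKT_ADDR_RE = re.compile(r"\bpkt1[a-z0-9]{30,}\b")

# Apache "combined" log prefix; only the fields needed for triage are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (RFC 5737 documentation addresses); not real traffic.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [10/Jan/2025:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jan/2025:10:01:05 +0000] "GET /php-cgi/php-cgi.exe?%2Dfoo HTTP/1.1" 200 4 "-" "curl/8.4"
203.0.113.9 - - [10/Jan/2025:10:01:07 +0000] "POST /cgi-bin/php-cgi.exe HTTP/1.1" 200 0 "-" "curl/8.4"
198.51.100.4 - - [10/Jan/2025:10:02:00 +0000] "GET /about.php?page=team HTTP/1.1" 200 880 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jan/2025:10:02:03 +0000] "GET /index.php?-x HTTP/1.1" 200 880 "-" "Mozilla/5.0"
"""

# Constructed host telemetry; hashes other than the article's are placeholders, and the
# packetcrypt.exe argument layout is made up (only the wallet address is from the article).
SAMPLE_HOST_EVENTS = [
    {"host": "web01", "image": r"C:\php\php-cgi.exe", "sha256": "0" * 64,
     "dest_ip": "", "cmdline": "php-cgi.exe"},
    {"host": "web01", "image": r"C:\Windows\Temp\dr0p.exe", "sha256": "1" * 64,
     "dest_ip": "23.27.51.244", "cmdline": "dr0p.exe"},
    {"host": "web01", "image": r"C:\Windows\Temp\pkt1.exe",
     "sha256": "e3d0c31608917c0d7184c220d2510848f6267952c38f86926b15fb53d07bd562",
     "dest_ip": "", "cmdline": "pkt1.exe"},
    {"host": "web01", "image": r"C:\Windows\Temp\packetcrypt.exe", "sha256": "2" * 64,
     "dest_ip": "", "cmdline": "packetcrypt.exe pkt1qxysc58g4cwwautg6dr4p7q7sd6tn2ldgukth5a"},
]


def review_access_log(log_text):
    """Return [(client_ip, request_target, [reasons])] for suspicious requests."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        parts = urlsplit(target)
        path = unquote(parts.path).lower()
        query = unquote(parts.query)
        reasons = []
        # Direct reachability of the CGI binary is the misconfiguration the article names.
        if "php-cgi" in path:
            reasons.append("request reaches php-cgi directly")
        # After decoding, a query that starts with '-' looks like a command-line option
        # rather than key=value pairs: the shape of CGI argument injection.
        if query.lstrip().startswith("-"):
            reasons.append("argument-shaped query string")
        if reasons:
            hits.append((m.group("ip"), target, reasons))
    return hits


def review_host_events(events):
    """Return [(host, image_path, [reasons])] for events matching the article's IoCs."""
    hits = []
    for ev in events:
        reasons = []
        image_name = ev.get("image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
        if image_name in IOC_FILENAMES:
            reasons.append(f"known file name {image_name}")
        if ev.get("sha256", "").lower() in IOC_SHA256:
            reasons.append("SHA-256 matches pkt1.exe")
        if ev.get("dest_ip") in IOC_IPS:
            reasons.append(f"connection to {ev['dest_ip']}")
        for addr in PKT_ADDR_RE.findall(ev.get("cmdline", "")):
            if addr in IOC_WALLETS:
                reasons.append("wallet address from the campaign")
            else:
                reasons.append(f"PKT wallet address on command line: {addr}")
        if reasons:
            hits.append((ev.get("host", "?"), ev.get("image", "?"), reasons))
    return hits


if __name__ == "__main__":
    for ip, target, why in review_access_log(SAMPLE_ACCESS_LOG):
        print(f"[web] {ip} {target}: {'; '.join(why)}")
    for host, image, why in review_host_events(SAMPLE_HOST_EVENTS):
        print(f"[host] {host} {image}: {'; '.join(why)}")
```

The access-log check deliberately does not score the legitimate php-cgi.exe process on the host: a PHP-CGI deployment will always have that binary running, and the signal is the binary being reachable by URL, not its presence. Treat wallet and hash matches as high confidence, and the argument-shaped-query rule as a lead to review, since ordinary applications occasionally put a leading hyphen in a bare query string.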

PacketCrypt Classic (PKTC) Wallet Activity

If your PHP servers have not been upgraded in a long time, this campaign is a timely reminder for system owners to patch, and to audit their web servers both for vulnerabilities and for the unexpected performance problems that crypto miners cause.
