PacketCrypt Classic Cryptocurrency Miner on PHP Servers
Jan. 7, 2025, 4:36 p.m.
Tags
External References
Description
A cryptocurrency mining campaign targeting vulnerable PHP servers has been identified. The attackers exploit misconfigured or unpatched servers to gain unauthorized access to php-cgi.exe, through which the first stage is delivered. That first stage, dr0p.exe, downloads a second-stage payload, pkt1.exe, which in turn spawns packetcrypt.exe to mine PacketCrypt Classic (PKTC). Mined coins are paid out to an attacker-specified wallet address. The chain is multi-stage and relies on the techniques listed under Attack Patterns below (ingress tool transfer, service execution, web-service command channels, and encrypted traffic on non-standard ports) to get the miner running and keep it running. Server administrators should patch PHP and the web server, audit how php-cgi.exe is exposed, and hunt for the process chain above and for connections to the network indicators listed below. The immediate impact is the performance cost of unauthorized mining, but the same access path can deliver any other payload, so the initial foothold deserves more attention than the miner itself.
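The chain above (php-cgi.exe spawning dr0p.exe, then pkt1.exe, then packetcrypt.exe) is easier to hunt for as a process lineage than as individual file names, since the dropper names can change while the parent relationship to php-cgi.exe cannot. The script below is an added example, not code from the advisory or from the campaign's analysts: it replays constructed Sysmon-style process-creation and network-connection events, rebuilds the process tree, and flags three things: any file hash in the Indicators list, any process whose lineage contains the full chain in order (tolerating intermediate processes such as a command shell), and any connection to the listed IP or domains. The event records and their field names are assumptions for illustration, and the assignment of the three hashes to dr0p.exe, pkt1.exe and packetcrypt.exe in the sample data is likewise assumed; the page does not say which hash belongs to which file.

```python
"""Added example: triage constructed Sysmon-style events for the PacketCrypt chain.

Only the SHA-256 hashes, IP and domains below come from the advisory's
Indicators section. The event schema (id/guid/parent/image/sha256/dest_*)
and the sample events are constructed for this example.
"""
from collections import namedtuple

# Indicators copied from the advisory (file hashes, C2/pool network endpoints).
IOC_SHA256 = {
    "e3d0c31608917c0d7184c220d2510848f6267952c38f86926b15fb53d07bd562",
    "d078d8690446e831acc794ee2df5dfabcc5299493e7198993149e3c0c33ccb36",
    "717fe92a00ab25cae8a46265293e3d1f25b2326ecd31406e7a2821853c64d397",
}
IOC_NET = {"23.27.51.244", "www.pkt.world", "crypto.pkt.cash"}

# Executable names of the described chain, root first.
CHAIN = ["php-cgi.exe", "dr0p.exe", "pkt1.exe", "packetcrypt.exe"]

# Constructed sample events. id 1 = process create, id 3 = network connect
# (Sysmon numbering). Hash-to-file mapping here is an assumption.
SAMPLE_EVENTS = [
    {"id": 1, "guid": "A", "parent": None, "image": r"C:\php\php-cgi.exe", "sha256": "aaaa"},
    {"id": 1, "guid": "B", "parent": "A", "image": r"C:\Windows\Temp\dr0p.exe",
     "sha256": "e3d0c31608917c0d7184c220d2510848f6267952c38f86926b15fb53d07bd562"},
    {"id": 1, "guid": "C", "parent": "B", "image": r"C:\Windows\Temp\pkt1.exe",
     "sha256": "d078d8690446e831acc794ee2df5dfabcc5299493e7198993149e3c0c33ccb36"},
    {"id": 1, "guid": "D", "parent": "C", "image": r"C:\Windows\Temp\packetcrypt.exe",
     "sha256": "717fe92a00ab25cae8a46265293e3d1f25b2326ecd31406e7a2821853c64d397"},
    {"id": 3, "guid": "D", "dest_ip": "23.27.51.244", "dest_host": "crypto.pkt.cash"},
    # Benign noise: a normal php.exe child and an internal database connection.
    {"id": 1, "guid": "E", "parent": "A", "image": r"C:\php\php.exe", "sha256": "bbbb"},
    {"id": 3, "guid": "E", "dest_ip": "10.0.0.5", "dest_host": "db.internal"},
]

Finding = namedtuple("Finding", "kind guid detail")


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ancestry(procs, guid):
    """Image names from the given process up to the root, child first."""
    names, seen = [], set()
    while guid is not None and guid in procs and guid not in seen:
        seen.add(guid)  # guard against malformed/cyclic parent links
        names.append(basename(procs[guid]["image"]))
        guid = procs[guid]["parent"]
    return names


def chain_matches(lineage):
    """True if CHAIN appears in order in a child-first lineage.

    Subsequence matching, so an intermediate cmd.exe between stages still
    matches; a lineage missing any stage does not.
    """
    want = list(reversed(CHAIN))
    i = 0
    for name in lineage:
        if i < len(want) and name == want[i]:
            i += 1
    return i == len(want)


def triage(events):
    """Return Findings for hash, process-chain and network IOC matches."""
    procs = {e["guid"]: e for e in events if e["id"] == 1}
    findings = []
    for e in events:
        if e["id"] == 1:
            if e["sha256"] in IOC_SHA256:
                findings.append(Finding("hash_match", e["guid"], basename(e["image"])))
            lineage = ancestry(procs, e["guid"])
            if chain_matches(lineage):
                findings.append(Finding("chain_match", e["guid"], " <- ".join(lineage)))
        elif e["id"] == 3:
            hits = {e.get("dest_ip"), e.get("dest_host")} & IOC_NET
            if hits:
                findings.append(Finding("net_ioc", e["guid"], ",".join(sorted(hits))))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.kind:12} guid={f.guid} {f.detail}")
```

The chain check is the durable part: file hashes change with every rebuild of the dropper and the pool hostnames can be swapped, but a web server's CGI handler spawning an executable that in turn spawns another is rare enough in normal operation that the lineage alone is worth an alert even without a hash or network hit.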
Date
Published: Jan. 7, 2025, 2:23 p.m.
Created: Jan. 7, 2025, 2:23 p.m.
Modified: Jan. 7, 2025, 4:36 p.m.
Indicators
SHA-256 file hashes:
e3d0c31608917c0d7184c220d2510848f6267952c38f86926b15fb53d07bd562
d078d8690446e831acc794ee2df5dfabcc5299493e7198993149e3c0c33ccb36
717fe92a00ab25cae8a46265293e3d1f25b2326ecd31406e7a2821853c64d397
IPv4 address:
23.27.51.244
Domains:
www.pkt.world
crypto.pkt.cash
Attack Patterns
T1588.001 Obtain Capabilities: Malware
T1569.002 System Services: Service Execution
T1102.002 Web Service: Bidirectional Communication
T1573.001 Encrypted Channel: Symmetric Cryptography
T1571 Non-Standard Port
T1059.004 Command and Scripting Interpreter: Unix Shell
T1071.001 Application Layer Protocol: Web Protocols
T1105 Ingress Tool Transfer
T1496 Resource Hijacking