Update: CVE-2024-4577 quickly weaponized to distribute Ransomware

June 11, 2024, 10:31 a.m.

Description

The report describes an attack campaign leveraging the CVE-2024-4577 vulnerability to deliver the "TellYouThePass" ransomware. The attackers use the vulnerability to execute arbitrary PHP code and run a malicious HTML application that loads a .NET variant of the ransomware into memory. Upon execution, the ransomware contacts a command-and-control server, enumerates directories, terminates processes, encrypts files, and leaves a ransom note.

Date

Published: June 11, 2024, 10:13 a.m.
Created: June 11, 2024, 10:13 a.m.
Modified: June 11, 2024, 10:31 a.m.

Indicators

Attack Patterns