Update: CVE-2024-4577 quickly weaponized to distribute Ransomware

June 11, 2024, 10:31 a.m.

Description

The report describes an attack campaign leveraging the CVE-2024-4577 vulnerability to deliver the "TellYouThePass" ransomware. The attackers use the vulnerability to execute arbitrary PHP code and run a malicious HTML application that loads a .NET variant of the ransomware into memory. Upon execution, the ransomware contacts a command-and-control server, enumerates directories, terminates processes, encrypts files, and leaves a ransom note.

Date

  • Created: June 11, 2024, 10:13 a.m.
  • Published: June 11, 2024, 10:13 a.m.
  • Modified: June 11, 2024, 10:31 a.m.

Indicators


Attack Patterns

  • TellYouThePass
  • T1567.002
  • T1059.005
  • T1059.003
  • T1059.001
  • T1547.001
  • T1497
  • T1204.002
  • T1489
  • T1486
  • T1083
  • T1027

Linked vulnerabilities