EXECUTIVE SUMMARY
A critical vulnerability in PHP servers, tracked as CVE-2024-4577, has been exploited to deploy the PacketCrypt Classic cryptocurrency miner. This PHP CGI argument injection flaw enables remote code execution on affected PHP versions, particularly under specific locales on Windows systems. Exploitation of the vulnerability has also led to malware campaigns involving tools such as Gh0st RAT and XMRig. Attackers have used compromised PHP servers to execute malicious files, including dr0p.exe, which retrieves and runs pkt1.exe to mine cryptocurrency. The miner operates with a specified wallet address and relies on public access to php-cgi.exe on misconfigured or unpatched servers. Updating PHP servers promptly is essential to prevent exploitation of critical vulnerabilities, and regular audits can reduce the risk from cryptominers and other malicious activity.
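As an added illustration of the audit the summary recommends (this code is not from the advisory or any referenced report), the script below scans constructed web-server access-log lines for the two conditions the summary names: php-cgi.exe reachable over HTTP, and CGI argument injection through a query string that the CGI interface hands to the binary as command-line arguments. The soft-hyphen normalisation reflects the Windows locale "best fit" mapping that underlies this CVE; the log lines, addresses and directive names are constructed placeholders.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2025:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.7 - - [10/Jan/2025:10:00:02 +0000] "GET /php-cgi/php-cgi.exe?%ADd+example.directive%3D1 HTTP/1.1" 200 4096
203.0.113.9 - - [10/Jan/2025:10:00:03 +0000] "GET /search.php?q=-d HTTP/1.1" 200 300
203.0.113.9 - - [10/Jan/2025:10:00:04 +0000] "POST /cgi-bin/php-cgi.exe?-d+example.directive%3D1 HTTP/1.1" 200 100
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def cgi_argv_form(query: str) -> bool:
    """RFC 3875: a query string with no unencoded '=' is passed to the CGI
    program as command-line arguments ('+' separating the arguments)."""
    return "=" not in query


def injected_options(query: str) -> list:
    """Return argv tokens that look like options (start with '-') once the
    query is decoded. latin-1 keeps %AD as U+00AD (soft hyphen), which the
    Windows best-fit code-page conversion turns into an ASCII hyphen."""
    if not query or not cgi_argv_form(query):
        return []
    args = [unquote(tok, encoding="latin-1") for tok in query.split("+")]
    normalised = [a.replace("\u00ad", "-") for a in args]
    return [a for a in normalised if a.startswith("-")]


def scan_log(text: str) -> list:
    """Yield (method, target, reasons) for each request that exposes php-cgi
    over HTTP or carries option-style CGI arguments."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group("target")
        path, _, query = target.partition("?")
        reasons = []
        if "php-cgi" in path.lower():
            reasons.append("php-cgi binary reachable over HTTP")
        opts = injected_options(query)
        if opts:
            reasons.append("CGI argument injection: " + " ".join(opts))
        if reasons:
            findings.append((m.group("method"), target, reasons))
    return findings


if __name__ == "__main__":
    for method, target, reasons in scan_log(SAMPLE_LOG):
        print(method, target, "->", "; ".join(reasons))
```

The third sample line shows the expected negative case: a normal `key=value` query is never treated as CGI arguments, so a literal `-d` inside a parameter value is not flagged.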
THREAT PROFILE:
| Tactic | Technique ID | Technique |
|---|---|---|
| Initial Access | T1190 | Exploit Public-Facing Application |
| Execution | T1059 | Command and Scripting Interpreter |
| Persistence | T1547 | Boot or Logon Autostart Execution |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation |
| Defense Evasion | T1027 | Obfuscated Files or Information |
| Credential Access | T1555 | Credentials from Web Browsers |
| Discovery | T1083 | File and Directory Discovery |
| Lateral Movement | T1570 | Lateral Tool Transfer |
| Collection | T1005 | Data from Local System |
| Exfiltration | T1041 | Exfiltration Over C2 Channel |
| Impact | T1496 | Resource Hijacking |
REFERENCES:
The following report contains further technical details:
https://cybersecuritynews.com/php-servers-vulnerability-exploited/