PHP Vulnerability CVE-2024-4577 Weaponized To Distribute TellYouThePass Ransomware

"Researchers have identified threat actors exploiting a PHP vulnerability (CVE-2024-4577) to spread TellYouThePass ransomware variants. The attackers utilize this exploit to run arbitrary PHP code leveraging the ""system"" function to execute an HTML application file hosted on their server via the mshta.exe binary which can execute remote payloads on Windows systems. This approach reflects a ""living off the land"" technique. TellYouThePass ransomware active since 2019 has evolved and now often appears as .NET samples delivered through HTML applications. The initial infection uses an HTA file containing malicious VBScript with a base64 encoded binary loaded into memory during runtime. Upon execution the malware sends an HTTP request to its command-and-control (C2) server disguised as a CSS resource request to avoid detection. The malware then enumerates directories kills processes generates encryption keys and encrypts files with specific extensions. Finally it places a ReadMe message in the web root directory to inform victims."