Ransomware Strikes Fast: TellYouThePass Exploits PHP Bug Just 48 Hours After Patch
The TellYouThePass ransomware gang wasted no time exploiting the CVE-2024-4577 vulnerability in PHP, attacking less than 48 hours after patches were released. Researchers at Imperva revealed the gang uses the Windows mshta.exe binary to run a malicious HTML application, encrypting files and demanding ransom through “READ_ME10.html” notes.

Hot Take:
PHP just got a patch, but it seems the TellYouThePass ransomware gang got the memo first. Less than 48 hours after the fix for CVE-2024-4577, they were already causing chaos. It’s like they had a calendar reminder set for “Exploit Day!”.
Key Points:
– TellYouThePass ransomware exploits CVE-2024-4577 in PHP to deploy webshells and ransomware payloads.
– Attacks began less than 48 hours after the security update was released.
– The ransomware uses Windows mshta.exe to execute a malicious HTA file containing VBScript.
– The exploit sends an HTTP request disguised as a CSS resource to a command-and-control server.
– Ransom notes demand 0.1 BTC (around $6,700) for decryption.
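Added example, not from the article or from Imperva: a defender-side detection heuristic over constructed, Sysmon-like process and file events that flags the two host-level artifacts named above, mshta.exe spawned by a PHP or web-server process and the READ_ME10.html ransom note being written. The JSON event shape and the WEB_PARENTS list are assumptions for the example.

```python
import json
import ntpath

# Parent processes that should never spawn mshta.exe on a PHP host.
# This list is an assumption for the example, not taken from the article.
WEB_PARENTS = {"php-cgi.exe", "php.exe", "httpd.exe", "nginx.exe", "w3wp.exe"}
RANSOM_NOTE = "READ_ME10.html"  # ransom note filename named in the article

# Constructed sample events, one JSON object per line (not a real log export).
SAMPLE_LOG = r"""
{"type": "process_create", "image": "C:\\Windows\\System32\\mshta.exe", "parent": "C:\\php\\php-cgi.exe"}
{"type": "process_create", "image": "C:\\Windows\\System32\\mshta.exe", "parent": "C:\\Windows\\explorer.exe"}
{"type": "file_create", "image": "C:\\Windows\\System32\\mshta.exe", "target": "D:\\www\\READ_ME10.html"}
{"type": "file_create", "image": "C:\\Editor\\editor.exe", "target": "D:\\www\\index.html"}
"""


def parse_events(text):
    """Parse one JSON event per line; blank and malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def detect(events):
    """Return (rule, detail) alerts for the two artifacts described in the article."""
    alerts = []
    for ev in events:
        image = ntpath.basename(ev.get("image", "")).lower()
        parent = ntpath.basename(ev.get("parent", "")).lower()
        target = ntpath.basename(ev.get("target", "")).lower()
        # Rule 1: the HTA runner launched from a web-serving process.
        if ev.get("type") == "process_create" and image == "mshta.exe" and parent in WEB_PARENTS:
            alerts.append(("mshta_from_web_process", f"{parent} -> {image}"))
        # Rule 2: the ransom note landing on disk.
        if ev.get("type") == "file_create" and target == RANSOM_NOTE.lower():
            alerts.append(("ransom_note_written", ev["target"]))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect(parse_events(SAMPLE_LOG)):
        print(f"[{rule}] {detail}")
```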