TellYouThePass Ransomware Attack Detection: Hackers Exploit CVE-2024-4577 to Install Web Shells and Drop Malware 

The TellYouThePass ransomware operators have been spotted behind a novel adversary campaign leveraging the PHP-CGI vulnerability tracked as CVE-2024-4577. Adversaries weaponize the flaw to upload web shells and distribute TellYouThePass ransomware on compromised instances.

Detect TellYouThePass Ransomware Campaign

In light of the newly uncovered PHP-CGI bug being swiftly weaponized for in-the-wild attacks, facilitating the distribution of TellYouThePass ransomware, security professionals must proactively address this emerging threat. To detect potential TellYouThePass intrusions in their earliest stages, the SOC Prime Platform for collective cyber defense provides a dedicated set of Sigma rules.

Just hit the Explore Detections button below and immediately drill down to the relevant detection stack compatible with 30+ SIEM, EDR, and Data Lake technologies. All the rules are enriched with actionable CTI, accompanied by extensive metadata, and mapped to the MITRE ATT&CK® framework to smooth out the threat investigation. 

Explore Detections

With TellYouThePass operators being among the first to leverage the CVE-2024-4577 bug in ongoing campaigns, cyber defenders might expect further weaponization attempts for this flaw. To detect associated exploits, use a Sigma rule listed below. 

Possible CVE-2024-4577 (PHP Remote Code Execution) Exploitation Attempt (via webserver)

For those seeking more curated content addressing the Proactive Vulnerability Detection use case, SOC Prime Platform aggregates the largest collection of curated algorithms available with this link.

TellYouThePass Ransomware Attack Analysis

The Imperva Threat Research team recently notified the global cyber defender community of ongoing attacks weaponizing the critical PHP flaw known as CVE-2024-4577 to further infect the target instances with ransomware. According to the research, the adversary activity has been active since the first decade of June and can be linked to the TellYouThePass ransomware operations. 

TellYouThePass is a basic ransomware strain that has been in the cyber threat arena for half a decade. The ransomware has made a comeback, coinciding with the exploitation of Log4j vulnerabilities.

The Imperva analysis uncovered a set of offensive TellYouThePass attacks aimed at uploading web shells and distributing malicious samples on impacted instances. Ransomware operators exploited CVE-2024-3577 to run arbitrary PHP code on the impacted devices. They used the latter to run an HTML application file hosted on the adversary web server via the mshta.exe binary. Mshta.exe, a native Windows LOLBin capable of executing remote payloads, suggests that the attackers are leveraging a “living-off-the-land” approach.

The TellYouThePass ransomware leveraged in the most recent campaign appears in the form of .NET samples delivered via HTML applications. The infection flow begins with the delivery of an HTA file with the malicious VBScript. Upon activation, the ransomware sends an HTTP request to the C2 server, concealing device details within what appears to be a request for CSS resources to evade detection. It also generates a “READ_ME10.html” ransom note, offering instructions for recovering files.

To mitigate the risks of emerging ransomware attacks defenders recommend staying constantly vigilant and timely implementing vulnerability patching. Since in-the-wild attacks leveraging CVE-2024-4577 might have already exposed 450K+ PHP servers, primarily hosted in the U.S. and Germany, according to stats by Censys, it’s imperative to strengthen enterprise security. SOC Prime’s complete product suite for AI-powered Detection Engineering, Automated Threat Hunting, and Detection Stack Validation serves as an all-in-one solution to proactively defend against emerging and persistent threats and equip your organization with advanced defensive capabilities to disrupt adversaries before they strike.