PHP Vulnerability Exploited to Deploy Crypto Miners and Remote Access Trojans

Hackers Target Windows-Based PHP Servers to Spread Quasar RAT and XMRig

Cybercriminals are actively exploiting a critical security flaw in PHP (CVE-2024-4577) to deploy cryptocurrency miners and remote access trojans (RATs), such as Quasar RAT.

The flaw affects PHP running in CGI mode on Windows. It stems from the Windows "Best-Fit" character mapping used by certain locales (notably Traditional Chinese, Simplified Chinese and Japanese): a bare soft-hyphen byte (0xAD) in the request's query string is converted to an ordinary hyphen before it reaches php-cgi, which then parses it as a command-line option. An unauthenticated attacker can therefore inject php.ini directives such as auto_prepend_file=php://input and execute arbitrary PHP code remotely. The bug was fixed in PHP 8.3.8, 8.2.20 and 8.1.29 in June 2024; PHP 8.0 and the 7.x branches are end-of-life and remain vulnerable.
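To make that mechanism concrete, the following is an added example (my own code, not Bitdefender's, PHP's, or any exploit's) that scans Apache-style access-log lines for the injection pattern: an argv element that begins with a bare 0xAD byte followed by a php-cgi option letter. The log lines are constructed for illustration; the option letters are php-cgi's documented single-letter options and the directive names come from php.ini; the helper names (`cgi_argv`, `analyze_request`, `scan_log`) are assumptions of this example.

```python
"""Scan web-server access logs for CVE-2024-4577 exploitation attempts.

The detection mirrors the bug: an argv element that begins with a bare
0xAD byte becomes "-<letter>" under Windows Best-Fit mapping, so the
client controls php-cgi's command-line options.
"""
import re
from urllib.parse import unquote_to_bytes

# Constructed sample lines in Apache "combined" format; not real telemetry.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2025:10:01:02 +0000] "POST /php-cgi/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.11 - - [10/Mar/2025:10:01:05 +0000] "GET /index.php?page=home HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.12 - - [10/Mar/2025:10:01:09 +0000] "POST /hello.php?%add+cgi.force_redirect%3d0+%add+cgi.redirect_status_env+%add+auto_prepend_file%3dphp://input HTTP/1.1" 200 300 "-" "python-requests/2.31"
203.0.113.13 - - [10/Mar/2025:10:02:00 +0000] "GET /search.php?q=soft%C2%ADhyphen HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)

# Single-letter php-cgi options reachable through the injected "-".
# Public exploits use -d (set a php.ini directive); the rest are lower-value.
PHP_CGI_OPTS = set("abcCdefhimnqsvwzHT")

# Directives that turn option injection into code execution.
HIGH_RISK = {"auto_prepend_file", "auto_append_file", "allow_url_include",
             "cgi.force_redirect", "cgi.redirect_status_env"}


def cgi_argv(query: str) -> list[bytes]:
    """Build argv the way RFC 3875 tells a CGI server to: split on '+', then
    percent-decode each piece.  Apache only does this when the query string
    holds no literal '=', which is why exploits encode '=' as %3d."""
    return [unquote_to_bytes(part) for part in query.split("+")]


def analyze_request(target: str) -> dict:
    """Classify one request target (path?query) as none/suspicious/exploit."""
    query = target.split("?", 1)[1] if "?" in target else ""
    argv = cgi_argv(query)
    options, directives = [], []
    for idx, arg in enumerate(argv):
        # Only an argv element that *starts* with a bare 0xAD can become an
        # option.  A UTF-8 soft hyphen (%C2%AD) starts with 0xC2 and is ignored.
        if len(arg) < 2 or arg[0] != 0xAD or chr(arg[1]) not in PHP_CGI_OPTS:
            continue
        opt = chr(arg[1])
        options.append(opt)
        if opt == "d":
            # "-dname=value", or "-d" with "name=value" in the next element
            value = arg[2:] or (argv[idx + 1] if idx + 1 < len(argv) else b"")
            directives.append(value.decode("latin-1"))
    high = [d for d in directives if d.split("=", 1)[0] in HIGH_RISK]
    severity = "exploit" if high else "suspicious" if options else "none"
    return {
        "severity": severity,
        "options": options,
        "directives": directives,
        # False means Apache would not have passed the query as argv at all.
        "argv_passed": "=" not in query,
    }


def scan_log(text: str) -> list[dict]:
    """Return one finding per log line whose request is suspicious or worse."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        result = analyze_request(m["target"])
        if result["severity"] != "none":
            findings.append({"ip": m["ip"], "ts": m["ts"],
                             "method": m["method"], **result})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity']:<10} {f['ip']:<14} {f['method']} "
              f"options={f['options']} directives={f['directives']}")
```

Two caveats when running this against real logs. First, the check deliberately decodes the query and inspects the first byte of each argv element rather than grepping for the literal string `%AD`, because legitimate UTF-8 text (the soft hyphen `%C2%AD`, or characters such as `%E2%80%AD`) contains that byte as a continuation; a site that still accepts legacy Big5 or Shift-JIS form data can, however, produce a genuine 0xAD lead byte, so tune on `argv_passed` and the presence of a `-d` directive there. Second, with auto_prepend_file=php://input the actual PHP payload (the whoami and echo probes Bitdefender describes) travels in the POST body, which access logs do not record, so pair this with request-body logging or endpoint telemetry.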

Surge in Exploitation Attempts

According to cybersecurity firm Bitdefender, exploitation attempts against this vulnerability have risen sharply since late 2024, with Taiwan (54.65%), Hong Kong (27.06%), Brazil (16.39%), Japan (1.57%) and India (0.33%) accounting for the observed attacks.

Bitdefender's analysis revealed that:
- 15% of attacks conducted basic vulnerability tests using commands like whoami and echo <test_string>.
- Another 15% focused on system reconnaissance, gathering information on network configurations, running processes, and user credentials.
- Around 5% of attacks resulted in the deployment of the XMRig cryptocurrency miner.

Stealthy Crypto Mining Operations

In some cases, attackers deployed Nicehash miners under legitimate-looking process names such as javawindows.exe to evade detection.

Martin Zugec, Technical Solutions Director at Bitdefender, noted that some rival cryptojacking groups appear to be competing for control over compromised systems. In an unusual move, some attackers were seen modifying firewall configurations to block access to known malicious IPs, effectively preventing other hackers from exploiting the same vulnerable servers.

Quasar RAT and Malicious MSI Deployments

Aside from cryptomining, threat actors have also used the vulnerability to deliver Quasar RAT, an open-source remote access trojan, and malicious Windows Installer (MSI) files hosted on external servers.

Mitigation Strategies

The rise in these attacks highlights the need for organizations to secure their PHP installations. Bitdefender recommends:
- Updating PHP to a fixed release (8.3.8, 8.2.20 or 8.1.29 and later). PHP 8.0 and 7.x are end-of-life and will not receive a fix, so installations on those branches need an upgrade rather than a patch.
- Where an immediate upgrade is impossible, applying the workaround in PHP's own advisory: reject requests whose query string begins with %ad at the web server (the advisory supplies an Apache mod_rewrite rule for this, described as a temporary measure), or move PHP off CGI to mod_php, FastCGI or PHP-FPM, which do not hand the query string to php-cgi as command-line arguments.
- Restricting the use of Living-off-the-Land (LOTL) tools like PowerShell to privileged administrators.
- Monitoring network traffic for unusual activity, particularly outbound connections to mining pools or command-and-control (C2) servers.

Ongoing Threat Landscape

The revelations follow Cisco Talos' recent findings of PHP-based cyberattacks targeting Japanese organizations earlier this year. As hackers continue to refine their techniques, keeping systems updated and implementing strong security policies remains critical to preventing further exploitation.