Cyber Security News

PHP Servers Vulnerability Exploited To Inject PacketCrypt Cryptocurrency Miner

Researchers observed a URL attempts to exploit a server-side vulnerability by executing multiple commands through PHP’s system() function.

It downloads a malicious executable from a remote server, executes it locally, and attempts to download the same executable using wget while bypassing SSL certificate verification.

It exploits a vulnerability in a web server running a PHP CGI script and leverages a command injection flaw to download a malicious executable named “dr0p.exe” from a remote server. 

The code attempts to download the executable using curl first and then falls back to wget if curl fails, while the downloaded executable is then executed locally on the server.

The executable, likely a downloader, was recently submitted to VirusTotal, where a quick search revealed its SHA256 hash, which can be used to identify and potentially block the malware based on its unique digital fingerprint.

Reverse engineering of dr0p.exe revealed it downloads pkt1.exe from a US-based server (23.27.51.244) hosting the EvilBit Block Explorer on port 80, and the server also exposes ports 22, 110, and 6664.

Querying 23.27.51.244 on Shodan

The analysis reveals that the malware pkt1.exe launches packetcrypt.exe, likely a cryptocurrency miner, while supplying a PKT Classic wallet address (“pkt1qxysc58g4cwwautg6dr4p7q7sd6tn2ldgukth5a”) as an argument. 

While PKTC blockchain Explorer indicates that this wallet has accumulated approximately 5 PKTC, valued at roughly 0.0021785 USDT based on current market prices.

The web URL activity likely targets vulnerable PHP servers by potentially exploiting CVE-2024-4577 or misconfigurations that allow public access to php-cgi.exe.

This highlights the critical need for regular security patching and auditing of web servers to mitigate vulnerabilities and prevent performance issues caused by threats like crypto miners.

PacketCrypt Classic (PKTC) Wallet Activity

SANS investigation revealed that the cryptocurrency mined on compromised PHP servers was PKTC, a legacy proof-of-work coin from the PacketCrypt project.

The current PacketCrypt project utilizes a Stake-to-Earn model and issues a different cryptocurrency, also named PKT. 

The incident involves the malicious IP address 23.27.51.244 distributing the malware pkt1.exe (SHA256: e3d0c31608917c0d7184c220d2510848f6267952c38f86926b15fb53d07bd562), which likely drops dr0p.exe (SHA256: d078d8690446e831acc794ee2df5dfabcc5299493e7198993149e3c0c33ccb36) and packetcrypt.exe (SHA256: 717fe92a00ab25cae8a46265293e3d1f25b2326ecd31406e7a2821853c64d397). 

The attack may be linked to the cryptocurrency wallet address PKTC Wallet Address: pkt1qxysc58g4cwwautg6dr4p7q7sd6tn2ldgukth5a.

ANY.RUN Threat Intelligence Lookup - Extract Millions of IOC's for Interactive Malware Analysis: Try for Free

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Recent Posts

Blue Shield Exposed Health Data of 4.7 Million via Google Ads

Blue Shield of California has disclosed a significant data privacy incident affecting up to 4.7…

46 minutes ago

Microsoft Offers $30,000 Bounties for AI Security Flaws

Microsoft has launched a new bounty program that offers up to $30,000 to security researchers…

1 hour ago

The Human Firewall: Strengthening Your Weakest Security Link

Despite billions spent annually on cybersecurity technology, organizations continue to experience breaches with alarming frequency.…

2 hours ago

WhatsApp Launches Advanced Privacy Tool to Secure Private Chats

WhatsApp, the world’s leading messaging platform, has unveiled a major privacy upgrade called "Advanced Chat…

2 hours ago

Hackers Exploit NFC Technology to Steal Money from ATMs and POS Terminals

In a disturbing trend, cybercriminals, predominantly from Chinese underground networks, are exploiting Near Field Communication…

16 hours ago

Threat Actors Leverage TAG-124 Infrastructure to Deliver Malicious Payloads

In a concerning trend for cybersecurity, multiple threat actors, including ransomware groups and state-sponsored entities,…

16 hours ago